Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
A weakness has been identified in langflow-ai langflow up to 1.8.4. This affects the function eval of the file src/lfx/src/lfx/components/llm_operations/lambda_filter.p of the component LambdaFilterComponent. Executing a manipulation can lead to code injection. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Code injection via the eval function in Langflow's LambdaFilterComponent allows remote authenticated attackers to execute arbitrary code with low-to-medium integrity and confidentiality impact. The vulnerability affects Langflow up to version 1.8.4, requires user login (PR:L), and has publicly available exploit code. The vendor did not respond to early disclosure notification.
Technical ContextAI
The vulnerability exists in the LambdaFilterComponent's eval function (src/lfx/src/lfx/components/llm_operations/lambda_filter.p) which improperly handles user-supplied input without adequate sanitization or sandboxing. The weakness is classified as CWE-94 (Code Injection), a class of flaws where untrusted data is passed to an interpreter or evaluator function without proper validation. In Python and similar languages, eval() functions execute arbitrary code with full interpreter privileges. Langflow's Lambda filter component likely uses Python's eval() or similar constructs to process filter expressions, allowing attackers who can craft malicious input through the Langflow interface to break out of intended code execution boundaries.
RemediationAI
Upgrade Langflow to a version newer than 1.8.4 once a patched release is available; however, no vendor-released patch version is identified in provided data. Immediate compensating controls should include: (1) Restrict network access to Langflow deployments using firewall rules or VPN-only access, reducing exposure to remote attackers despite PR:L requirement; (2) Disable or remove the LambdaFilterComponent from the Langflow UI if the lambda filter feature is not in use, eliminating the attack surface; (3) Implement strict input validation on lambda filter expressions by intercepting and sanitizing filter parameters before they reach the eval function (requires code modification if no configuration option exists); (4) Run Langflow with minimal Python privileges and in isolated environments (containers, dedicated user accounts) to limit impact if code injection succeeds; (5) Monitor and audit lambda filter usage for suspicious patterns. Contact langflow-ai for patch availability and timeline given their non-response to disclosure.
Langflow before 1.3.0 allows unauthenticated remote code injection through the /api/v1/validate/code endpoint, enabling
Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote cod
Code injection in Langflow CSV Agent node before 1.8.0. The node hardcodes allow_dangerous_code=True, enabling arbitrary
Langflow has a third RCE vulnerability via exec_globals (EPSS 10.0%) allowing inclusion of untrusted code that executes
langflow <=1.0.18 is vulnerable to Remote Code Execution (RCE) as any component provided the code functionality and the
langflow v1.0.12 was discovered to contain a remote code execution (RCE) vulnerability via the PythonCodeTool component.
Langflow through 0.6.19 allows remote code execution if untrusted users are able to reach the "POST /api/v1/custom_compo
Langflow before 1.7.0.dev45 exposes multiple API endpoints without authentication, allowing unauthenticated access to us
Langflow versions prior to 1.0.13 suffer from a Privilege Escalation vulnerability, allowing a remote and low privileged
Langflow has a code injection vulnerability in the code component (EPSS 2.6%) enabling remote code execution through the
Langflow has an eval injection in eval_custom_component_code (EPSS 2.0%) enabling remote code execution through crafted
Remote code execution in IBM Langflow OSS 1.0.0 through 1.9.3 lets an unauthenticated attacker inject and run arbitrary
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26838