Skip to main content

IBM Langflow OSS CVE-2026-9198

| EUVDEUVD-2026-45236 CRITICAL
Code Injection (CWE-94)
2026-07-17 ibm GHSA-5wm9-vgmg-cjv6
9.8
CVSS 3.1 · NVD
Share

Severity by source

Vendor (ibm) PRIMARY
CRITICAL
qualitative
NVD
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

auto_login grants SUPERUSER tokens to any unauthenticated network caller (PR:N, AV:N, AC:L), and exec()-based code execution yields full host compromise (C:H/I:H/A:H).

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (ibm).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 17, 2026 - 18:16 vuln.today
CVE Published
Jul 17, 2026 - 17:36 cve.org
CRITICAL 9.8

DescriptionNVD

IBM Langflow OSS 1.0.0 through 1.10.0 allows unauthenticated attackers to chain /api/v1/auto_login (mints SUPERUSER tokens to any network caller) with /api/v1/validate/code (executes user code via exec()) to achieve full RCE on default Langflow deployments

AnalysisAI

Unauthenticated remote code execution in IBM Langflow OSS versions 1.0.0 through 1.10.0 lets any network-reachable attacker achieve full RCE on default deployments by chaining two endpoints: /api/v1/auto_login, which mints SUPERUSER tokens to any caller, and /api/v1/validate/code, which passes user-supplied code to Python's exec(). CVSS is 9.8 (AV:N/AC:L/PR:N/UI:N) and a vendor patch is available; there is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach exposed Langflow API
Delivery
Request /api/v1/auto_login
Exploit
Obtain SUPERUSER token
Execution
Submit code to /api/v1/validate/code
Persist
exec() runs attacker payload
Impact
Remote code execution on server

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target run a default Langflow OSS deployment (versions 1.0.0-1.10.0) with the auto_login feature enabled, which mints SUPERUSER tokens to any unauthenticated network caller, and that both the /api/v1/auto_login and /api/v1/validate/code endpoints be network-reachable by the attacker. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This is a genuine high-priority issue rather than an inflated CVSS score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker scanning for internet-exposed Langflow instances sends an unauthenticated request to /api/v1/auto_login and receives a SUPERUSER token, then submits a malicious Python payload to /api/v1/validate/code, which executes it via exec() and yields a shell on the server. Given the network vector and low complexity (AV:N/AC:L/PR:N/UI:N), this requires no user interaction and can be fully scripted; no public exploit was identified at time of analysis, but the chain is straightforward to reproduce.
Remediation Upgrade to the fixed IBM Langflow OSS release per the vendor advisory at https://www.ibm.com/support/pages/node/7278927 (Patch available per vendor advisory; the exact fixed version is not stated in the provided data and should be taken directly from IBM's page). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: inventory all IBM Langflow OSS deployments and identify instances running versions 1.0.0 through 1.10.0; immediately restrict network access to these systems from untrusted sources or isolate from production networks if restriction is impractical. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-10561 CRITICAL
10.0 Jun 22

Unauthenticated remote code execution in IBM Langflow OSS versions 1.0.0 through 1.9.3 allows attackers to fully comprom

CVE-2026-7873 CRITICAL
9.9 Jun 30

Code injection in IBM Langflow OSS versions 1.0.0 through 1.10.0 lets an authenticated user execute arbitrary operating-

CVE-2026-8476 CRITICAL
9.9 Jul 17

Remote code execution in IBM Langflow OSS 1.0.0 through 1.10.0 allows attackers to run arbitrary code by planting a mali

CVE-2026-8481 CRITICAL
9.9 Jul 17

Authenticated remote code execution in IBM Langflow OSS 1.0.0 through 1.10.0 lets any logged-in user run arbitrary Pytho

CVE-2026-8635 CRITICAL
9.9 Jul 17

Privilege escalation to remote code execution in IBM Langflow OSS 1.0.0 through 1.10.0 allows an authenticated user to e

CVE-2026-8859 CRITICAL
9.9 Jul 17

Arbitrary file write in IBM Langflow OSS 1.0.0 through 1.10.0 lets an attacker who controls an external HTTP server plan

CVE-2026-9135 CRITICAL
9.9 Jul 17

Arbitrary Python code execution in IBM Langflow OSS 1.0.0 through 1.10.0 (Langflow versions up to 1.9.2) allows authenti

CVE-2026-7871 CRITICAL
9.8 Jun 30

Insecure deserialization (CWE-502) in IBM Langflow OSS versions 1.0.0 through 1.10.0 lets any party with access to the b

CVE-2026-7803 CRITICAL
9.8 Jun 30

Arbitrary code execution in IBM Langflow OSS versions 1.0.0 through 1.10.0 allows remote attackers to run code on the ho

CVE-2026-7664 CRITICAL
9.8 Jun 22

Authorization bypass in IBM Langflow OSS 1.0.0 through 1.8.4 allows unauthenticated remote attackers to access protected

CVE-2026-7663 CRITICAL
9.8 Jun 30

Improper authorization enforcement in IBM Langflow OSS 1.0.0 through 1.9.6 lets unauthenticated remote attackers reach p

CVE-2026-8505 CRITICAL
9.8 Jul 17

Unauthenticated remote code execution in IBM Langflow OSS 1.0.0 through 1.10.0 stems from broken webhook authentication

Share

CVE-2026-9198 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy