Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local-only vector, low-privilege access required, no scope change; impact rated Low across CIA consistent with provided CVSS 4.0 VC:L/VI:L/VA:L ratings.
Primary rating from Vendor (vuldb).
CVSS VectorVendor: vuldb
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability was identified in langflow-ai langflow up to 1.9.3. This affects an unknown function of the component Bundle URL Loader. The manipulation leads to code injection. The attack needs to be performed locally. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Code injection in langflow's Bundle URL Loader component allows local attackers with low privileges to inject and execute arbitrary code within the langflow process across versions 1.9.0 through 1.9.3. A publicly available proof-of-concept demonstrating startup-time RCE via maliciously crafted bundle URLs has been published by the researcher, though the CVSS 4.0 vector (VC:L/VI:L/VA:L) rates impact as low - a discrepancy with the RCE claim in the PoC that warrants independent verification. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Local system access is required - network-based exploitation is explicitly ruled out by AV:L in the CVSS 4.0 vector. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 1.9 places this in the lowest risk tier, driven by a local-only attack vector (AV:L) and low privilege requirement (PR:L), which severely constrains the attack surface to users with existing local system access. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privilege local user on a system running langflow 1.9.x submits a crafted bundle URL to the Bundle URL Loader component; during component startup or initialization, insufficient input validation causes the injected payload within the bundle to be parsed and executed in the langflow process context. A proof-of-concept demonstrating this technique is publicly available at https://github.com/dxz0069/softwareoverflow/blob/main/langflow_bundle_url_custom_component_startup_rce_vulndb.md, reducing the skill barrier for exploitation. |
| Remediation | No vendor-released patch is available at time of analysis - the vendor did not respond to the researcher's coordinated disclosure. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Langflow before 1.3.0 allows unauthenticated remote code injection through the /api/v1/validate/code endpoint, enabling
Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote cod
Code injection in Langflow CSV Agent node before 1.8.0. The node hardcodes allow_dangerous_code=True, enabling arbitrary
Langflow has a third RCE vulnerability via exec_globals (EPSS 10.0%) allowing inclusion of untrusted code that executes
langflow <=1.0.18 is vulnerable to Remote Code Execution (RCE) as any component provided the code functionality and the
langflow v1.0.12 was discovered to contain a remote code execution (RCE) vulnerability via the PythonCodeTool component.
Langflow through 0.6.19 allows remote code execution if untrusted users are able to reach the "POST /api/v1/custom_compo
Langflow before 1.7.0.dev45 exposes multiple API endpoints without authentication, allowing unauthenticated access to us
Langflow versions prior to 1.0.13 suffer from a Privilege Escalation vulnerability, allowing a remote and low privileged
Langflow has a code injection vulnerability in the code component (EPSS 2.6%) enabling remote code execution through the
Langflow has an eval injection in eval_custom_component_code (EPSS 2.0%) enabling remote code execution through crafted
Remote code execution in IBM Langflow OSS 1.0.0 through 1.9.3 lets an unauthenticated attacker inject and run arbitrary
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38203
GHSA-fxq6-8jqq-rh9v