Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
auto_login grants SUPERUSER tokens to any unauthenticated network caller (PR:N, AV:N, AC:L), and exec()-based code execution yields full host compromise (C:H/I:H/A:H).
Primary rating from Vendor (ibm).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionNVD
IBM Langflow OSS 1.0.0 through 1.10.0 allows unauthenticated attackers to chain /api/v1/auto_login (mints SUPERUSER tokens to any network caller) with /api/v1/validate/code (executes user code via exec()) to achieve full RCE on default Langflow deployments
AnalysisAI
Unauthenticated remote code execution in IBM Langflow OSS versions 1.0.0 through 1.10.0 lets any network-reachable attacker achieve full RCE on default deployments by chaining two endpoints: /api/v1/auto_login, which mints SUPERUSER tokens to any caller, and /api/v1/validate/code, which passes user-supplied code to Python's exec(). CVSS is 9.8 (AV:N/AC:L/PR:N/UI:N) and a vendor patch is available; there is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target run a default Langflow OSS deployment (versions 1.0.0-1.10.0) with the auto_login feature enabled, which mints SUPERUSER tokens to any unauthenticated network caller, and that both the /api/v1/auto_login and /api/v1/validate/code endpoints be network-reachable by the attacker. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | This is a genuine high-priority issue rather than an inflated CVSS score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker scanning for internet-exposed Langflow instances sends an unauthenticated request to /api/v1/auto_login and receives a SUPERUSER token, then submits a malicious Python payload to /api/v1/validate/code, which executes it via exec() and yields a shell on the server. Given the network vector and low complexity (AV:N/AC:L/PR:N/UI:N), this requires no user interaction and can be fully scripted; no public exploit was identified at time of analysis, but the chain is straightforward to reproduce. |
| Remediation | Upgrade to the fixed IBM Langflow OSS release per the vendor advisory at https://www.ibm.com/support/pages/node/7278927 (Patch available per vendor advisory; the exact fixed version is not stated in the provided data and should be taken directly from IBM's page). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: inventory all IBM Langflow OSS deployments and identify instances running versions 1.0.0 through 1.10.0; immediately restrict network access to these systems from untrusted sources or isolate from production networks if restriction is impractical. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Langflow Oss
View allUnauthenticated remote code execution in IBM Langflow OSS versions 1.0.0 through 1.9.3 allows attackers to fully comprom
Code injection in IBM Langflow OSS versions 1.0.0 through 1.10.0 lets an authenticated user execute arbitrary operating-
Remote code execution in IBM Langflow OSS 1.0.0 through 1.10.0 allows attackers to run arbitrary code by planting a mali
Authenticated remote code execution in IBM Langflow OSS 1.0.0 through 1.10.0 lets any logged-in user run arbitrary Pytho
Privilege escalation to remote code execution in IBM Langflow OSS 1.0.0 through 1.10.0 allows an authenticated user to e
Arbitrary file write in IBM Langflow OSS 1.0.0 through 1.10.0 lets an attacker who controls an external HTTP server plan
Arbitrary Python code execution in IBM Langflow OSS 1.0.0 through 1.10.0 (Langflow versions up to 1.9.2) allows authenti
Insecure deserialization (CWE-502) in IBM Langflow OSS versions 1.0.0 through 1.10.0 lets any party with access to the b
Arbitrary code execution in IBM Langflow OSS versions 1.0.0 through 1.10.0 allows remote attackers to run code on the ho
Authorization bypass in IBM Langflow OSS 1.0.0 through 1.8.4 allows unauthenticated remote attackers to access protected
Improper authorization enforcement in IBM Langflow OSS 1.0.0 through 1.9.6 lets unauthenticated remote attackers reach p
Unauthenticated remote code execution in IBM Langflow OSS 1.0.0 through 1.10.0 stems from broken webhook authentication
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45236
GHSA-5wm9-vgmg-cjv6