CVE-2026-0768

Langflow code Code Injection Remote Code Execution Vulnerability

Assigner: zdi
Reserved: 08.01.2026 Published: 23.01.2026 Updated: 24.01.2026

Langflow code Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the handling of the code parameter provided to the validate endpoint. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of root. . Was ZDI-CAN-27322.

Metrics

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 9.8

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.0

Product Status

Vendor	Langflow
Product	Langflow
Versions	Default: unknown Version 1.4.2 is affected

Vendor

Langflow

Product

Langflow

Versions

Default: unknown

Version 1.4.2 is affected

References

Problem Types

CWE-94: Improper Control of Generation of Code ('Code Injection') CWE

CVE-2026-0768 PUBLISHED

Langflow code Code Injection Remote Code Execution Vulnerability

Metrics

Product Status

References

Problem Types