Critical Langflow RCE Vulnerability Scores CVSS 10

Critical Langflow Flaws Allow Unauthenticated Remote Code Execution

Do Son June 25, 2026 2 minutes read

At a glance

Product: IBM Langflow OSS
Vulnerabilities: 2 flaws (CVE-2026-10561, CVE-2026-7664)
Highest severity: 10.0 (Critical · CVSSv3)
Worst impact: Unauthenticated Remote Code Execution in PythonREPLComponent via Builtins Injection
Status: No confirmed exploitation yet
Action: Upgrade Langflow OSS to version 1.9.4 now

CVE	CVSS (CVSSv3)	Type	Fixed in	Status
CVE-2026-10561	10	CWE-94	—	Not exploited
CVE-2026-7664	9.8	CWE-287	—	Not exploited

TL;DR

IBM disclosed two critical flaws in Langflow OSS, the open-source AI workflow builder. One is a Langflow RCE vulnerability that scores a maximum CVSS of 10. Both let unauthenticated attackers reach protected functions.

Why It Matters

Langflow ships with risky defaults. By default, the platform auto-logins users and grants a superuser token without credentials. Therefore, exposed instances sit open to anyone on the internet. Past Langflow bugs also drew fast attacks. For example, researchers at Sysdig saw threat actors exploit CVE-2026-33017 within roughly 20 hours of disclosure. Security firms further count about 7,000 Langflow instances reachable online. So these new flaws deserve quick attention.

How the Attacks Work

The Langflow RCE vulnerability and the authorization bug share one root cause: missing trust boundaries.

CVE-2026-10561: Python execution flaw

This flaw sits in the Python Interpreter component. The component builds a restricted globals dictionary but never resets builtins. As a result, Python’s exec() reinserts the full builtins set at runtime. That move exposes import, open, and eval to a caller. Combined with the default auto-login, the bug becomes unauthenticated RCE. An attacker could then run OS commands and steal provider API keys.

CVE-2026-7664: Authorization bypass

The second flaw weakens authorization in Langflow’s MCP transport endpoint. By default, the handler trusts the caller and skips any credential check. So an unauthenticated user can reach protected project resources and run flows.

Exploitation Status

IBM has not reported active exploitation of either CVE. Likewise, no public proof-of-concept exists for these two specific flaws yet. Still, Langflow’s track record makes patching urgent.

Affected Versions

The code-execution flaw affects Langflow OSS 1.0.0 through 1.9.3. The authorization flaw affects Langflow OSS 1.0.0 through 1.8.4.

Patch and Mitigation

Upgrade Langflow OSS to version 1.9.4 right now. This release fixes both issues in one step. You can pull the latest build from the official Langflow package on PyPI. Until you patch, disable AUTO_LOGIN and require webhook authentication. Also, keep Langflow off the public internet behind a VPN or proxy. Treat this Langflow RCE vulnerability as a top priority.

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal

Written by

@DdoS · Security Researcher

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.