PROBABLYPWNED
VulnerabilitiesJuly 7, 20264 min read

Langflow Flaw Lets Anyone Execute Code on AI Workflow Servers

CVE-2026-10134 enables unauthenticated RCE in Langflow OSS through public flows. Attackers can run arbitrary Python on servers via the build endpoint.

Marcus Chen

A critical vulnerability in Langflow OSS allows unauthenticated attackers to execute arbitrary Python code on servers running the popular LLM application framework. CVE-2026-10134 affects versions 1.0.0 through 1.9.3 and requires only that a legitimate user has created a public flow—a common practice for sharing AI workflows.

Langflow has gained popularity as a visual tool for building LLM-powered applications, letting users design complex AI pipelines without writing code. The same flexibility that makes it useful for rapid prototyping also created this vulnerability: the PythonCodeStructuredTool component executes user-supplied Python through the exec() function without adequate safeguards.

How the Vulnerability Works

The flaw centers on Langflow's flow-building mechanism. When users create flows that include the PythonCodeStructuredTool, they can define custom Python code that executes during flow builds. This is by design—it enables powerful customization.

The problem emerges when flows are marked as public. Langflow exposes two endpoints for building flows:

  1. /api/v1/build/{flow_id}/flow - Requires authentication
  2. /api/v1/build_public_tmp/{flow_id}/flow - No authentication required for public flows

Once a legitimate user creates a public flow containing PythonCodeStructuredTool, any visitor can submit build requests to that flow. The server executes whatever Python code is embedded in the flow, giving attackers full code execution with the privileges of the Langflow process.

An attacker doesn't need to modify the flow itself. They simply need to find a public flow using PythonCodeStructuredTool and trigger a build. In practice, this often means server compromise is one HTTP request away from discovery.

Exploitation Paths

Security researchers identified multiple attack scenarios:

Direct Exploitation: Attackers scan for Langflow instances, enumerate public flows, identify those using PythonCodeStructuredTool, and trigger builds to execute payloads. This could install backdoors, steal credentials, or pivot to other systems.

Stored Exploitation: If attackers can create their own flows (even as authenticated low-privilege users), they can build malicious public flows and wait for other users or automated systems to trigger them.

Data Theft: The exec() call has access to Langflow's runtime context. Attackers can read other flows, extract API keys for connected LLM providers, and access any secrets configured in the application.

This vulnerability shares similarities with other AI tool security issues we've covered, where the rush to deploy AI capabilities has sometimes outpaced security considerations.

Impact on Organizations

Langflow deployments often contain sensitive data:

  • API keys for OpenAI, Anthropic, Cohere, and other LLM providers
  • Database connection strings
  • Internal service credentials
  • Proprietary prompts and business logic

A compromised Langflow instance could expose all of this while also providing attackers with a foothold for further network penetration. Given that Langflow often runs in cloud environments with access to other services, the blast radius can extend well beyond the application itself.

Remediation Steps

IBM released patches addressing the vulnerability. Organizations should:

  1. Upgrade immediately to Langflow version 1.9.4 or later
  2. Audit public flows - Review all flows marked as public and assess whether public access is necessary
  3. Restrict PythonCodeStructuredTool - Consider whether this component is needed, and if so, limit who can create flows using it
  4. Check for compromise - Review server logs for unusual build requests, particularly from external IPs
  5. Rotate secrets - Any API keys or credentials accessible to Langflow should be rotated

For organizations unable to immediately upgrade:

  • Remove public access from all flows
  • Implement network-level access controls to restrict who can reach Langflow endpoints
  • Consider disabling the public flow build endpoint entirely

Broader AI Security Concerns

This vulnerability reflects a broader pattern in the AI tooling ecosystem. The same powerful capabilities that make these tools useful—executing custom code, connecting to external services, processing untrusted inputs—also create significant attack surface.

Langflow isn't alone. We've seen similar issues in AI coding assistants and automation platforms where the drive to make AI accessible has sometimes meant deploying code execution capabilities without adequate authentication or sandboxing.

Organizations evaluating AI frameworks should assess:

  • What code execution capabilities exist?
  • How are public/unauthenticated endpoints protected?
  • What secrets are accessible to the framework?
  • How is user-supplied content sanitized?

For Langflow specifically, the fix addresses this immediate vulnerability, but teams should review their deployment architecture to ensure defense in depth. API gateways, network segmentation, and principle of least privilege all help limit damage if similar vulnerabilities emerge in the future.

Related Articles