Langflow Flaw Lets Anyone Execute Code on AI Workflow Servers
CVE-2026-10134 enables unauthenticated RCE in Langflow OSS through public flows. Attackers can run arbitrary Python on servers via the build endpoint.
A critical vulnerability in Langflow OSS allows unauthenticated attackers to execute arbitrary Python code on servers running the popular LLM application framework. CVE-2026-10134 affects versions 1.0.0 through 1.9.3 and requires only that a legitimate user has created a public flow—a common practice for sharing AI workflows.
Langflow has gained popularity as a visual tool for building LLM-powered applications, letting users design complex AI pipelines without writing code. The same flexibility that makes it useful for rapid prototyping also created this vulnerability: the PythonCodeStructuredTool component executes user-supplied Python through the exec() function without adequate safeguards.
How the Vulnerability Works
The flaw centers on Langflow's flow-building mechanism. When users create flows that include the PythonCodeStructuredTool, they can define custom Python code that executes during flow builds. This is by design—it enables powerful customization.
The problem emerges when flows are marked as public. Langflow exposes two endpoints for building flows:
/api/v1/build/{flow_id}/flow- Requires authentication/api/v1/build_public_tmp/{flow_id}/flow- No authentication required for public flows
Once a legitimate user creates a public flow containing PythonCodeStructuredTool, any visitor can submit build requests to that flow. The server executes whatever Python code is embedded in the flow, giving attackers full code execution with the privileges of the Langflow process.
An attacker doesn't need to modify the flow itself. They simply need to find a public flow using PythonCodeStructuredTool and trigger a build. In practice, this often means server compromise is one HTTP request away from discovery.
Exploitation Paths
Security researchers identified multiple attack scenarios:
Direct Exploitation: Attackers scan for Langflow instances, enumerate public flows, identify those using PythonCodeStructuredTool, and trigger builds to execute payloads. This could install backdoors, steal credentials, or pivot to other systems.
Stored Exploitation: If attackers can create their own flows (even as authenticated low-privilege users), they can build malicious public flows and wait for other users or automated systems to trigger them.
Data Theft: The exec() call has access to Langflow's runtime context. Attackers can read other flows, extract API keys for connected LLM providers, and access any secrets configured in the application.
This vulnerability shares similarities with other AI tool security issues we've covered, where the rush to deploy AI capabilities has sometimes outpaced security considerations.
Impact on Organizations
Langflow deployments often contain sensitive data:
- API keys for OpenAI, Anthropic, Cohere, and other LLM providers
- Database connection strings
- Internal service credentials
- Proprietary prompts and business logic
A compromised Langflow instance could expose all of this while also providing attackers with a foothold for further network penetration. Given that Langflow often runs in cloud environments with access to other services, the blast radius can extend well beyond the application itself.
Remediation Steps
IBM released patches addressing the vulnerability. Organizations should:
- Upgrade immediately to Langflow version 1.9.4 or later
- Audit public flows - Review all flows marked as public and assess whether public access is necessary
- Restrict PythonCodeStructuredTool - Consider whether this component is needed, and if so, limit who can create flows using it
- Check for compromise - Review server logs for unusual build requests, particularly from external IPs
- Rotate secrets - Any API keys or credentials accessible to Langflow should be rotated
For organizations unable to immediately upgrade:
- Remove public access from all flows
- Implement network-level access controls to restrict who can reach Langflow endpoints
- Consider disabling the public flow build endpoint entirely
Broader AI Security Concerns
This vulnerability reflects a broader pattern in the AI tooling ecosystem. The same powerful capabilities that make these tools useful—executing custom code, connecting to external services, processing untrusted inputs—also create significant attack surface.
Langflow isn't alone. We've seen similar issues in AI coding assistants and automation platforms where the drive to make AI accessible has sometimes meant deploying code execution capabilities without adequate authentication or sandboxing.
Organizations evaluating AI frameworks should assess:
- What code execution capabilities exist?
- How are public/unauthenticated endpoints protected?
- What secrets are accessible to the framework?
- How is user-supplied content sanitized?
For Langflow specifically, the fix addresses this immediate vulnerability, but teams should review their deployment architecture to ensure defense in depth. API gateways, network segmentation, and principle of least privilege all help limit damage if similar vulnerabilities emerge in the future.
Related Articles
Langflow AI Platform RCE Flaw Exploited — 7,000 Instances Exposed
CVE-2026-5027 allows unauthenticated attackers to write arbitrary files on Langflow servers. Patch to version 1.10.0 immediately—attackers are already exploiting exposed instances.
Jun 11, 2026AutoJack Turns AI Browsing Agents Into Zero-Click RCE Vectors
Microsoft discloses AutoJack, an exploit chain that hijacks AutoGen Studio AI agents via malicious webpages. A single URL visit triggers arbitrary code execution on the host machine.
Jun 22, 2026LangGraph Vulnerability Chain Enables Full Server Takeover
Check Point researchers chained SQL injection and unsafe deserialization flaws to achieve RCE on AI workflow platforms. Patch langgraph to 1.0.10+ immediately.
Jun 13, 2026LiteLLM Flaw Chains to Unauthenticated RCE—CISA Adds to KEV
CVE-2026-42271 in LiteLLM chains with Starlette bypass for unauthenticated remote code execution. CISA adds to KEV catalog after active exploitation confirmed.
Jun 9, 2026