Remote Code Execution in IBM Langflow OSS Affects Multiple Versions
CVE-2026-13448

8.1HIGH

Key Information:

Vendor

IBM

Vendor
CVE Published:
17 July 2026

What is CVE-2026-13448?

IBM Langflow OSS versions 1.0.0 to 1.10.1 contain a remote code execution vulnerability in the public flow build API endpoint. This flaw allows unauthorized actors to exploit the incomplete denylist in the validate_public_flow_no_code_execution() function, leading to potential execution of malicious components such as OpenDsStarAgent, CodeActAgentSmolagents, and CSVAgent. Users are advised to apply patches and updates as detailed in the vendor advisory to secure their systems against this vulnerability.

Affected Version(s)

Langflow OSS 1.0.0 <= 1.10.1

References

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.