Remote Code Execution in IBM Langflow OSS Affects Multiple Versions
CVE-2026-13448
8.1HIGH
What is CVE-2026-13448?
IBM Langflow OSS versions 1.0.0 to 1.10.1 contain a remote code execution vulnerability in the public flow build API endpoint. This flaw allows unauthorized actors to exploit the incomplete denylist in the validate_public_flow_no_code_execution() function, leading to potential execution of malicious components such as OpenDsStarAgent, CodeActAgentSmolagents, and CSVAgent. Users are advised to apply patches and updates as detailed in the vendor advisory to secure their systems against this vulnerability.
Affected Version(s)
Langflow OSS 1.0.0 <= 1.10.1