Remote Code Execution Vulnerability in Langflow by Langflow AI
CVE-2026-48519

9.6 CRITICAL

Key Information:

CVE Published: 23 June 2026

What is CVE-2026-48519?

Langflow, a platform for building AI-powered agents, contains a critical vulnerability in versions prior to 1.9.2 that allows remote code execution via its 'Shareable Playground' feature. An unauthorized user can execute arbitrary Python code by exploiting a public flow ID, with no authentication required. The vulnerable API endpoint, /api/v1/build_public_tmp, accepts malicious code injected through a JSON payload. Users are strongly advised to upgrade to version 1.9.2 or later to mitigate this risk.
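For triage on an instance that ran a version before 1.9.2, the following added example (not part of the advisory and not Langflow code) scans web access logs for requests to the endpoint named above and summarizes them per client. It assumes a reverse proxy writing common/combined log format; the sample lines, IP addresses and flow ID placeholder are constructed, and because the advisory gives only the endpoint prefix, the match is on that prefix.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

ENDPOINT = "/api/v1/build_public_tmp"  # endpoint named in the advisory

# Assumed log format: ip - user [time] "METHOD path HTTP/x" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalize(raw_path):
    """Drop the query string, decode %-escapes and collapse repeated slashes."""
    path = unquote(raw_path.split("?", 1)[0])
    return re.sub(r"/+", "/", path)

def find_hits(lines):
    """Return parsed requests whose path targets the advisory's endpoint."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed format
        path = normalize(m["path"])
        # Match the endpoint or anything below it, not look-alike names.
        if path == ENDPOINT or path.startswith(ENDPOINT + "/"):
            hits.append(m.groupdict())
    return hits

def summarize(hits):
    """Per client IP: number of requests and how many received a 2xx status."""
    summary = defaultdict(lambda: {"requests": 0, "succeeded": 0})
    for h in hits:
        summary[h["ip"]]["requests"] += 1
        summary[h["ip"]]["succeeded"] += int(h["status"].startswith("2"))
    return dict(summary)

# Constructed sample lines (documentation IP ranges, placeholder flow ID).
SAMPLE = [
    '203.0.113.7 - - [23/Jun/2026:10:01:02 +0000] "POST /api/v1/build_public_tmp/FLOW-ID-PLACEHOLDER HTTP/1.1" 200 512',
    '203.0.113.7 - - [23/Jun/2026:10:01:09 +0000] "POST /api/v1/build_public_tmp/FLOW-ID-PLACEHOLDER HTTP/1.1" 403 31',
    '198.51.100.20 - - [23/Jun/2026:10:02:00 +0000] "GET /api/v1/build_public_tmp_docs HTTP/1.1" 404 0',
    '198.51.100.9 - - [23/Jun/2026:10:03:15 +0000] "POST /api/v1//build_public_tmp%2FFLOW-ID-PLACEHOLDER HTTP/1.1" 200 90',
    '192.0.2.5 - - [23/Jun/2026:10:04:00 +0000] "GET /health HTTP/1.1" 200 2',
]

if __name__ == "__main__":
    for ip, stats in summarize(find_hits(SAMPLE)).items():
        print(ip, stats)
```

Requests that received a 2xx response before the upgrade are the ones to correlate with process and outbound-connection telemetry from the Langflow host.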

Affected Version(s)

langflow < 1.9.2

CVSS V3.1

Score: 9.6
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved