Remote Code Execution Vulnerability in IBM Langflow OSS
CVE-2026-8481
9.9CRITICAL
What is CVE-2026-8481?
IBM Langflow OSS versions 1.0.0 through 1.10.0 contain a significant vulnerability within the code validation API endpoint. The endpoint allows authenticated users to send user-supplied Python code which is executed directly through Python's exec() function, without any input validation or sandboxing measures. This oversight enables a malicious actor to execute arbitrary system commands with full privileges of the Langflow server process, potentially leading to severe system compromise.
Affected Version(s)
Langflow OSS 1.0.0 <= 1.10.0