CVE-2026-0769
Remote Code Execution via Eval Injection in Langflow Component
Publication date: 2026-01-23
Last updated on: 2026-02-18
Assigner: Zero Day Initiative
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| langflow | langflow | 1.3.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-95 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval"). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a critical remote code execution flaw in Langflow's eval_custom_component_code function. It occurs because the function executes user-supplied strings as Python code without proper validation. This allows remote attackers to run arbitrary code on affected systems without needing to authenticate. [1]
How can this vulnerability impact me? :
An attacker can exploit this vulnerability to execute arbitrary code remotely on your Langflow installation. This can lead to full compromise of the affected system, including unauthorized access, data theft, system manipulation, or disruption of services. [1]