CVE-2026-0770
Remote Code Execution in Langflow via exec_globals Parameter
Publication date: 2026-01-23
Last updated on: 2026-02-18
Assigner: Zero Day Initiative
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| langflow | langflow | 1.4.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-829 | The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Langflow involves improper handling of the exec_globals parameter at the validate endpoint, where functionality from an untrusted control sphere is included. This flaw allows remote attackers to execute arbitrary code on affected systems without needing authentication. [1]
How can this vulnerability impact me? :
An attacker exploiting this vulnerability can execute arbitrary code remotely with root-level privileges on affected Langflow installations. This can lead to complete system compromise, including unauthorized access, data theft, or disruption of services. [1]