CVE-2026-0771
PythonFunction Code Injection in Langflow Enables Remote Code Execution
Publication date: 2026-01-23
Last updated on: 2026-02-18
Assigner: Zero Day Initiative
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| langflow | langflow | 1.4.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-0771 is a remote code execution vulnerability in Langflow that arises from improper handling of Python function components. It allows remote attackers to inject and execute arbitrary Python code within workflows, potentially running code with the application's privileges. The exploitability and attack methods depend on how the product is configured. [1]
How can this vulnerability impact me?
This vulnerability can allow attackers to execute arbitrary code remotely on affected Langflow installations, which can lead to full compromise of the application. This includes unauthorized access, modification, or deletion of data, disruption of service, and potential further attacks within the environment. [1]