CVE-2026-7466
Arbitrary Code Execution in AgentFlow via Local Python Pipeline Files
Publication date: 2026-04-29
Last updated on: 2026-04-29
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| berabuddies | agentflow | up to 1667fa3 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
AgentFlow contains an arbitrary code execution vulnerability that allows attackers to execute local Python pipeline files by supplying a user-controlled pipeline_path parameter to specific API endpoints.
Specifically, attackers can send requests to the POST /api/runs and POST /api/runs/validate endpoints with a crafted pipeline_path parameter, causing the system to load and execute existing Python pipeline files on disk.
This results in code execution within the context of the user running AgentFlow, potentially allowing attackers to run arbitrary code on the affected system.
How can this vulnerability impact me?
This vulnerability can lead to arbitrary code execution on the system running AgentFlow.
An attacker exploiting this flaw could execute malicious Python code with the same privileges as the AgentFlow user, potentially leading to unauthorized access, data manipulation, system compromise, or further attacks within the environment.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows arbitrary code execution in the context of the user running AgentFlow by exploiting the pipeline_path parameter. This could lead to unauthorized access, data manipulation, or data breaches.
Such unauthorized code execution and potential data compromise can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and access.
Mitigations such as disabling the pipeline_path parameter by default and requiring explicit opt-in for its use help reduce the risk, but if the vulnerability is exploited, it could result in violations of these regulatory requirements.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves monitoring for unauthorized or suspicious POST requests to the local AgentFlow API endpoints /api/runs and /api/runs/validate that include the pipeline_path parameter.
Since the API binds to 127.0.0.1 by default, you can inspect local network traffic or logs for such requests.
Commands to detect such activity might include:
- Using tcpdump or Wireshark to capture local traffic on the loopback interface, filtering for POST requests to /api/runs or /api/runs/validate.
- Example tcpdump command (replace `<AgentFlow_port>` with the port AgentFlow listens on): `tcpdump -l -i lo -A 'tcp port <AgentFlow_port>' | grep -E 'POST /api/runs(/validate)?'`
- Checking AgentFlow server logs for requests containing the pipeline_path parameter.
- Using curl or similar tools to test if the vulnerable endpoints accept pipeline_path parameters without restrictions (only recommended in a controlled environment).
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the security hardening update that disables the pipeline_path parameter by default on the /api/runs and /api/runs/validate endpoints.
Ensure your AgentFlow version includes the patch from commit 1667fa3 or later.
By default, the web API binds only to 127.0.0.1, restricting access to local requests; verify this configuration to prevent remote exploitation.
Filesystem path loading is enabled only by explicitly setting the environment variable AGENTFLOW_API_ALLOW_PIPELINE_PATH=1 when running agentflow serve. Do not set it unless you are in a secure, trusted environment.
Implement request validation to ensure only proper JSON content-type headers are accepted and reject invalid payloads.
Can you explain this vulnerability to me?
CVE-2026-7466 is an arbitrary code execution vulnerability in AgentFlow. It allows attackers to execute local Python pipeline files by supplying a user-controlled pipeline_path parameter to the POST /api/runs and POST /api/runs/validate endpoints. This means an attacker can send specially crafted requests to the local AgentFlow API to load and run existing Python files on the system, executing code with the same privileges as the user running AgentFlow.
A security update has been made to mitigate this risk by disabling the pipeline_path parameter by default and restricting the API to bind only to localhost (127.0.0.1). To enable pipeline_path usage, an explicit environment variable must be set, ensuring this feature is only used in trusted environments.
How can this vulnerability impact me?
This vulnerability can lead to arbitrary code execution on the system running AgentFlow. An attacker exploiting this flaw can execute Python code with the same permissions as the AgentFlow user, potentially leading to unauthorized access, data manipulation, system compromise, or further attacks within the environment.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for unauthorized or suspicious POST requests to the local AgentFlow API endpoints /api/runs and /api/runs/validate that include the pipeline_path parameter.
Since the vulnerable API accepts JSON requests with a user-controlled pipeline_path parameter, you can inspect network traffic or logs for such requests targeting these endpoints.
- Use network monitoring tools like tcpdump or Wireshark to filter HTTP POST requests to localhost on the AgentFlow port (default binding is 127.0.0.1).
- Example tcpdump command: `tcpdump -l -i lo -A 'tcp port <AgentFlow_port> and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i 'POST /api/runs'`
- Check application logs for POST requests containing the pipeline_path parameter.
- Use curl or similar tools to test if the API accepts pipeline_path parameters, e.g.: `curl -X POST -H 'Content-Type: application/json' -d '{"pipeline_path":"/path/to/file.py"}' http://127.0.0.1:<AgentFlow_port>/api/runs`
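The log and capture checks described in both detection answers can be automated. The following is an added example, not AgentFlow code: it flags POST requests to the two endpoints whose body carries pipeline_path, including bodies truncated by the capture. The sample requests and every body key other than pipeline_path are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

WATCHED_PATHS = {"/api/runs", "/api/runs/validate"}  # endpoints from the advisory
HDR = "Host: 127.0.0.1\r\nContent-Type: application/json\r\n\r\n"

# Constructed sample requests (not real traffic); body keys other than
# pipeline_path are assumptions.
SAMPLE_REQUESTS = [
    "POST /api/runs HTTP/1.1\r\n" + HDR + '{"pipeline_path": "/tmp/example_pipeline.py"}',
    # Capture cut off mid-body, so the JSON no longer parses.
    "POST /api/runs/validate?dry=1 HTTP/1.1\r\n" + HDR + '{"pipeline_path": "/srv/p.py", "op',
    "POST /api/runs HTTP/1.1\r\n" + HDR + '{"name": "inline-run"}',
    "GET /api/runs HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n",
]


def inspect_request(raw):
    """Return a finding dict for a POST to a watched endpoint that carries
    pipeline_path, otherwise None."""
    head, _, body = raw.partition("\r\n\r\n")
    parts = head.split("\r\n", 1)[0].split(" ")
    if len(parts) != 3:
        return None  # not an HTTP request line
    method, target, _version = parts
    path = urlsplit(target).path.rstrip("/")  # drop query string and trailing slash
    if method.upper() != "POST" or path not in WATCHED_PATHS:
        return None
    try:
        payload = json.loads(body)
    except ValueError:
        # Truncated or malformed body: fall back to a raw key match.
        if '"pipeline_path"' in body:
            return {"endpoint": path, "pipeline_path": None, "parsed": False}
        return None
    if isinstance(payload, dict) and "pipeline_path" in payload:
        return {"endpoint": path, "pipeline_path": payload["pipeline_path"], "parsed": True}
    return None


def scan(requests):
    """Inspect every request and keep only the findings."""
    return [f for f in map(inspect_request, requests) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```
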
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, ensure that your AgentFlow installation is updated to a version including the security hardening patch (commit 1667fa3 or later).
By default, the patched AgentFlow web API binds only to 127.0.0.1 and disables the pipeline_path parameter on the /api/runs and /api/runs/validate endpoints, preventing arbitrary code execution.
Avoid enabling the AGENTFLOW_API_ALLOW_PIPELINE_PATH environment variable unless you fully trust the environment and workflows, as this opt-in allows filesystem path loading.
- Update AgentFlow to the latest version containing the patch.
- Verify that the API is bound to localhost (127.0.0.1) only.
- Ensure that the pipeline_path parameter is disabled by default and not accepted in API requests.
- Implement network controls to restrict access to the AgentFlow API endpoints.
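The default-deny behaviour described in both mitigation answers can be expressed as one request gate. This is an added sketch, not the code from commit 1667fa3: the function name, status codes and messages are assumptions, while the endpoints and the AGENTFLOW_API_ALLOW_PIPELINE_PATH variable come from the advisory.

```python
import json
import os

GATED_ENDPOINTS = {"/api/runs", "/api/runs/validate"}
OPT_IN_VAR = "AGENTFLOW_API_ALLOW_PIPELINE_PATH"


def check_run_request(path, content_type, body, environ=None):
    """Return (status, reason) for a POST to a gated endpoint.

    Hypothetical helper: rejects non-JSON content types and invalid
    payloads, and refuses pipeline_path unless the operator opted in.
    """
    environ = os.environ if environ is None else environ
    if path not in GATED_ENDPOINTS:
        return 404, "unknown endpoint"
    # Compare only the media type; ignore parameters such as charset.
    media_type = (content_type or "").split(";", 1)[0].strip().lower()
    if media_type != "application/json":
        return 415, "Content-Type must be application/json"
    try:
        payload = json.loads(body)
    except ValueError:
        return 400, "body is not valid JSON"
    if not isinstance(payload, dict):
        return 400, "body must be a JSON object"
    # Default deny: filesystem path loading needs the explicit opt-in value "1".
    if "pipeline_path" in payload and environ.get(OPT_IN_VAR) != "1":
        return 403, "pipeline_path is disabled unless " + OPT_IN_VAR + "=1"
    return 200, "accepted"


if __name__ == "__main__":
    # Constructed request body for illustration.
    sample = '{"pipeline_path": "/tmp/example_pipeline.py"}'
    print(check_run_request("/api/runs", "application/json", sample, environ={}))
    print(check_run_request("/api/runs", "application/json", sample,
                            environ={OPT_IN_VAR: "1"}))
```
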