CVE-2026-7466
Received Received - Intake
Arbitrary Code Execution in AgentFlow via Local Python Pipeline Files

Publication date: 2026-04-29

Last updated on: 2026-04-29

Assigner: VulnCheck

Description
AgentFlow contains an arbitrary code execution vulnerability that allows attackers to execute local Python pipeline files by supplying a user-controlled pipeline_path parameter to the POST /api/runs and POST /api/runs/validate endpoints. Attackers can induce requests to the local AgentFlow API to load and execute existing Python pipeline files on disk, resulting in code execution in the context of the user running AgentFlow.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-29
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-30
EPSS Evaluated
2026-06-14
NVD
CVE-2026-7466
EUVD
EUVD-2026-26279
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
berabuddies agentflow to 1667fa3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-7466 is an arbitrary code execution vulnerability in AgentFlow. It allows attackers to execute local Python pipeline files by supplying a user-controlled pipeline_path parameter to the POST /api/runs and POST /api/runs/validate endpoints. This means an attacker can send specially crafted requests to the local AgentFlow API to load and run existing Python files on the system, executing code with the same privileges as the user running AgentFlow.

A security update has been made to mitigate this risk by disabling the pipeline_path parameter by default and restricting the API to bind only to localhost (127.0.0.1). To enable pipeline_path usage, an explicit environment variable must be set, ensuring this feature is only used in trusted environments.

Executive Summary

AgentFlow contains an arbitrary code execution vulnerability that allows attackers to execute local Python pipeline files by supplying a user-controlled pipeline_path parameter to specific API endpoints.

Specifically, attackers can send requests to the POST /api/runs and POST /api/runs/validate endpoints with a crafted pipeline_path parameter, causing the system to load and execute existing Python pipeline files on disk.

This results in code execution within the context of the user running AgentFlow, potentially allowing attackers to run arbitrary code on the affected system.

Impact Analysis

This vulnerability can lead to arbitrary code execution on the system running AgentFlow.

An attacker exploiting this flaw could execute malicious Python code with the same privileges as the AgentFlow user, potentially leading to unauthorized access, data manipulation, system compromise, or further attacks within the environment.

Compliance Impact

The vulnerability allows arbitrary code execution in the context of the user running AgentFlow by exploiting the pipeline_path parameter. This could lead to unauthorized access, data manipulation, or data breaches.

Such unauthorized code execution and potential data compromise can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and access.

Mitigations such as disabling the pipeline_path parameter by default and requiring explicit opt-in for its use help reduce the risk, but if the vulnerability is exploited, it could result in violations of these regulatory requirements.

Detection Guidance

Detection involves monitoring for unauthorized or suspicious POST requests to the local AgentFlow API endpoints /api/runs and /api/runs/validate that include the pipeline_path parameter.

Since the API binds to 127.0.0.1 by default, you can inspect local network traffic or logs for such requests.

Commands to detect such activity might include:

  • Using tcpdump or Wireshark to capture local traffic on loopback interface filtering for POST requests to /api/runs or /api/runs/validate.
  • Example tcpdump command: tcpdump -i lo -A 'tcp port 80 or tcp port 443' | grep -E 'POST /api/runs|POST /api/runs/validate'
  • Checking AgentFlow server logs for requests containing the pipeline_path parameter.
  • Using curl or similar tools to test if the vulnerable endpoints accept pipeline_path parameters without restrictions (only recommended in a controlled environment).
Mitigation Strategies

Immediate mitigation steps include applying the security hardening update that disables the pipeline_path parameter by default on the /api/runs and /api/runs/validate endpoints.

Ensure your AgentFlow version includes the patch from commit 1667fa3 or later.

By default, the web API binds only to 127.0.0.1, restricting access to local requests; verify this configuration to prevent remote exploitation.

Do not enable filesystem path loading unless in a secure, trusted environment by explicitly setting the environment variable AGENTFLOW_API_ALLOW_PIPELINE_PATH=1 when running agentflow serve.

Implement request validation to ensure only proper JSON content-type headers are accepted and reject invalid payloads.

Impact Analysis

This vulnerability can lead to arbitrary code execution on the system running AgentFlow. An attacker exploiting this flaw can execute Python code with the same permissions as the AgentFlow user, potentially leading to unauthorized access, data manipulation, system compromise, or further attacks within the environment.

Detection Guidance

Detection of this vulnerability involves monitoring for unauthorized or suspicious POST requests to the local AgentFlow API endpoints /api/runs and /api/runs/validate that include the pipeline_path parameter.

Since the vulnerable API accepts JSON requests with a user-controlled pipeline_path parameter, you can inspect network traffic or logs for such requests targeting these endpoints.

  • Use network monitoring tools like tcpdump or Wireshark to filter HTTP POST requests to localhost on the AgentFlow port (default binding is 127.0.0.1).
  • Example tcpdump command: tcpdump -i lo -A 'tcp port <AgentFlow_port> and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i 'POST /api/runs'
  • Check application logs for POST requests containing the pipeline_path parameter.
  • Use curl or similar tools to test if the API accepts pipeline_path parameters, e.g.: curl -X POST -H 'Content-Type: application/json' -d '{"pipeline_path":"/path/to/file.py"}' http://127.0.0.1:<AgentFlow_port>/api/runs
Mitigation Strategies

To mitigate this vulnerability immediately, ensure that your AgentFlow installation is updated to a version including the security hardening patch (commit 1667fa3 or later).

By default, the patched AgentFlow web API binds only to 127.0.0.1 and disables the pipeline_path parameter on the /api/runs and /api/runs/validate endpoints, preventing arbitrary code execution.

Avoid enabling the AGENTFLOW_API_ALLOW_PIPELINE_PATH environment variable unless you fully trust the environment and workflows, as this opt-in allows filesystem path loading.

  • Update AgentFlow to the latest version containing the patch.
  • Verify that the API is bound to localhost (127.0.0.1) only.
  • Ensure that the pipeline_path parameter is disabled by default and not accepted in API requests.
  • Implement network controls to restrict access to the AgentFlow API endpoints.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7466. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart