CVE-2026-14499
Received Received - Intake

IBM Langflow Arbitrary Command Execution Vulnerability

Vulnerability report for CVE-2026-14499, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: IBM Corporation

Description

IBM Langflow OSS 1.0.0 through 1.10.1 Langflow could allow an authenticated user to execute arbitrary commands with elevated privileges on the system due to improper validation of user supplied input in the Python Interpreter component.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
ibm langflow to 1.10.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in IBM Langflow OSS 1.0.0 through 1.10.1 allows an authenticated user to execute arbitrary commands with elevated privileges due to improper validation of user input in the Python Interpreter component.

Detection Guidance

Check Langflow version with: pip show langflow. If installed version is between 1.0.0 and 1.10.1, the system is vulnerable. Inspect API endpoints for unauthenticated access or improper authorization. Monitor for unusual command execution patterns or unauthorized file access in logs.

Impact Analysis

An attacker could exploit this to gain control over the system, execute malicious commands, access sensitive data, disrupt services, or escalate privileges. The high CVSS score of 8.8 indicates significant risk.

Compliance Impact

This vulnerability could lead to unauthorized access, data breaches, or privilege escalation, potentially violating GDPR (data protection) and HIPAA (health data security) requirements. Compliance may be compromised due to exposure of sensitive information or system control.

Mitigation Strategies

Upgrade Langflow to version 1.10.2 or later immediately. Ensure all API endpoints require authentication and proper authorization. Remove any hardcoded default superuser credentials. Restrict access to MCP server configuration and file management endpoints.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14499. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart