CVE-2026-9135
Received Received - Intake

Code Injection in IBM Langflow OSS

Vulnerability report for CVE-2026-9135, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: IBM Corporation

Description

IBM Langflow OSS 1.0.0 through 1.10.0 Langflow versions up to 1.9.2 (commit 94981c443d4918517b9e8163d70fc598dc33a32d) contain a code injection vulnerability in the Policies component's ToolGuard integration that bypasses the allow_custom_components=false security control. The vulnerability exists because the validation mechanism only checks the main component source code in node_template["code"]["value"] but fails to validate dynamic CodeInput fields that store generated ToolGuard Python files. Attackers can embed malicious Python code in these unvalidated dynamic fields, which are persisted in Flow.data and later executed server-side when a guarded tool is invoked through the ToolGuard runtime. This allows authenticated users with flow creation privileges to achieve arbitrary Python code execution on the backend despite custom component restrictions. The vulnerability can be escalated through cross-tenant flow manipulation via the agentic MCP update_flow_component_field tool, which accepts attacker-controlled user_id parameters, enabling attackers to inject malicious code into victim users' flows. When combined with publicly accessible flows and specific misconfigurations (AUTO_LOGIN=true, NEW_USER_IS_ACTIVE=true), the attack can be conducted with reduced authentication requirements.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
ibm langflow From 1.0.0 (inc) to 1.10.0 (inc)
ibm langflow to 1.9.2 (inc)
ibm langflow 1.10.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This is a code injection vulnerability in IBM Langflow OSS versions 1.0.0 through 1.10.0. It allows authenticated users with flow creation privileges to bypass security controls and execute arbitrary Python code on the backend. The flaw exists because dynamic CodeInput fields storing ToolGuard Python files are not validated, enabling attackers to embed malicious code in these fields.

Detection Guidance

Detecting this vulnerability requires checking Langflow versions and inspecting Flow.data for unvalidated CodeInput fields. Check installed versions with `pip show langflow` or `langflow --version`. Inspect Flow.data files for dynamic CodeInput fields containing Python code. Monitor server logs for unauthorized tool invocations or cross-tenant flow modifications via agentic MCP tools.

Impact Analysis

If exploited, this vulnerability could allow attackers to execute arbitrary code on the server hosting Langflow, potentially leading to data breaches, unauthorized access to sensitive information, or system compromise. Attackers could manipulate flows to gain control over backend operations.

Compliance Impact

This vulnerability could lead to non-compliance with GDPR and HIPAA by enabling unauthorized access to personal or health data. GDPR requires protection of personal data, while HIPAA mandates safeguards for protected health information. Exploitation could result in data breaches, triggering regulatory penalties and legal consequences.

Mitigation Strategies

Upgrade IBM Langflow to a version beyond 1.10.0 or apply the latest patch that addresses the code injection vulnerability in the Policies component. Review and restrict access to the agentic MCP update_flow_component_field tool to prevent unauthorized flow modifications. Disable dynamic CodeInput fields in ToolGuard integrations and validate all code execution paths server-side.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9135. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart