PT-2026-60865 · Ibm · Langflow Oss
CVSS v3.1
9.9
Critical
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
IBM Langflow OSS versions 1.0.0 through 1.10.0
Description
An issue exists in the code validation API endpoint that allows authenticated users to execute arbitrary system commands with the full privileges of the server process. The endpoint 'POST /api/v1/validate/code' accepts user-supplied Python code and executes it using the
exec() function without sandboxing, input validation, or privilege restrictions.Recommendations
Update IBM Langflow OSS to a version later than 1.10.0.
As a temporary mitigation, restrict access to the 'POST /api/v1/validate/code' endpoint.
Fix
RCE
Code Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Langflow Oss