PT-2026-60865 · Ibm · Langflow Oss

·

CVE-2026-8481

·

Published

2026-07-17

·

Updated

2026-07-18

CVSS v3.1

9.9

Critical

VectorAV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions IBM Langflow OSS versions 1.0.0 through 1.10.0
Description An issue exists in the code validation API endpoint that allows authenticated users to execute arbitrary system commands with the full privileges of the server process. The endpoint 'POST /api/v1/validate/code' accepts user-supplied Python code and executes it using the exec() function without sandboxing, input validation, or privilege restrictions.
Recommendations Update IBM Langflow OSS to a version later than 1.10.0. As a temporary mitigation, restrict access to the 'POST /api/v1/validate/code' endpoint.

Fix

RCE

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-8481

Affected Products

Langflow Oss