EXECUTIVE SUMMARY:
Multiple security vulnerabilities have been identified in IBM Langflow OSS, specifically in versions 1.0.0 through 1.9.3, which can lead to unauthenticated remote code execution and authorization bypass. These vulnerabilities pose a significant business risk as they can be exploited to gain unauthorized access to protected functions and data, potentially resulting in data breaches and other malicious activities.
• CVE-2026-10561 with a CVSS score of 10.0 – A remote code execution flaw in Langflow that allows an attacker to execute arbitrary code on the system, run OS commands and steal provider API keys. The vulnerability is caused by a missing trust boundary in the Python Interpreter component.
• CVE-2026-7664 with a CVSS score of 9.8 – An authorization flaw that allows unauthenticated users to reach protected project resources and run flows, because the affected handler trusts the caller and performs no credential check.
The overall risk and urgency of these vulnerabilities are high: both can be exploited to gain unauthorized access to sensitive data and systems, and a successful attack could result in data breaches and disruption of critical business operations. Addressing them should therefore be prioritized.
RECOMMENDATION:
We recommend updating Langflow OSS to version 1.9.4.
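The following is an added example, not code from IBM or the Langflow project, showing how a defender can triage an inventory of Langflow deployments against the affected range (1.0.0 through 1.9.3) and the fixed version (1.9.4) stated in this advisory. The inventory data and host names are constructed; the assumption that a pre-release build of 1.9.4 and an unparseable version string both count as affected is a conservative choice made here, not a statement from the advisory.

```python
import re
from typing import NamedTuple, Optional

# Version bounds taken from this advisory.
AFFECTED_MIN = (1, 0, 0)
AFFECTED_MAX = (1, 9, 3)
FIXED = (1, 9, 4)

# Accepts "1.9.3", "v1.9.3", "1.9.4rc1"; trailing text is treated as a pre-release marker.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(.*)$")


class VersionCheck(NamedTuple):
    host: str
    version: str
    affected: bool
    reason: str


def parse_version(version: str) -> Optional[tuple]:
    """Return (major, minor, patch, is_final_release) or None if unparseable."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        return None
    major, minor, patch, suffix = match.groups()
    return int(major), int(minor), int(patch), suffix == ""


def is_affected(version: str) -> tuple:
    """Classify one reported Langflow version against the advisory's range."""
    parsed = parse_version(version)
    if parsed is None:
        # Assumption: an unreadable version cannot be cleared, so flag it for review.
        return True, "unparseable version; treat as affected until verified"
    core, is_final = parsed[:3], parsed[3]
    if core < AFFECTED_MIN:
        return False, "older than the affected range"
    if core <= AFFECTED_MAX:
        return True, "inside affected range 1.0.0-1.9.3; upgrade to 1.9.4"
    if core == FIXED and not is_final:
        # Assumption: a pre-release of the fixed version may lack the fix.
        return True, "pre-release of 1.9.4; conservatively treated as affected"
    return False, "at or above fixed version 1.9.4"


def triage(inventory) -> list:
    """inventory: iterable of (host, version) pairs, e.g. from a CMDB export."""
    return [VersionCheck(host, ver, *is_affected(ver)) for host, ver in inventory]


# Constructed sample inventory (hosts and versions are made up for this example).
SAMPLE_INVENTORY = [
    ("langflow-prod-1", "1.9.3"),
    ("langflow-prod-2", "v1.9.4"),
    ("langflow-dev", "1.9.4rc1"),
    ("langflow-lab", "1.10.0"),
]
```

Hosts whose `affected` field is `True` are the ones the advisory's recommendation (update to 1.9.4) applies to.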
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/langflow-rce-vulnerability/