Back to CVE List

CVE-2026-8481

CRITICAL SEVERITY

CVSS Score & Metrics

Base Score
9.9 / 10
Vector String
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Vulnerability Description

IBM Langflow OSS 1.0.0 through 1.10.0 contain a critical remote code execution vulnerability in the code validation API endpoint. The POST /api/v1/validate/code endpoint accepts user-supplied Python code and executes it directly using Python's built-in exec() function without sandboxing, input validation, or privilege restrictions, enabling any authenticated user to execute arbitrary system commands with the full privileges of the Langflow server process.

Vulnerability Details

Published Date
Last Modified
CWE ID
CWE-94
Source
NVD

External References

Discussion (0)

Add Comment

No comments yet. Be the first!