CVE-2026-0770
published 2026-01-23


Priority: P1 (91)
Severity: critical, CVSS 3.0 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploitation status: ITW (exploited in the wild), public exploit, VulnCheck KEV, initial access
EPSS: 10.37% (95.2th percentile)
Langflow exec_globals Inclusion of Functionality from Untrusted Control Sphere Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the exec_globals parameter provided to the validate endpoint. The issue results from the inclusion of a resource from an untrusted control sphere. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27325.

Affected (2 ranges)

Vendor    Product   Version range   Fixed in
langflow  langflow  -               -
langflow  langflow  0 – 1.7.3       -

Detection & IOCs (extracted from sources)

url: /api/v1/validate/code
url: /api/v1/auto_login
url: /api/v1/login
port: 7860
command: POST /api/v1/validate/code HTTP/1.1 Host: {{Hostname}} Content-Type: application/json Authorization: Bearer {{token}} {"code":"\ndef exploit(\n _=( lambda r: (_ for _ in ()).throw(Exception(f\"OUTPUT:\\n{r.stdout}{r.stderr}\")) )(\n __import__('subprocess').run('cat /etc/passwd', shell=True, capture_output=True, text=True)\n )\n):\n pass\n"}
version: Langflow 1.3.0
rule (Nuclei template excerpt):
id: CVE-2026-0770
info:
  name: Langflow < 1.3.0 - Remote Code Execution via validate_code() exec()
  author: affix
  severity: critical
  tags: cve,cve2026,langflow,rce,authenticated,vuln,vkev

• Monitor for POST requests to /api/v1/validate/code containing '__import__' or 'subprocess' in the JSON body, which is the exploit payload pattern used to achieve RCE via the exec_globals parameter.
• Detect unauthenticated exploitation attempts by monitoring GET requests to /api/v1/auto_login followed immediately by POST requests to /api/v1/validate/code; this two-step sequence is the unauthenticated RCE attack chain.
• Alert on Authorization headers using the misspelled bearer scheme 'Bearare' (not 'Bearer'), which is a fingerprint of the known exploit tool for CVE-2026-0770.
• The Nuclei PoC template matches a successful exploit by checking the HTTP response body for the regex 'root:.*:0:0:' (contents of /etc/passwd), indicating confirmed RCE as root.
• Authentication is not required to exploit this vulnerability; Langflow enables unauthenticated auto-login by default, so a single unauthenticated request is sufficient to obtain a valid session token before proceeding with exploitation.
• The vulnerable endpoint is /api/v1/validate/code; the flaw exists within the handling of the exec_globals parameter provided to the validate endpoint, allowing inclusion of functionality from an untrusted control sphere.
• The exploit works without authentication only when Langflow's auto-login feature is enabled (the default configuration). If auto-login is disabled, credentials are required, reducing the attack surface.
• Successful exploitation results in code execution in the context of root, meaning the Langflow process itself runs as root: a significant privilege escalation risk that amplifies impact.
• The exploit script defaults to the 'id' command if no command is specified, and the PoC template uses 'cat /etc/passwd'; defenders should watch for these specific commands in process trees spawned by Langflow.
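The detection notes above describe four indicators: payload markers in the body of a POST to /api/v1/validate/code, a GET /api/v1/auto_login followed shortly by that POST from the same client, the misspelled 'Bearare' authorization scheme, and the 'root:.*:0:0:' response matcher. The script below is an added example (not code from the source page or from the Langflow project) that applies all four rules to structured request records. The record layout, the 60-second chain window and the sample records are constructed for this example; real deployments would feed it from a reverse-proxy or WAF log that captures request bodies.

```python
"""Indicator rules for CVE-2026-0770 applied to request records (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

VALIDATE_PATH = "/api/v1/validate/code"
AUTO_LOGIN_PATH = "/api/v1/auto_login"
PAYLOAD_MARKERS = ("__import__", "subprocess")
PASSWD_RE = re.compile(r"root:.*:0:0:")  # the Nuclei template's success matcher
CHAIN_WINDOW_SECONDS = 60                 # assumption: max gap for the two-step chain


@dataclass
class Request:
    """One HTTP request as a log collector might record it (constructed layout)."""
    ts: float                               # unix timestamp
    src: str                                # client address
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""
    response_body: str = ""                 # only used by the confirmation rule


def _header(req: Request, name: str) -> str:
    """Case-insensitive header lookup; empty string when the header is absent."""
    for key, value in req.headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def detect(requests: List[Request]) -> List[dict]:
    """Apply the four indicator rules; return one alert per match, in time order."""
    alerts: List[dict] = []
    last_auto_login: Dict[str, float] = {}  # src -> timestamp of last GET auto_login

    def alert(rule: str, req: Request) -> None:
        alerts.append({"rule": rule, "src": req.src, "ts": req.ts, "path": req.path})

    for req in sorted(requests, key=lambda r: r.ts):
        # Rule: misspelled bearer scheme fingerprinting the known exploit tool.
        scheme = _header(req, "Authorization").split(" ", 1)[0]
        if scheme == "Bearare":
            alert("bearare-scheme", req)

        # Rule (first half): remember per-client token acquisition via auto_login.
        if req.method == "GET" and req.path == AUTO_LOGIN_PATH:
            last_auto_login[req.src] = req.ts
            continue

        if req.method == "POST" and req.path == VALIDATE_PATH:
            # Rule: payload markers in the JSON body sent to the vulnerable endpoint.
            if any(marker in req.body for marker in PAYLOAD_MARKERS):
                alert("validate-code-payload", req)
            # Rule (second half): auto_login then validate/code from the same client.
            prev = last_auto_login.get(req.src)
            if prev is not None and 0 <= req.ts - prev <= CHAIN_WINDOW_SECONDS:
                alert("auto-login-chain", req)
            # Rule: /etc/passwd content echoed in the response confirms execution.
            if PASSWD_RE.search(req.response_body):
                alert("passwd-in-response", req)
    return alerts


# Constructed sample traffic: one benign client and one client running the chain.
SAMPLE_REQUESTS = [
    Request(100.0, "198.51.100.7", "GET", "/api/v1/flows",
            {"Authorization": "Bearer constructed-token"}),
    Request(101.0, "203.0.113.9", "GET", AUTO_LOGIN_PATH),
    Request(102.5, "203.0.113.9", "POST", VALIDATE_PATH,
            {"Authorization": "Bearare constructed-token",
             "Content-Type": "application/json"},
            body='{"code": "import subprocess"}',
            response_body="OUTPUT:\nroot:x:0:0:root:/root:/bin/bash\n"),
    # Legitimate use of the endpoint: a developer validating ordinary code.
    Request(300.0, "198.51.100.7", "POST", VALIDATE_PATH,
            {"Authorization": "Bearer constructed-token"},
            body='{"code": "def add(a, b):\\n    return a + b"}',
            response_body='{"imports": {"errors": []}, "function": {"errors": []}}'),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_REQUESTS):
        print(f"{a['ts']:>7.1f} {a['src']:<14} {a['rule']:<22} {a['path']}")
```

The benign POST at the end exercises the false-positive side: a normal validation call without auto_login, without payload markers and with a correct bearer scheme raises nothing, while the chained client trips all four rules on its single POST. The window constant is an assumption to tune against real traffic.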

CVSS provenance

nvd: v3.0, 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL
vendor_redhat: 6.8 MEDIUM