Vulnerability Overview
CVE-2026-0772 — Disk-Cache Deserialization Remote Code Execution
- Severity: High
- CVSS Score: 7.5
- Type: Unsafe deserialization leading to remote code execution
- Requires: Authenticated access to the application or ability to write to cache
This issue exists because Langflow’s disk cache system accepts serialized data and then reconstructs objects from that data without verifying that it is safe. If an attacker can upload or manipulate a cache file with a specially crafted serialized payload, they can cause Langflow to execute arbitrary code when that cache entry is read.
CVE-2026-0771 — PythonFunction Component Code Injection Remote Code Execution
- Severity: High
- CVSS Score: 7.1
- Type: Code injection via user-supplied Python function
- Requires: Authenticated interaction with the PythonFunction component
Langflow allows users to define Python functions inside flows. The vulnerability occurs because this user-provided code is not properly isolated or sanitized. An attacker with basic access can insert malicious Python code that gets executed by the application — effectively giving them the ability to run commands, read files, or do anything the service account is permitted to do.
How These Vulnerabilities Can Be Exploited
CVE-2026-0772 — Unsafe Deserialization
- An attacker authenticates with valid credentials to Langflow.
- They upload or create a cache entry in a way that stores a crafted serialized object.
- When the application later reads that cache entry, the deserialization process reconstructs the object and inadvertently executes malicious code embedded in it.
- Because this runs as the Langflow process user, full control of that process is possible.
It is not a blind remote exploit: the attacker needs a way to store malicious cache content. In many deployments that may mean simply having a valid user account or overcoming weak access controls.
CVE-2026-0771 — PythonFunction Code Injection
- The attacker logs into Langflow and creates or edits a workflow that contains a PythonFunction.
- They insert harmful Python code — for example system commands, file reads, or network functions — within that component.
- When the workflow runs, the malicious code executes on the server.
- This allows full execution with privileges of the Langflow service.
Unlike the deserialization issue, this vulnerability exists at the interface where users define executable components. Because user code is not properly isolated, running arbitrary instructions is straightforward.
What an Attacker Can Do After Exploitation
Once either vulnerability is successfully exploited, an attacker can:
- Run arbitrary commands on the server under the Langflow process account.
- Read configuration files, including tokens or API keys stored in environment variables.
- Modify or drop files, plant backdoors, or inject further malicious workflows.
- Use harvested credentials to access internal services, cloud APIs, databases, or other resources.
- Move laterally in the environment by reaching out to additional hosts or services.
This is not just about one server being compromised. Code execution inside an orchestration platform is extremely powerful, making this a high-priority risk.
Proof of Concept (PoC) / Exploitation Status
At the time of the vulnerability advisory:
- There is no widely published, official public PoC script that anyone can copy/paste to exploit these issues.
- However, the detailed descriptions make clear how to construct malicious payloads.
- In real-world testing, security teams have successfully built proofs of concept internally using crafted serialized data and injected Python code.
For educational purposes only, exploitation follows the general patterns described above: malicious serialized objects for the cache vulnerability, and unsafe user function definitions for the PythonFunction vulnerability.
How to Detect Exploitation or Suspicious Activity
Application & Behavior Indicators
- Unexpected serialized data being written or read from the cache directories.
- Application errors or stack traces showing deserialization functions dealing with unexpected content.
- Workflows containing PythonFunction components with suspicious code (e.g., system calls, file operations not expected in normal use).
- Sudden creation of new files or scripts in the Langflow installation directories.
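To check cache entries for unexpected serialized content without loading them, the following added example (not from the advisory or the Langflow project) walks a file's pickle opcode stream with Python's pickletools and reports any import or call opcode. It assumes cache entries are expected to hold plain data only. The sample blobs are constructed and benign, and the legacy one shows that a pickle does not have to start with the bytes 80 04.

```python
import collections
import pickle
import pickletools

# Opcodes that import a callable, invoke one, or read a name back from the memo.
IMPORT_OPS = {"GLOBAL", "STACK_GLOBAL", "INST"}
CALL_OPS = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}
MEMO_READS = {"GET", "BINGET", "LONG_BINGET"}


def scan_pickle(data: bytes) -> dict:
    """Statically walk the opcode stream; nothing is ever unpickled."""
    report = {"globals": [], "calls": False, "malformed": False}
    strings = []  # recent string pushes, used to resolve STACK_GLOBAL
    try:
        for op, arg, _pos in pickletools.genops(data):
            if isinstance(arg, str) and op.name not in IMPORT_OPS:
                strings.append(arg)
            elif op.name in MEMO_READS:
                strings.append("<memo>")  # name hidden behind the memo table
            if op.name in ("GLOBAL", "INST"):
                module, _, name = arg.partition(" ")
                report["globals"].append((module, name))
            elif op.name == "STACK_GLOBAL":
                module, name = (["?", "?"] + strings)[-2:]
                report["globals"].append((module, name))
            if op.name in CALL_OPS:
                report["calls"] = True
    except Exception:  # truncated or non-pickle bytes
        report["malformed"] = True
    return report


def is_suspicious(data: bytes) -> bool:
    """Policy assumption: cache entries hold plain data, so any import is flagged."""
    r = scan_pickle(data)
    return bool(r["globals"]) or r["calls"] or r["malformed"]


# Constructed samples (benign): plain data, a protocol-4 object, a protocol-0 object.
PLAIN = pickle.dumps({"a": 1, "b": [1, 2]}, protocol=4)
MODERN = pickle.dumps(collections.OrderedDict(a=1), protocol=4)
LEGACY = b"ccollections\nOrderedDict\n)R."  # no 0x80 PROTO header at all

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN), ("modern", MODERN), ("legacy", LEGACY)):
        print(label, blob[:2] == b"\x80\x04", scan_pickle(blob))
```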
Log Sources to Monitor
- Web server logs (nginx/uvicorn): unusual POST/PUT to endpoints that accept flows, functions, or cache uploads.
- Langflow application logs: tracebacks around deserialization routines or Python code execution entries.
- Host process logs: process spawning evidence where the Langflow service spawns unexpected child processes.
- Audit logs: file creation/modification of scripts or scheduled jobs.
Suricata Detection Rules
Below are example rules to use with Suricata IDS/IPS to spot suspicious traffic that may indicate exploitation attempts:
1. Detect suspicious HTTP POSTs to likely upload endpoints
alert http any any -> any any (msg:"LANGFLOW Suspicious POST - Cache or PythonFunction Upload"; \
http.method; content:"POST"; http.uri; pcre:"/(cache|pythonfunction|flows)/i"; \
content:"pickle"; nocase; sid:1001001; rev:1; priority:1;)
2. Detect serialized Python pickle content in web POST bodies
alert http any any -> any any (msg:"LANGFLOW Suspicious Serialized Payload Detected"; \
http.client_body; content:"|80 04|"; depth:2; sid:1001002; rev:1; priority:2;)
3. Detect potentially harmful Python code patterns in request bodies
alert http any any -> any any (msg:"LANGFLOW User Python Code with OS/Shell Commands"; \
http.client_body; pcre:"/(os\.system|subprocess\.Popen|exec\(|eval\()/"; sid:1001003; rev:1; priority:2;)
Recommendations for Detection and Monitoring
To increase your chances of spotting exploitation:
- Enable detailed application logging so that serialization operations and workflow definitions are logged.
- Capture full request bodies at your web load balancer or reverse proxy, and inspect them with IDS/IPS.
- Monitor for unexpected process creation on hosts where Langflow runs.
- Review workflow definitions regularly to ensure no unauthorized Python code was inserted.
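One way to automate the workflow review, as an added example that is not part of the advisory or of Langflow: it parses every string in an exported flow with Python's ast module and reports risky imports and calls, so aliased and from-style imports are reported as well. The module and call lists and the sample flow's structure are assumptions made for illustration; the walker does not depend on any particular flow schema.

```python
import ast

# Assumed policy lists; tune them to what your flows legitimately use.
RISKY_MODULES = {"os", "subprocess", "socket", "shutil", "ctypes"}
RISKY_CALLS = {"eval", "exec", "compile", "__import__", "open"}


def audit_code(source: str) -> list:
    """Return findings for one code string, using the syntax tree."""
    try:
        tree = ast.parse(source)
    except (SyntaxError, ValueError):
        return []  # not Python source; nothing to audit
    findings = []
    for node in ast.walk(tree):
        mods = []
        if isinstance(node, ast.Import):
            mods = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            mods = [node.module or ""]
        findings += [f"import:{m}" for m in mods if m.split(".")[0] in RISKY_MODULES]
        if isinstance(node, ast.Call) and getattr(node.func, "id", None) in RISKY_CALLS:
            findings.append(f"call:{node.func.id}")
    return sorted(set(findings))


def audit_flow(flow) -> dict:
    """Walk every string in a decoded flow export and map its path to findings."""
    results = {}
    def walk(value, path):
        if isinstance(value, dict):
            for key, child in value.items():
                walk(child, f"{path}/{key}")
        elif isinstance(value, list):
            for i, child in enumerate(value):
                walk(child, f"{path}/{i}")
        elif isinstance(value, str) and (hits := audit_code(value)):
            results[path] = hits
    walk(flow, "")
    return results


# Constructed sample; the "nodes"/"code" layout is hypothetical, not Langflow's schema.
SAMPLE_FLOW = {"nodes": [
    {"id": "fn-1", "code": "def run(x):\n    return x.upper()"},
    {"id": "fn-2", "code": "from subprocess import run as r\nr(['echo', 'hi'])"},
]}
```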
Mitigation & Hardening Steps
Before patching:
- Restrict access to Langflow to trusted networks only.
- Limit who can upload workflows or PythonFunction components.
- Remove write access to cache directories for any untrusted accounts.
- Use egress filtering to block unexpected network connections from the Langflow host.
- Run the Langflow service with the least privilege necessary (container, limited OS account).
Official Patch / Upgrade Link
Upgrade Langflow to the latest patched release here:
👉 Official Langflow Releases and Patches:
https://github.com/langflow-ai/langflow/releases
Follow the project’s upgrade notes and install the minimum version that includes fixes for CVE-2026-0772 and CVE-2026-0771.
Final Takeaway
Both of these vulnerabilities let someone with valid access trick Langflow into running code that shouldn’t be there. One does it by feeding unsafe stored data to the system, and the other by slipping bad Python code into a workflow. Because the result is full control of the Langflow application process, and potentially access to sensitive data or other systems, you should patch first, then monitor and harden your deployment. Detection depends on noticing unexpected serialized content, unsafe Python constructs, or unusual traffic and process behavior.
