Impact
The vulnerability allows an attacker to execute arbitrary Python code on the Langflow OSS server by manipulating the `tool_code` field of a public flow; the injected code runs server-side, in the Langflow process, when the flow is built. That foothold grants full read and write access to everything the Langflow database holds: secrets, flows, conversations, messages, file uploads and saved components. From the server the attacker can also reach internal services, query cloud instance-metadata endpoints for credentials, and move laterally to other tenants on the same instance. It also gives persistence: malicious code embedded in a flow runs on every subsequent build request from any user, not only the attacker's own.
Affected Systems
IBM Langflow OSS versions 1.0.0 through 1.9.3 are affected; the CNA recorded CPE entries for 1.0.0 and 1.9.3 as the endpoints of that range, and every deployed instance of a release inside it is exposed. The attack path is the public flow: anyone who can view or alter a public flow on the instance is a potential attacker, so deployments that expose public flows to unauthenticated or low-trust users carry the most risk.
Risk and Exploitability
With a CVSS base score of 10.0, the vulnerability is rated critical. No EPSS score has been published, so the current exploitation probability is unquantified, and it is not listed in CISA's KEV catalog; neither absence is evidence that it goes unexploited. The description implies that no authentication is needed: the public flow management interface is the entry point, and an attacker who can submit or modify a public flow obtains code execution, and from there full compromise of the instance, without credentials. Until the instance is patched, the practical checks are to confirm the running release against the affected range, restrict who can create or edit public flows, and audit stored flows for `tool_code` content that does more than the tool needs.
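As a practitioner's check, the following added example (not Langflow's own code, and not part of this advisory) does two things the page implies: it compares a reported release against the 1.0.0 to 1.9.3 range, and it scans exported flow JSON for `tool_code` fields carrying process, file, network or cloud-metadata indicators. The flow layout it walks (`data.nodes[].data.node.template.tool_code.value`) and the indicator list are assumptions; the sample flows are constructed inline so it runs offline.

```python
"""Triage helpers for the Langflow `tool_code` code-execution issue described above.

This is an added example, not Langflow's own code.  Assumptions (not from the
advisory):
  * exported flows are JSON with nodes under flow["data"]["nodes"], each node's
    component fields under node["data"]["node"]["template"], and a field's
    content under template[<field>]["value"];
  * a `tool_code` value is flagged when it touches process, file, socket or
    cloud-metadata capabilities.  The indicator list is a starting point, not
    a complete signature.
"""
import json
import re
from typing import Iterator

# Affected range recorded for this advisory (inclusive).
AFFECTED_MIN = (1, 0, 0)
AFFECTED_MAX = (1, 9, 3)

# Heuristic indicators of tool code that does more than compute a tool result.
SUSPICIOUS = re.compile(
    r"\b(?:import|from)\s+(?:os|subprocess|socket|shutil|ctypes|pty)\b"
    r"|\b(?:__import__|exec|eval|compile|open)\("
    r"|\b(?:urllib|requests|httpx)\b"
    r"|169\.254\.169\.254|metadata\.google\.internal"
)


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn '1.9.3', 'v1.9.3' or '1.9.3rc1' into a comparable (major, minor, patch)."""
    nums = re.findall(r"\d+", version)[:3]
    if len(nums) < 3:
        raise ValueError(f"unrecognised version string: {version!r}")
    return int(nums[0]), int(nums[1]), int(nums[2])


def is_affected(version: str) -> bool:
    """True when the running release falls inside the affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def iter_tool_code(flow: dict) -> Iterator[tuple[str, str]]:
    """Yield (node_id, tool_code) for every node that carries a tool_code field."""
    for node in flow.get("data", {}).get("nodes", []):
        template = node.get("data", {}).get("node", {}).get("template", {})
        field = template.get("tool_code")
        if isinstance(field, dict) and isinstance(field.get("value"), str):
            yield str(node.get("id", "<no id>")), field["value"]


def find_suspicious(flow: dict) -> list[dict]:
    """Return one record per node whose tool_code matches at least one indicator."""
    hits = []
    for node_id, code in iter_tool_code(flow):
        indicators = sorted({m.group(0) for m in SUSPICIOUS.finditer(code)})
        if indicators:
            hits.append({"node": node_id, "indicators": indicators})
    return hits


def _flow(flow_id: str, node_id: str, tool_code: str) -> dict:
    """Build a minimal flow document in the assumed export shape (constructed sample)."""
    return {
        "id": flow_id,
        "data": {"nodes": [{"id": node_id, "data": {"node": {"template": {
            "tool_code": {"type": "code", "value": tool_code}}}}}]},
    }


# Constructed sample flows: one harmless tool, one that spawns a process and
# reads the cloud instance-metadata service.
BENIGN_FLOW = _flow("flow-benign", "Tool-1",
                    "def greet(name: str) -> str:\n    return f'hello {name}'\n")
MALICIOUS_FLOW = _flow(
    "flow-hostile", "Tool-2",
    "import subprocess, urllib.request\n"
    "def run():\n"
    "    subprocess.check_output(['id'])\n"
    "    return urllib.request.urlopen('http://169.254.169.254/latest/meta-data/').read()\n",
)


def triage(version: str, flows: list[dict]) -> dict:
    """Combine the version check with a scan of every stored flow."""
    findings = {str(f.get("id", "?")): find_suspicious(f) for f in flows}
    return {
        "version": version,
        "affected_release": is_affected(version),
        "flagged_flows": {fid: hits for fid, hits in findings.items() if hits},
    }


if __name__ == "__main__":
    print(json.dumps(triage("1.9.3", [BENIGN_FLOW, MALICIOUS_FLOW]), indent=2))
```

Run it against a directory of exported flows (one `json.load` per file, passed to `triage`) and treat every flagged node as something to read by hand; the regex is deliberately broad, so expect some benign hits, but a flow nobody recognises that reaches for `subprocess` or the metadata address is exactly the persistence described in the Impact section.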
OpenCVE Enrichment