Description
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.2, the "Shareable Playground" (or "Public Flows" in code) contains a critical RCE vulnerability. Shareable Playground feature works by enabling the execution of workflows by unauthenticated users, by accessing a link. Specifically, it enables the route /api/v1/build_public_tmp to execute any public flow, given a public flow ID. When the route executes the flow, it allows for providing arbitrary custom Python code as the nodes code, inside the JSON payload. The vulnerable field is data.nodes[X].data.node.template.code.value. This vulnerability is fixed in 1.9.2.
Published: 2026-06-23
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Langflow is a tool for building and deploying AI‑powered agents and workflows. Prior to version 1.9.2 its Shareable Playground feature permits unauthenticated users to trigger execution of public flows via the /api/v1/build_public_tmp endpoint. The flaw lies in the ability to supply arbitrary Python code in the data.nodes[X].data.node.template.code.value field of the JSON payload, allowing an attacker to run malicious code on the host and achieve full system compromise, a classic example of CWE‑94. This critical RCE vulnerability is fixed in version 1.9.2.

Affected Systems

The vulnerability affects any deployment of langflow‑ai Langflow that is at a version lower than 1.9.2. Any instance exposing the Shareable Playground or Public Flows functionality without authentication is susceptible, regardless of hosting environment.

Risk and Exploitability

The CVSS score of 9.6 indicates critical risk, while the EPSS score is not available, leaving the exact exploitation likelihood unclear. Since the flaw is exploitable without authentication and the endpoint is publicly reachable, attackers can craft a malicious request and trigger code execution. The vulnerability is not yet listed in CISA’s KEV catalog, but the high severity score warrants immediate attention.

Generated by OpenCVE AI on June 24, 2026 at 11:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to Langflow 1.9.2 or later to remove the flaw
  • Disable or protect the Shareable Playground – require authentication before allowing workflow execution
  • If immediate patching is not possible, remove public flow functionality or block the /api/v1/build_public_tmp endpoint entirely

Generated by OpenCVE AI on June 24, 2026 at 11:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-v5ff-9q35-q26f Langflow: Unauthenticated RCE in Shareable Playgrounds
History

Wed, 24 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Langflow
Langflow langflow
Vendors & Products Langflow
Langflow langflow

Tue, 23 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.2, the "Shareable Playground" (or "Public Flows" in code) contains a critical RCE vulnerability. Shareable Playground feature works by enabling the execution of workflows by unauthenticated users, by accessing a link. Specifically, it enables the route /api/v1/build_public_tmp to execute any public flow, given a public flow ID. When the route executes the flow, it allows for providing arbitrary custom Python code as the nodes code, inside the JSON payload. The vulnerable field is data.nodes[X].data.node.template.code.value. This vulnerability is fixed in 1.9.2.
Title Langflow: Unauthenticated RCE in Shareable Playgrounds
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}


Subscriptions

Langflow Langflow
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T03:56:21.994Z

Reserved: 2026-05-21T16:18:10.619Z

Link: CVE-2026-48519

cve-icon Vulnrichment

Updated: 2026-06-23T17:02:15.648Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:00:06Z

Weaknesses
  • CWE-94

    Improper Control of Generation of Code ('Code Injection')