Impact
Langflow is a tool for building and deploying AI‑powered agents and workflows. Prior to version 1.9.2 its Shareable Playground feature permits unauthenticated users to trigger execution of public flows via the /api/v1/build_public_tmp endpoint. The flaw lies in the ability to supply arbitrary Python code in the data.nodes[X].data.node.template.code.value field of the JSON payload, allowing an attacker to run malicious code on the host and achieve full system compromise, a classic example of CWE‑94. This critical RCE vulnerability is fixed in version 1.9.2.
Affected Systems
The vulnerability affects any deployment of langflow‑ai Langflow that is at a version lower than 1.9.2. Any instance exposing the Shareable Playground or Public Flows functionality without authentication is susceptible, regardless of hosting environment.
Risk and Exploitability
The CVSS score of 9.6 indicates critical risk, while the EPSS score is not available, leaving the exact exploitation likelihood unclear. Since the flaw is exploitable without authentication and the endpoint is publicly reachable, attackers can craft a malicious request and trigger code execution. The vulnerability is not yet listed in CISA’s KEV catalog, but the high severity score warrants immediate attention.
OpenCVE Enrichment
Github GHSA