Description
AgentFlow contains an arbitrary code execution vulnerability that allows attackers to execute local Python pipeline files by supplying a user-controlled pipeline_path parameter to the POST /api/runs and POST /api/runs/validate endpoints. Attackers can induce requests to the local AgentFlow API to load and execute existing Python pipeline files on disk, resulting in code execution in the context of the user running AgentFlow.
Published: 2026-04-29
Score: 7.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

AgentFlow allows an attacker to execute arbitrary Python code by controlling the pipeline_path value sent to the POST /api/runs and POST /api/runs/validate endpoints. The supplied path causes AgentFlow to load and run a Python file from disk, thereby executing code in the context of the AgentFlow service account. This can lead to full compromise of the host system if the service runs with elevated privileges. The weakness is a classic code injection flaw (CWE‑94).

Affected Systems

The affected product is AgentFlow from berabuddies. No specific version, build, or release information was provided, so any installation that exposes the /api/runs endpoints and accepts user‑controlled pipeline_path values is potentially vulnerable.

Risk and Exploitability

The CVSS score of 7.7 indicates high severity. EPSS is not available, but where no mitigations such as restricted API access are in place, the probability of exploitation is non‑negligible. The vulnerability is not listed in CISA KEV, but it is exploitable if the AgentFlow API is reachable from an attacker's network or by local users. The typical attack path involves a crafted API request whose pipeline_path value points to a Python file stored locally. If an attacker can write such a file on the host, they can execute any code with the AgentFlow user's privileges.

Generated by OpenCVE AI on April 29, 2026 at 21:09 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the security fix committed in the pull request at https://github.com/berabuddies/agentflow/pull/18, which removes or sanitizes the pipeline_path processing logic.
  • If the patch cannot be applied immediately, restrict network exposure of the AgentFlow API or disable the POST /api/runs and POST /api/runs/validate endpoints so that no external or local requests can supply a pipeline_path.
  • When operating in an environment where the API must remain exposed, ensure that only trusted users can write to the directories that may contain Python pipeline files, and enforce file‑system permissions so that the AgentFlow service user cannot read arbitrary user‑supplied files.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 19:00:00 +0000

Values Removed: (none listed)
Values Added:
  Description: AgentFlow contains an arbitrary code execution vulnerability that allows attackers to execute local Python pipeline files by supplying a user-controlled pipeline_path parameter to the POST /api/runs and POST /api/runs/validate endpoints. Attackers can induce requests to the local AgentFlow API to load and execute existing Python pipeline files on disk, resulting in code execution in the context of the user running AgentFlow.
  Title: AgentFlow Arbitrary Python Pipeline Execution via pipeline_path
  Weaknesses: CWE-94
  References
  Metrics:
    cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
    cvssV4_0: {'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-29T18:44:07.292Z

Reserved: 2026-04-29T18:30:53.906Z

Link: CVE-2026-7466

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-29T19:16:27.013

Modified: 2026-04-29T19:16:27.013

Link: CVE-2026-7466

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T21:15:16Z

Weaknesses