Impact
IBM Langflow OSS versions 1.0.0 through 1.10.0 contain a code injection flaw that allows an authenticated user to send a specially crafted request to the code validation endpoint, causing the server to execute arbitrary shell commands and read sensitive files such as credentials. The vulnerability is a classic OS command injection (CWE-94) and can directly lead to complete system compromise if the authenticated attacker gains sufficient privileges on the host.
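The following is an added illustration, not Langflow's or IBM's code, of the general pattern behind this class of flaw: a "validation" endpoint that checks submitted code by executing it, placed beside a validator that only parses it. The function names, the sample submissions and the SIDE_EFFECTS sentinel are constructed for the example; the sentinel stands in for any server-side effect the submission could cause.

```python
import ast

# Constructed sentinel: the sample submission appends to this list, so the
# list shows whether a validator actually ran the submitted code.
SIDE_EFFECTS = []


def exec_based_validate(source: str) -> dict:
    """Vulnerable pattern (hypothetical): 'validates' code by executing it.
    Every statement in the submission runs with the server's privileges,
    which is exactly the behaviour an injection flaw exploits."""
    try:
        exec(source, {"SIDE_EFFECTS": SIDE_EFFECTS})
        return {"valid": True, "errors": []}
    except Exception as exc:
        return {"valid": False, "errors": [str(exc)]}


def ast_based_validate(source: str) -> dict:
    """Hardened pattern: parse only. Reports syntax errors plus the modules
    imported and functions defined, without evaluating a single statement."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return {"valid": False,
                "errors": [f"line {exc.lineno}: {exc.msg}"],
                "imports": [], "functions": []}
    imports, functions = [], []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            imports.extend(alias.name for alias in node.names)
        elif isinstance(node, ast.ImportFrom):
            imports.append(node.module or "")
        elif isinstance(node, ast.FunctionDef):
            functions.append(node.name)
    return {"valid": True, "errors": [], "imports": imports, "functions": functions}


# Constructed sample submissions.
SUBMISSION = "import json\nSIDE_EFFECTS.append('ran on server')\ndef build():\n    return 1\n"
BROKEN = "def build(:\n    pass\n"
```

Both validators report SUBMISSION as valid, but only the exec-based one leaves "ran on server" in SIDE_EFFECTS; the AST-based one returns the same syntax verdict together with the imported module and function names while SIDE_EFFECTS stays empty, and it rejects BROKEN with a line-numbered syntax error.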
Affected Systems
Affected systems are IBM Langflow OSS products running any version from 1.0.0 up to and including 1.10.0. The disclosure covers the OSS releases distributed via PyPI, and the affected range is identified by the corresponding CPE strings for versions 1.0.0 and 1.10.0.
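An added example (not part of the advisory) for checking an inventory against the stated range. It compares versions numerically, because a lexical comparison orders "1.10.0" before "1.9.2" and would misclassify the last affected release; the inventory hosts and the handling of pre-release suffixes are constructed assumptions.

```python
from typing import Dict, Tuple

# Inclusive range from the advisory: 1.0.0 through 1.10.0.
AFFECTED_MIN = (1, 0, 0)
AFFECTED_MAX = (1, 10, 0)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.10.0' into (1, 10, 0). Numeric components compare as integers,
    so 1.10.0 correctly sorts after 1.9.2. A pre-release suffix such as
    '1.10.0rc1' keeps its numeric prefix (assumption: treat pre-releases
    like the release they precede, which errs on the side of flagging)."""
    parts = []
    for piece in version.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the version falls inside the inclusive affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def triage(inventory: Dict[str, str]) -> Dict[str, bool]:
    """Map host -> installed version to host -> affected flag."""
    return {host: is_affected(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "lf-dev-01": "1.9.2",
    "lf-prod-02": "1.10.0",
    "lf-lab-03": "1.10.1",
    "lf-old-04": "0.6.0",
}

if __name__ == "__main__":
    for host, flagged in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {'AFFECTED' if flagged else 'not affected'}")
```

The version string for each host would normally come from the package manager on that host (for example the output of `pip show langflow`); the triage itself only needs the string.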
Risk and Exploitability
The CVSS score of 9.9 reflects the high severity. The absence of an EPSS score indicates that exploitation-probability data has not yet been published, but that does not diminish the risk, because the flaw is fully exploitable once an attacker is authenticated. The vulnerability is not currently listed in the CISA KEV catalog. The attack vector requires authentication, so any attacker who obtains valid credentials can launch the exploit. Given the potential for arbitrary command execution and lateral movement, the risk is considered very high for any environment that hosts an affected Langflow OSS deployment.
OpenCVE Enrichment