CVE-2026-0768
Published: 23 January 2026
Summary
CVE-2026-0768 is a critical-severity Code Injection (CWE-94) vulnerability in Langflow. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 21.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised as LLM Application Platforms, in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).
Deeper analysis
Langflow contains a remote code execution vulnerability that permits unauthenticated attackers to run arbitrary Python code on affected installations. The flaw lies in the validate endpoint, which accepts a user-supplied code parameter and passes it to a Python interpreter without sufficient validation, resulting in execution in the root context. The issue is tracked as CVE-2026-0768 with a CVSS score of 9.8 and was originally reported as ZDI-CAN-27322.
Remote attackers can exploit the weakness over the network without authentication or user interaction to achieve full code execution on the target system. Successful exploitation grants the ability to run commands, access or modify data, and potentially take complete control of the affected host.
The EPSS score for this CVE rose to a peak of 0.0973 on 2026-05-25 before receding to the current 0.0428, indicating a period of increased exploitation interest after disclosure. The primary public reference is the Zero Day Initiative advisory at https://www.zerodayinitiative.com/advisories/ZDI-26-034/.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4453
Vulnerability details
Langflow code Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the code parameter provided to the validate endpoint. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27322.
- CWE(s): CWE-94 (Code Injection)
AI Security Analysis
- AI Category: LLM Application Platforms
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: langflow
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of the user-supplied code parameter before it is passed to the Python interpreter, blocking the injection that leads to unauthenticated RCE.
- Least privilege for the service process: limits the validate endpoint process to non-root privileges so that successful code execution cannot immediately grant full system control.
- AC-3 (Access Enforcement): enforces access-control policy on the validate endpoint so that unauthenticated remote callers cannot reach the code-execution path at all.
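The bug class described in the Deeper analysis section and the SI-10 control above, shown as an added illustration (this is not Langflow's code): a "validate" endpoint that checks submitted Python by executing it, beside a version that only parses it. The function names, the `SIDE_EFFECTS` marker list and the size limit are constructed for the example.

```python
"""Constructed illustration of the CVE-2026-0768 bug class: validating
user-supplied Python by *running* it, beside a parse-only check.
Names here (validate_by_exec, validate_by_parse, SIDE_EFFECTS) are
hypothetical and are not Langflow's API."""
import ast
from dataclasses import dataclass, field

MAX_CODE_BYTES = 64 * 1024        # input bound for the hardened path (assumed value)
SIDE_EFFECTS: list[str] = []      # records whether submitted code actually ran


@dataclass
class ValidationResult:
    ok: bool
    errors: list[str] = field(default_factory=list)


def validate_by_exec(code: str) -> ValidationResult:
    """Anti-pattern: 'validating' by executing the string. Whatever the caller
    submits runs with the service's privileges (root, per the advisory)."""
    try:
        exec(code, {"SIDE_EFFECTS": SIDE_EFFECTS})  # deliberately unsafe
        return ValidationResult(True)
    except Exception as exc:  # syntax and runtime errors alike
        return ValidationResult(False, [f"{type(exc).__name__}: {exc}"])


def validate_by_parse(code: str) -> ValidationResult:
    """Hardened: bound the input, then check syntax with ast.parse, which builds
    an AST and never executes the submitted code. The endpoint that calls this
    should additionally require authentication (AC-3) and run as non-root."""
    if len(code.encode()) > MAX_CODE_BYTES:
        return ValidationResult(False, ["code exceeds size limit"])
    try:
        ast.parse(code, filename="<submitted>")
    except SyntaxError as exc:
        return ValidationResult(False, [f"line {exc.lineno}: {exc.msg}"])
    except ValueError as exc:   # e.g. null bytes in the source text
        return ValidationResult(False, [str(exc)])
    return ValidationResult(True)


if __name__ == "__main__":
    # Constructed sample: valid syntax with an observable side effect.
    sample = "SIDE_EFFECTS.append('ran')"
    print(validate_by_exec(sample), SIDE_EFFECTS)     # side effect happened
    SIDE_EFFECTS.clear()
    print(validate_by_parse(sample), SIDE_EFFECTS)    # [] : nothing ran
    print(validate_by_parse("def broken(:\n  pass"))  # syntax error reported
```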