CVE-2026-0770
Published: 23 January 2026
Summary
CVE-2026-0770 is a critical-severity Inclusion of Functionality from Untrusted Control Sphere (CWE-829) vulnerability in Langflow Langflow. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 4.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as LLM Application Platforms; in the LLM/Generative AI Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-0770 is a remote code execution vulnerability in Langflow stemming from inclusion of functionality from an untrusted control sphere. The flaw resides in the validate endpoint's handling of the exec_globals parameter and permits unauthenticated attackers to supply an external resource that results in arbitrary code execution with root privileges. The issue carries a CVSS 3.0 base score of 9.8 and is tracked under CWE-829; it was originally reported as ZDI-CAN-27325.
An unauthenticated remote attacker can send a crafted request to the validate endpoint that references attacker-controlled content via the exec_globals parameter. Successful exploitation grants code execution in the context of the root user on the affected Langflow installation without requiring any user interaction or prior authentication.
The sole reference points to the Zero Day Initiative advisory ZDI-26-036, which documents the vulnerability and is the authoritative source for any vendor-supplied fixes or workarounds.
EPSS for the CVE reached a peak of 0.1465 after disclosure before settling at the current value of 0.1201, indicating a clear rise in predicted exploitation interest following public release.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4466
Vulnerability details
Langflow exec_globals Inclusion of Functionality from Untrusted Control Sphere Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within…
more
the handling of the exec_globals parameter provided to the validate endpoint. The issue results from the inclusion of a resource from an untrusted control sphere. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27325.
- CWE(s)
AI Security AnalysisAI
- AI Category
- LLM Application Platforms
- Risk Domain
- LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: langflow
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct unauthenticated RCE on public-facing Langflow web app via crafted validate endpoint requests enables T1190; arbitrary Python code execution via exec_globals maps to T1059.006.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces authentication and authorization on the validate endpoint so that unauthenticated attackers cannot supply the exec_globals parameter.
Requires validation of the exec_globals input to reject references to resources from untrusted control spheres before code execution occurs.
Restricts the system to only the functionality required, disabling or sandboxing the exec_globals capability that enables the RCE.