Cyber Resilience

CVE-2026-0770

Critical

Published: 23 January 2026

Published
23 January 2026
Modified
18 February 2026
KEV Added
Patch
CVSS Score v3 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.1037 95.1th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-0770 is a critical-severity Inclusion of Functionality from Untrusted Control Sphere (CWE-829) vulnerability in Langflow Langflow. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 4.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the LLM/Generative AI Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-0770 is a remote code execution vulnerability in Langflow stemming from inclusion of functionality from an untrusted control sphere. The flaw resides in the validate endpoint's handling of the exec_globals parameter and permits unauthenticated attackers to supply an external resource that results in arbitrary code execution with root privileges. The issue carries a CVSS 3.0 base score of 9.8 and is tracked under CWE-829; it was originally reported as ZDI-CAN-27325.

An unauthenticated remote attacker can send a crafted request to the validate endpoint that references attacker-controlled content via the exec_globals parameter. Successful exploitation grants code execution in the context of the root user on the affected Langflow installation without requiring any user interaction or prior authentication.

The sole reference points to the Zero Day Initiative advisory ZDI-26-036, which documents the vulnerability and is the authoritative source for any vendor-supplied fixes or workarounds.

EPSS for the CVE reached a peak of 0.1465 after disclosure before settling at the current value of 0.1201, indicating a clear rise in predicted exploitation interest following public release.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Langflow exec_globals Inclusion of Functionality from Untrusted Control Sphere Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within…

more

the handling of the exec_globals parameter provided to the validate endpoint. The issue results from the inclusion of a resource from an untrusted control sphere. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27325.

CWE(s)

AI Security AnalysisAI

AI Category
LLM Application Platforms
Risk Domain
LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: langflow

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.006 Python Execution
Adversaries may abuse Python commands and scripts for execution.
Why these techniques?

Direct unauthenticated RCE on public-facing Langflow web app via crafted validate endpoint requests enables T1190; arbitrary Python code execution via exec_globals maps to T1059.006.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33017Same product: Langflow Langflow
CVE-2026-33873Same product: Langflow Langflow
CVE-2026-27966Same product: Langflow Langflow
CVE-2026-21445Same product: Langflow Langflow
CVE-2026-7524Same product: Langflow Langflow
CVE-2026-33309Same product: Langflow Langflow
CVE-2026-33484Same product: Langflow Langflow
CVE-2026-42048Same product: Langflow Langflow
CVE-2026-33497Same product: Langflow Langflow
CVE-2025-34291Same product: Langflow Langflow

Affected Assets

langflow
langflow
1.4.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces authentication and authorization on the validate endpoint so that unauthenticated attackers cannot supply the exec_globals parameter.

prevent

Requires validation of the exec_globals input to reject references to resources from untrusted control spheres before code execution occurs.

prevent

Restricts the system to only the functionality required, disabling or sandboxing the exec_globals capability that enables the RCE.

References