CVE-2026-8481

Severity CVSS v4.0:
Pending analysis
Type:
CWE-94 Code Injection
Publication date:
17/07/2026
Last modified:
17/07/2026

Description

IBM Langflow OSS 1.0.0 through 1.10.0 contain a critical remote code execution vulnerability in the code validation API endpoint. The POST /api/v1/validate/code endpoint accepts user-supplied Python code and executes it directly using Python's built-in exec() function without sandboxing, input validation, or privilege restrictions, enabling any authenticated user to execute arbitrary system commands with the full privileges of the Langflow server process.

References to Advisories, Solutions, and Tools