A critical remote code execution vulnerability in IBM Langflow OSS lets any authenticated user run arbitrary commands with the full privileges of the Langflow server process.
What Is It
CVE-2026-8481 is a critical (CVSS 3.1 base score 9.9) code injection flaw in IBM Langflow OSS, categorized as CWE-94. The vulnerability lives in the code validation API endpoint. The POST /api/v1/validate/code endpoint accepts user-supplied Python code and executes it directly using Python's built-in exec() function without sandboxing, input validation, or privilege restrictions. As a result, any authenticated user can execute arbitrary system commands with the full privileges of the Langflow server process.
Why It Matters
The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) reflects a network-reachable, low-complexity attack that requires only low-privilege authentication and no user interaction. The scope is marked as Changed, and the confidentiality, integrity, and availability impacts are all High; meaning a successful attack can compromise the underlying host beyond the vulnerable component. CISA's SSVC assessment records technical impact as total. Per the supplied data, exploitation is currently rated "none" and the flaw is not listed in the CISA KEV catalog, so there is no confirmed active exploitation at this time.
What's Vulnerable
IBM Langflow OSS versions 1.0.0 through 1.10.0 are affected (inclusive, per semver). The weakness is exploitable by authenticated users who can reach the /api/v1/validate/code endpoint.
Patch Status
IBM has published a security advisory for this vulnerability. Administrators should consult the IBM support page (referenced below) for remediation guidance and upgrade information. Given the network reach and total technical impact, restricting access to the validation endpoint and upgrading affected Langflow OSS deployments should be prioritized.
Sources
- IBM Security Bulletin (IBM PSIRT), https://www.ibm.com/support/pages/node/7278923
- NVD, CVE-2026-8481, https://nvd.nist.gov/vuln/detail/CVE-2026-8481