SYS::ONLINE
Wasteland.
Briefs1238
Issues19
SinceFeb 2026
LIVE
⚡ Active KEV CVE-2026-9135 2026-07-17

CVE-2026-9135: Critical Code Injection in IBM Langflow OSS ToolGuard

"IBM Langflow OSS contains a critical (CVSS 9.9) code injection flaw that lets authenticated users bypass custom-component restrictions and run arbitrary Python on the server."

IBM Langflow OSS contains a critical (CVSS 9.9) code injection flaw that lets authenticated users bypass custom-component restrictions and run arbitrary Python on the server.

What Is It

CVE-2026-9135 is a code injection vulnerability (CWE-94) in the Policies component's ToolGuard integration in IBM Langflow OSS. The allow_custom_components=false security control validates only the main component source code in node_template["code"]["value"], but fails to validate dynamic CodeInput fields that store generated ToolGuard Python files. Attackers can embed malicious Python in these unvalidated fields, which are persisted in Flow.data and later executed server-side when a guarded tool is invoked through the ToolGuard runtime.

Why It Matters

The flaw allows authenticated users with flow-creation privileges to achieve arbitrary Python code execution on the backend despite custom component restrictions. It carries a CVSS 3.1 base score of 9.9 (CRITICAL): network attack vector, low complexity, low privileges required, no user interaction, and a changed scope with high confidentiality, integrity, and availability impact. The vulnerability can be escalated through cross-tenant flow manipulation via the agentic MCP update_flow_component_field tool, which accepts attacker-controlled user_id parameters, letting attackers inject code into victim users' flows. Combined with publicly accessible flows and specific misconfigurations (AUTO_LOGIN=true, NEW_USER_IS_ACTIVE=true), the attack can be carried out with reduced authentication requirements.

What's Vulnerable

IBM Langflow OSS versions 1.0.0 up to and including 1.9.2 (commit 94981c443d4918517b9e8163d70fc598dc33a32d). The vulnerability was reported by IBM's PSIRT ([email protected]).

Patch Status

Refer to IBM's official support advisory (linked below) for remediation guidance. This CVE does not appear in the supplied CISA KEV data, so there is no confirmed record of active exploitation in that source at this time.

Sources