IBM Langflow OSS contains a critical (CVSS 9.9) code injection flaw that lets authenticated users bypass custom-component restrictions and run arbitrary Python on the server.
What Is It
CVE-2026-9135 is a code injection vulnerability (CWE-94) in the Policies component's ToolGuard integration in IBM Langflow OSS. The allow_custom_components=false security control validates only the main component source code in node_template["code"]["value"], but fails to validate dynamic CodeInput fields that store generated ToolGuard Python files. Attackers can embed malicious Python in these unvalidated fields, which are persisted in Flow.data and later executed server-side when a guarded tool is invoked through the ToolGuard runtime.
Why It Matters
The flaw allows authenticated users with flow-creation privileges to achieve arbitrary Python code execution on the backend despite custom component restrictions. It carries a CVSS 3.1 base score of 9.9 (CRITICAL): network attack vector, low complexity, low privileges required, no user interaction, and a changed scope with high confidentiality, integrity, and availability impact. The vulnerability can be escalated through cross-tenant flow manipulation via the agentic MCP update_flow_component_field tool, which accepts attacker-controlled user_id parameters, letting attackers inject code into victim users' flows. Combined with publicly accessible flows and specific misconfigurations (AUTO_LOGIN=true, NEW_USER_IS_ACTIVE=true), the attack can be carried out with reduced authentication requirements.
What's Vulnerable
IBM Langflow OSS versions 1.0.0 up to and including 1.9.2 (commit 94981c443d4918517b9e8163d70fc598dc33a32d). The vulnerability was reported by IBM's PSIRT ([email protected]).
Patch Status
Refer to IBM's official support advisory (linked below) for remediation guidance. This CVE does not appear in the supplied CISA KEV data, so there is no confirmed record of active exploitation in that source at this time.
Sources
- IBM Support Advisory; https://www.ibm.com/support/pages/node/7278920
- NVD, CVE-2026-9135, https://nvd.nist.gov/vuln/detail/CVE-2026-9135