External risk intelligence

Langflow Shareable Playground RCE Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.6)

CVE-2026-48519

The vulnerability exists in a feature explicitly designed to expose workflows via public links for unauthenticated access. This creates a public-facing API endpoint intended to be reachable by anyone on the internet, placing the vulnerable component directly at the network edge by design.

Code Injection

Langflow

before 1.9.2

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

Langflow, a tool for building AI workflows, has a critical vulnerability in its "Shareable Playground" feature that allows unauthenticated users to execute arbitrary Python code via public links. This could enable severe compromise of affected systems by attackers who discover or are sent a malicious link. The issue is addressed in version 1.9.2 and later.

  • Public links allow unauthenticated code execution.
  • Matters if your organization uses public AI workflows.
  • Confirm relevance and exposure of public AI workflows.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending a specially crafted request to a public workflow link. This request allows for the injection of arbitrary Python code, which can then be executed on the server. The vulnerability lies within the "Shareable Playground" feature of Langflow, which is designed to allow unauthenticated users to run workflows by accessing a shared link. Successfully triggering this vulnerability could lead to remote code execution with high impact on confidentiality, integrity, and availability.

  • Accessible via public link, no authentication required.
  • Injects arbitrary Python code in node's code value.
  • Leads to high impact remote code execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated user to execute arbitrary Python code when interacting with a public Langflow playground. This could occur when a public flow is accessed via a link, and a crafted JSON payload is provided, containing malicious code within the `code.value` field. The affected system could then execute this code, potentially leading to unauthorized actions or data compromise.

  • System data and service behavior at risk.
  • Execution via public playground link.
  • Potential for arbitrary code execution.

Operational Fix

Recommended remediation, mitigation, and detection steps

Application owners and platform teams are likely responsible for addressing this critical RCE vulnerability in Langflow's "Shareable Playground" feature. The first practical step is to identify all instances of Langflow, confirm exposure and business criticality, and then ascertain the accountable owner for remediation planning.

  • Application and platform teams own remediation.
  • Verify public flow accessibility and reachability.
  • Plan risk-based remediation with owners.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Langflow and its Shareable Playground?

Langflow is a visual development tool used to design and run AI agents and data processing workflows. The Shareable Playground feature acts as a front-end portal that allows users to share these workflows as public links, enabling others to execute the AI logic without needing their own account or login credentials.

How does CVE-2026-48519 cause a security weakness?

This vulnerability is classified as Improper Control of Generation of Code (CWE-94). In the affected Langflow versions, the public-facing workflow endpoint fails to properly validate inputs. This allows an attacker to inject and execute their own Python code directly on the server by modifying the JSON data sent to the workflow execution route.

When is this vulnerability triggered?

The vulnerability is triggered when an attacker sends a crafted request to the public API route intended for running shared workflows. It does not trigger during standard platform use by authorized administrators, nor does it affect workflows that are not published through the Shareable Playground feature.

Do I need to worry if my Langflow instance is internal?

According to Halo Surface Signal, this vulnerability is particularly high-risk because the feature is designed to be reachable via public links, putting the vulnerable component at the network edge by default. If your Langflow instance or its Shareable Playground feature is accessible from the internet, it is directly exposed to this threat.

How do I address this Langflow vulnerability?

The most effective first step is to identify all deployed instances of Langflow within your environment and determine if the Shareable Playground feature is enabled. Once identified, plan an upgrade to version 1.9.2 or later, which resolves the code execution flaw. If updating is not immediately possible, consider restricting network access to the playground endpoints.

References