External risk intelligence

IBM Langflow OSS Code Injection Leading to Server-Side Python Execution.

CVE advisorySeverity: CRITICAL (CVSS 9.9)

CVE-2026-9135

Langflow is a workflow automation and application development platform designed to be deployed as a web-based service. Its typical deployment involves hosting public or internal web interfaces and API endpoints to manage flows and execute backend logic, making these services frequently reachable over the network in real-world environments.

Code Injection

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability exists in the code injection safeguards of a software component used for creating automated workflows, allowing authenticated users to execute arbitrary Python code on the server. This could potentially lead to unauthorized actions if malicious code is embedded and triggered within these workflows.

  • Code injection flaw bypasses security controls.
  • Threatens server-side execution of custom code.
  • Confirm relevance and assess potential exposure.

Attack Path

How an attacker could exploit the issue

Attackers can exploit this vulnerability by crafting malicious Python code within dynamic CodeInput fields of a flow. This code is then saved and executed on the server when a tool is invoked, allowing for arbitrary code execution. With specific misconfigurations and public access, attackers may need fewer authentication credentials.

  • Requires authenticated user with flow creation privileges.
  • Triggered by invoking a guarded tool with malicious code.
  • Enables arbitrary Python code execution on the server.

Live Threat

Current exploitation, exposure, and threat context

An attacker could execute arbitrary Python code on the backend by injecting malicious code into dynamic fields within flows. This risk is amplified when combined with publicly accessible flows and specific server configurations that reduce authentication requirements, potentially allowing for cross-tenant manipulation of user flows.

  • System data and service behavior.
  • Malicious code injection via dynamic fields.
  • Arbitrary code execution on the backend.

Operational Fix

Recommended remediation, mitigation, and detection steps

The critical code injection vulnerability in IBM Langflow OSS affects the Policies component's ToolGuard integration. This impacts teams responsible for application development platforms and the underlying infrastructure. The initial practical move is to locate all instances of Langflow, assess their reachability and business criticality, identify the accountable application or platform owners, and then prioritize remediation based on this risk assessment.

  • Application and Platform Owners
  • Verify affected Langflow instance reachability.
  • Plan remediation based on identified risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is IBM Langflow OSS?

IBM Langflow OSS is a platform for building automated workflows and artificial intelligence applications. It provides a visual interface for developers to create complex processing pipelines. The software runs as a web-based service, executing backend logic on the host server to handle data and automate tasks.

How does CVE-2026-9135 allow code injection?

This vulnerability falls under the weakness class of Code Injection (CWE-94). The system has a security control intended to block custom components, but the validation logic is incomplete. While the software checks primary source code, it overlooks dynamic fields used for generated files. An attacker can place harmful Python scripts into these fields, which the server then executes whenever a specific tool is triggered.

Does simply viewing a flow trigger this vulnerability?

No, viewing a flow is not the trigger. Execution occurs server-side only when an attacker with flow creation privileges saves malicious code into a dynamic field and that specific guarded tool is later invoked. The flaw requires the backend runtime to process the corrupted data during tool operation.

Why should I care about this if my Langflow instance is internal?

Halo Surface Signal indicates that Langflow is typically deployed as a web service with endpoints reachable over the network. Even if intended for internal use, these interfaces are often accessible to wider organizational networks. If your instance is configured to allow public access or has specific misconfigurations enabled, the potential for unauthorized access significantly increases.

What is the first step to address this CVE?

Begin by identifying every instance of IBM Langflow OSS running in your environment. Once mapped, verify if these services are reachable from your network and determine which teams own them. Engage these platform owners to evaluate the business criticality of their flows and prioritize the application of official security updates or vendor-recommended configurations.

References