External risk intelligence

IBM Langflow OSS RCE via Authentication Bypass and Code Execution

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-9198

The vulnerability affects a web application API that includes authentication endpoints and code execution capabilities. Langflow is typically deployed as a public-facing or externally accessible service to facilitate API interactions and workflow management, making these endpoints highly likely to be exposed to the internet in standard deployments.

Code Injection

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

IBM Langflow OSS, used in versions 1.0.0 through 1.10.0, contains a critical vulnerability that could allow unauthenticated attackers to gain full remote control of affected systems by chaining two API calls. This issue is particularly concerning as it enables code execution and the minting of administrative tokens without requiring any prior authentication. The main concern at this time is confirming relevance and exposure.

  • Allows unauthorized access and code execution.
  • Critical flaw enables full system control.
  • Confirm relevance and assess exposure.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by first accessing the `/api/v1/auto_login` endpoint to create a SUPERUSER token without needing any credentials. This token can then be used to interact with the `/api/v1/validate/code` endpoint, which executes arbitrary user code, leading to complete remote code execution on the affected system.

  • No authentication required.
  • Execute user code via API.
  • Full remote code execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to execute arbitrary code on a Langflow deployment. By chaining two API endpoints, an attacker could mint administrative tokens and then run commands with the privileges of the application. This could affect the integrity and availability of the Langflow service and any systems it interacts with.

  • System data and service integrity.
  • Unauthenticated API calls trigger code execution.
  • Full remote code execution on the server.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability in IBM Langflow OSS impacts unauthenticated users by allowing remote code execution, necessitating immediate action from platform and security teams. The first practical step involves identifying all Langflow deployments, assessing their network exposure and business criticality, and locating the accountable system owners. Once identified, a prioritized remediation plan should be developed, considering maintenance windows, vendor coordination for potential patches, and temporary risk-reduction measures if full remediation is not immediately feasible.

  • Platform and security teams should own this.
  • Verify network exposure and criticality first.
  • Plan remediation based on identified risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is IBM Langflow OSS?

IBM Langflow OSS is a visual framework designed for building and managing workflows, often used to create and deploy AI-driven applications. It provides a web-based interface for designing complex logic flows. Users interact with its API endpoints to manage configurations, execute code, and perform workflow operations.

How does CVE-2026-9198 allow code execution?

This vulnerability involves a weakness classified as CWE-94, or Improper Control of Generation of Code. An attacker can chain two specific API functions to bypass security. First, they use an endpoint to generate an administrative token without credentials. They then submit that token to a second endpoint designed to validate code, which incorrectly executes the provided input as system commands.

Do I need credentials to trigger this vulnerability?

No. The flaw specifically allows unauthenticated attackers to initiate the attack chain. You do not need a pre-existing account or login session to mint the administrative token. Conversely, if your deployment restricts access to these specific API endpoints using external authentication layers or firewalls, the vulnerability cannot be triggered via the standard network path.

Is my IBM Langflow instance at risk?

According to Halo Surface Signal, this vulnerability is highly relevant if your instance is internet-facing. Because Langflow is typically deployed to facilitate API interactions, these specific endpoints are often reachable over the public internet. If your system is exposed, attackers can reach these API paths directly, making it a critical priority for assessment.

When should I take action on CVE-2026-9198?

You should act immediately by locating all active Langflow deployments within your environment. Once identified, confirm which instances are accessible over the network. Work with your technical team to prioritize these assets based on their role and business criticality, and prepare to apply vendor-supplied updates or temporary network restrictions to block access to the affected API endpoints.

References