CVE-2026-33017: CWE-94: Improper Control of Generation of Code ('Code Injection') in langflow-ai langflow
Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.
AI Analysis
Technical Summary
Langflow is an AI workflow orchestration tool that allows users to build and deploy AI-powered agents. In versions before 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint is intended to build public flows without requiring authentication. However, it accepts an optional data parameter that, if supplied, overrides the stored flow data with attacker-controlled content. This content can include arbitrary Python code embedded within node definitions. The endpoint executes this code using Python's exec() function without any sandboxing or validation, resulting in unauthenticated remote code execution (RCE). This vulnerability is distinct from CVE-2025-3248, which addressed authentication on a different endpoint but did not fix this issue. The lack of authentication combined with direct execution of attacker-supplied code makes this a critical security flaw. The vulnerability is tracked as CWE-94 (Improper Control of Generation of Code), CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code), and CWE-306 (Missing Authentication for Critical Function). The flaw was publicly disclosed and fixed in langflow version 1.9.0. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability. No known exploits in the wild have been reported yet, but the severity and ease of exploitation make it a high-risk vulnerability for exposed systems.
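The defect pattern described above, shown beside a hardened version of the same route, as an added example that is not Langflow's code: `FlowStore`, `StoredFlow`, `build_flow` and the two handler names are assumptions, and the build step is a stand-in that only reports node ids instead of executing anything. The point is the data-source decision: on an unauthenticated route the flow definition must come from the database and nowhere else.

```python
from dataclasses import dataclass


class BadRequest(Exception):
    """Client sent something the route does not accept (HTTP 400)."""


class Forbidden(Exception):
    """Flow exists but is not public (HTTP 403)."""


class NotFound(Exception):
    """No such flow (HTTP 404)."""


@dataclass
class StoredFlow:
    flow_id: str
    is_public: bool
    data: dict  # the node graph as persisted by the application


class FlowStore:
    """Tiny in-memory stand-in for the database lookup (assumption, not a real API)."""

    def __init__(self, flows):
        self._flows = {f.flow_id: f for f in flows}

    def get(self, flow_id):
        return self._flows.get(flow_id)


def build_flow(flow_data):
    """Stand-in for the build step. In the real product this is where node code
    reaches exec(); here it only reports which nodes would be built."""
    return {"built_nodes": [node["id"] for node in flow_data.get("nodes", [])]}


def build_public_tmp_vulnerable(flow_id, body, store):
    """Defect pattern from the advisory: an optional client-supplied "data" object
    silently replaces the stored definition, so whatever the caller sends is built."""
    flow_data = body.get("data") or store.get(flow_id).data
    return build_flow(flow_data)


def build_public_tmp_fixed(flow_id, body, store):
    # 1. On an unauthenticated route, client-supplied flow definitions are never accepted.
    if "data" in body:
        raise BadRequest("flow data may not be supplied on the public build endpoint")
    # 2. The definition comes only from the database ...
    flow = store.get(flow_id)
    if flow is None:
        raise NotFound(flow_id)
    # 3. ... and only if its owner explicitly marked it public.
    if not flow.is_public:
        raise Forbidden(flow_id)
    return build_flow(flow.data)


if __name__ == "__main__":
    # Constructed sample store: one public flow, one private flow.
    store = FlowStore([
        StoredFlow("pub-1", True, {"nodes": [{"id": "prompt"}, {"id": "llm"}]}),
        StoredFlow("priv-1", False, {"nodes": [{"id": "secret"}]}),
    ])
    print(build_public_tmp_fixed("pub-1", {}, store))
```

The fixed handler rejects the override with a 400 rather than ignoring it: a client that sends `data` to this route is either a misconfigured frontend or a probe, and either is worth surfacing in logs rather than silently discarding.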
Potential Impact
The vulnerability allows unauthenticated attackers to execute arbitrary Python code on servers running vulnerable langflow versions. This can lead to full system compromise: theft, destruction or manipulation of data, installation of persistent malware, lateral movement within the network, and disruption of AI workflows. Since langflow is used to build and deploy AI agents, attackers could also manipulate agent behavior or exfiltrate sensitive model data. Because no authentication or user interaction is required, the flaw is readily exploitable over the network, especially on publicly accessible instances. Organizations relying on langflow for AI orchestration face operational disruption, intellectual-property loss, and potential regulatory consequences if sensitive data is compromised. The critical severity score reflects the broad impact on confidentiality, integrity, and availability of affected systems.
Mitigation Recommendations
Upgrade langflow to version 1.9.0 or later immediately to apply the official fix, which prevents execution of attacker-supplied code in the build_public_tmp endpoint. Until the upgrade is applied, restrict network access to the vulnerable endpoint with firewall rules or API gateway policies that block unauthenticated requests to /api/v1/build_public_tmp/{flow_id}/flow. Employ runtime application self-protection (RASP) or a web application firewall (WAF) with custom rules to detect and block suspicious payloads containing Python code patterns. Conduct thorough code reviews and penetration testing of any custom AI workflow tools to ensure no similar code injection vectors exist. Monitor logs for unusual API usage or unexpected code execution attempts. Consider isolating langflow deployments in segmented network zones with minimal privileges to limit the damage from exploitation. Educate development and security teams about the risks of executing dynamic code without sandboxing or validation.
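The interim gateway policy and log monitoring recommended above, as an added example that is not a Langflow feature or the vendor's code: `evaluate` models the "block unauthenticated requests to the endpoint" rule for one request and additionally refuses any body carrying a top-level `data` key, and `summarize` runs it over a batch of requests and counts blocks per source address. The request dictionaries, header names and sample traffic are constructed for this example.

```python
import json
import re
from collections import Counter

# Only this route is affected (path shape taken from the advisory).
PUBLIC_BUILD = re.compile(r"^/api/v1/build_public_tmp/(?P<flow_id>[^/]+)/flow$")


def evaluate(req):
    """Interim gateway policy for one request, returning (decision, reason).

    req is a dict with keys src, method, path, headers (lowercase names) and
    body (raw string). Assumed request shape; adapt to the gateway in use."""
    path = req["path"].split("?", 1)[0]
    match = PUBLIC_BUILD.match(path)
    if req["method"] != "POST" or match is None:
        return "allow", "not the affected endpoint"
    # Until patched, the public build route is treated as requiring credentials.
    if not req["headers"].get("authorization"):
        return "block", "unauthenticated request to build_public_tmp"
    try:
        body = json.loads(req["body"] or "{}")
    except json.JSONDecodeError:
        return "block", "malformed JSON body"
    # Even with credentials, a top-level "data" key means the caller is trying to
    # substitute its own flow definition for the stored one.
    if isinstance(body, dict) and "data" in body:
        return "block", "client-supplied flow data on public build endpoint"
    return "allow", "stored flow only"


def summarize(requests):
    """Run the policy over logged requests and count blocks per source address,
    which is the signal worth alerting on while the instance is unpatched."""
    decisions = [(r["src"],) + evaluate(r) for r in requests]
    blocked_per_src = Counter(
        src for src, decision, _ in decisions if decision == "block"
    )
    return decisions, blocked_per_src


# Constructed sample traffic (not real logs); tokens are placeholders.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.5", "method": "GET", "path": "/api/v1/flows",
     "headers": {}, "body": ""},
    {"src": "198.51.100.7", "method": "POST",
     "path": "/api/v1/build_public_tmp/f1/flow",
     "headers": {}, "body": '{"inputs": {}}'},
    {"src": "198.51.100.7", "method": "POST",
     "path": "/api/v1/build_public_tmp/f1/flow?x=1",
     "headers": {"authorization": "Bearer placeholder-token"},
     "body": '{"data": {"nodes": [{"id": "n1"}]}}'},
    {"src": "203.0.113.5", "method": "POST",
     "path": "/api/v1/build_public_tmp/f1/flow",
     "headers": {"authorization": "Bearer placeholder-token"},
     "body": '{"inputs": {"text": "hello"}}'},
    {"src": "192.0.2.9", "method": "POST",
     "path": "/api/v1/build_public_tmp/f1/flow",
     "headers": {"authorization": "Bearer placeholder-token"},
     "body": "{not json"},
]

if __name__ == "__main__":
    decisions, blocked = summarize(SAMPLE_REQUESTS)
    for src, decision, reason in decisions:
        print(f"{src:14} {decision:5} {reason}")
    print("blocked per source:", dict(blocked))
```

Requiring credentials on this route also blocks legitimate anonymous use of public flows, so the policy is a stopgap for the window before 1.9.0 is deployed, not a replacement for the upgrade; the per-source block counts are what to feed into alerting during that window.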
Affected Countries
United States, Germany, United Kingdom, Canada, France, Japan, South Korea, Australia, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-17T17:22:14.666Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69bcda04e32a4fbe5f304681
Added to database: 3/20/2026, 5:24:20 AM
Last enriched: 3/27/2026, 6:41:41 PM
Last updated: 5/1/2026, 7:10:27 PM