CVE-2026-9135: CWE-94 Improper Control of Generation of Code ('Code Injection') in IBM Langflow OSS
IBM Langflow OSS 1.0.0 through 1.10.0 Langflow versions up to 1.9.2 (commit 94981c443d4918517b9e8163d70fc598dc33a32d) contain a code injection vulnerability in the Policies component's ToolGuard integration that bypasses the allow_custom_components=false security control. The vulnerability exists because the validation mechanism only checks the main component source code in node_template["code"]["value"] but fails to validate dynamic CodeInput fields that store generated ToolGuard Python files. Attackers can embed malicious Python code in these unvalidated dynamic fields, which are persisted in Flow.data and later executed server-side when a guarded tool is invoked through the ToolGuard runtime. This allows authenticated users with flow creation privileges to achieve arbitrary Python code execution on the backend despite custom component restrictions. The vulnerability can be escalated through cross-tenant flow manipulation via the agentic MCP update_flow_component_field tool, which accepts attacker-controlled user_id parameters, enabling attackers to inject malicious code into victim users' flows. When combined with publicly accessible flows and specific misconfigurations (AUTO_LOGIN=true, NEW_USER_IS_ACTIVE=true), the attack can be conducted with reduced authentication requirements.
AI Analysis
Technical Summary
CVE-2026-9135 is a code injection vulnerability (CWE-94) in IBM Langflow OSS versions 1.0.0 through 1.10.0 (up to commit 94981c443d4918517b9e8163d70fc598dc33a32d). The issue arises because the validation mechanism only checks the main component source code but fails to validate dynamic CodeInput fields that store generated ToolGuard Python files. Attackers with flow creation privileges can embed malicious Python code in these unvalidated fields, which are persisted and executed server-side when invoking guarded tools. The vulnerability bypasses the allow_custom_components=false control and can be escalated through cross-tenant flow manipulation via the agentic MCP update_flow_component_field tool, which accepts attacker-controlled user_id parameters. Misconfigurations such as AUTO_LOGIN=true and NEW_USER_IS_ACTIVE=true can reduce authentication barriers, increasing exploitability.
Potential Impact
Successful exploitation allows authenticated users with flow creation privileges to achieve arbitrary Python code execution on the backend server, potentially leading to full system compromise. The vulnerability also enables cross-tenant code injection, allowing attackers to manipulate victim users' flows. The CVSS 3.1 base score is 9.9 (critical), reflecting network attack vector, low attack complexity, privileges required, no user interaction, scope change, and high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict flow creation privileges to trusted users only and review configurations to avoid AUTO_LOGIN=true and NEW_USER_IS_ACTIVE=true settings that reduce authentication requirements. Monitor for updates from IBM regarding patches or official mitigations.
CVE-2026-9135: CWE-94 Improper Control of Generation of Code ('Code Injection') in IBM Langflow OSS
Description
IBM Langflow OSS 1.0.0 through 1.10.0 Langflow versions up to 1.9.2 (commit 94981c443d4918517b9e8163d70fc598dc33a32d) contain a code injection vulnerability in the Policies component's ToolGuard integration that bypasses the allow_custom_components=false security control. The vulnerability exists because the validation mechanism only checks the main component source code in node_template["code"]["value"] but fails to validate dynamic CodeInput fields that store generated ToolGuard Python files. Attackers can embed malicious Python code in these unvalidated dynamic fields, which are persisted in Flow.data and later executed server-side when a guarded tool is invoked through the ToolGuard runtime. This allows authenticated users with flow creation privileges to achieve arbitrary Python code execution on the backend despite custom component restrictions. The vulnerability can be escalated through cross-tenant flow manipulation via the agentic MCP update_flow_component_field tool, which accepts attacker-controlled user_id parameters, enabling attackers to inject malicious code into victim users' flows. When combined with publicly accessible flows and specific misconfigurations (AUTO_LOGIN=true, NEW_USER_IS_ACTIVE=true), the attack can be conducted with reduced authentication requirements.
CVSS v3.1
Score 9.9critical
Affected software
pkg:github/ibm/langflow_osscpe:2.3:a:ibm:langflow_oss:1.0.0:*:*:*:*:*:*:*cpe:2.3:a:ibm:langflow_oss:1.10.0:*:*:*:*:*:*:*Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-9135 is a code injection vulnerability (CWE-94) in IBM Langflow OSS versions 1.0.0 through 1.10.0 (up to commit 94981c443d4918517b9e8163d70fc598dc33a32d). The issue arises because the validation mechanism only checks the main component source code but fails to validate dynamic CodeInput fields that store generated ToolGuard Python files. Attackers with flow creation privileges can embed malicious Python code in these unvalidated fields, which are persisted and executed server-side when invoking guarded tools. The vulnerability bypasses the allow_custom_components=false control and can be escalated through cross-tenant flow manipulation via the agentic MCP update_flow_component_field tool, which accepts attacker-controlled user_id parameters. Misconfigurations such as AUTO_LOGIN=true and NEW_USER_IS_ACTIVE=true can reduce authentication barriers, increasing exploitability.
Potential Impact
Successful exploitation allows authenticated users with flow creation privileges to achieve arbitrary Python code execution on the backend server, potentially leading to full system compromise. The vulnerability also enables cross-tenant code injection, allowing attackers to manipulate victim users' flows. The CVSS 3.1 base score is 9.9 (critical), reflecting network attack vector, low attack complexity, privileges required, no user interaction, scope change, and high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict flow creation privileges to trusted users only and review configurations to avoid AUTO_LOGIN=true and NEW_USER_IS_ACTIVE=true settings that reduce authentication requirements. Monitor for updates from IBM regarding patches or official mitigations.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- ibm
- Date Reserved
- 2026-05-20T18:38:22.538Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a5b5eb42d1edb114c7fb5b0
Added to database: 07/18/2026, 11:08:36 UTC
Last enriched: 07/18/2026, 11:57:20 UTC
Last updated: 07/18/2026, 13:31:22 UTC
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.