Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

CVE-2026-9135: CWE-94 Improper Control of Generation of Code ('Code Injection') in IBM Langflow OSS

0
Critical
VulnerabilityCVE-2026-9135cvecve-2026-9135cwe-94
Published: 07/17/2026 (07/17/2026, 18:48:55 UTC)
Source: CVE Database V5
Vendor/Project: IBM
Product: Langflow OSS

Description

IBM Langflow OSS 1.0.0 through 1.10.0 Langflow versions up to 1.9.2 (commit 94981c443d4918517b9e8163d70fc598dc33a32d) contain a code injection vulnerability in the Policies component's ToolGuard integration that bypasses the allow_custom_components=false security control. The vulnerability exists because the validation mechanism only checks the main component source code in node_template["code"]["value"] but fails to validate dynamic CodeInput fields that store generated ToolGuard Python files. Attackers can embed malicious Python code in these unvalidated dynamic fields, which are persisted in Flow.data and later executed server-side when a guarded tool is invoked through the ToolGuard runtime. This allows authenticated users with flow creation privileges to achieve arbitrary Python code execution on the backend despite custom component restrictions. The vulnerability can be escalated through cross-tenant flow manipulation via the agentic MCP update_flow_component_field tool, which accepts attacker-controlled user_id parameters, enabling attackers to inject malicious code into victim users' flows. When combined with publicly accessible flows and specific misconfigurations (AUTO_LOGIN=true, NEW_USER_IS_ACTIVE=true), the attack can be conducted with reduced authentication requirements.

CVSS v3.1

Score 9.9critical

Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Affected software

GitHub Actionsmore threats →ai
ibm/langflow_oss
pkg:github/ibm/langflow_oss
Affected versions
=1.0.0<=1.10.0
CPE configurations (2)
cpe:2.3:a:ibm:langflow_oss:1.0.0:*:*:*:*:*:*:*
cpe:2.3:a:ibm:langflow_oss:1.10.0:*:*:*:*:*:*:*

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/18/2026, 11:57:20 UTC

Technical Analysis

CVE-2026-9135 is a code injection vulnerability (CWE-94) in IBM Langflow OSS versions 1.0.0 through 1.10.0 (up to commit 94981c443d4918517b9e8163d70fc598dc33a32d). The issue arises because the validation mechanism only checks the main component source code but fails to validate dynamic CodeInput fields that store generated ToolGuard Python files. Attackers with flow creation privileges can embed malicious Python code in these unvalidated fields, which are persisted and executed server-side when invoking guarded tools. The vulnerability bypasses the allow_custom_components=false control and can be escalated through cross-tenant flow manipulation via the agentic MCP update_flow_component_field tool, which accepts attacker-controlled user_id parameters. Misconfigurations such as AUTO_LOGIN=true and NEW_USER_IS_ACTIVE=true can reduce authentication barriers, increasing exploitability.

Potential Impact

Successful exploitation allows authenticated users with flow creation privileges to achieve arbitrary Python code execution on the backend server, potentially leading to full system compromise. The vulnerability also enables cross-tenant code injection, allowing attackers to manipulate victim users' flows. The CVSS 3.1 base score is 9.9 (critical), reflecting network attack vector, low attack complexity, privileges required, no user interaction, scope change, and high impact on confidentiality, integrity, and availability.

Mitigation Recommendations

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict flow creation privileges to trusted users only and review configurations to avoid AUTO_LOGIN=true and NEW_USER_IS_ACTIVE=true settings that reduce authentication requirements. Monitor for updates from IBM regarding patches or official mitigations.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Data Version
5.2
Assigner Short Name
ibm
Date Reserved
2026-05-20T18:38:22.538Z
Cvss Version
3.1
State
PUBLISHED
Remediation Level
null

Threat ID: 6a5b5eb42d1edb114c7fb5b0

Added to database: 07/18/2026, 11:08:36 UTC

Last enriched: 07/18/2026, 11:57:20 UTC

Last updated: 07/18/2026, 13:31:22 UTC

Views: 7

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses