CVE-2026-9198: CWE-94 Improper Control of Generation of Code ('Code Injection') in IBM Langflow OSS
IBM Langflow OSS 1.0.0 through 1.10.0 allows unauthenticated attackers to chain /api/v1/auto_login (mints SUPERUSER tokens to any network caller) with /api/v1/validate/code (executes user code via exec()) to achieve full RCE on default Langflow deployments
AI Analysis
Technical Summary
CVE-2026-9198 affects IBM Langflow OSS versions 1.0.0 through 1.10.0. The vulnerability arises from improper control of code generation (CWE-94), where unauthenticated attackers can chain the /api/v1/auto_login endpoint, which mints SUPERUSER tokens to any network caller, with the /api/v1/validate/code endpoint that executes user-supplied code using exec(). This combination enables full remote code execution on default Langflow OSS deployments without authentication.
Potential Impact
Successful exploitation results in full remote code execution with SUPERUSER privileges on affected IBM Langflow OSS deployments. This allows attackers to execute arbitrary commands, potentially leading to complete system compromise, data theft, or disruption of service. The CVSS 3.1 base score is 9.8, indicating a critical severity with network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch links are currently available. Until a patch is released, restrict network access to the affected endpoints and consider disabling or limiting the use of the vulnerable APIs if possible. Monitor vendor communications for updates on remediation.
CVE-2026-9198: CWE-94 Improper Control of Generation of Code ('Code Injection') in IBM Langflow OSS
Description
IBM Langflow OSS 1.0.0 through 1.10.0 allows unauthenticated attackers to chain /api/v1/auto_login (mints SUPERUSER tokens to any network caller) with /api/v1/validate/code (executes user code via exec()) to achieve full RCE on default Langflow deployments
CVSS v3.1
Score 9.8critical
Affected software
pkg:github/ibm/langflow_osscpe:2.3:a:ibm:langflow_oss:1.0.0:*:*:*:*:*:*:*cpe:2.3:a:ibm:langflow_oss:1.10.0:*:*:*:*:*:*:*Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-9198 affects IBM Langflow OSS versions 1.0.0 through 1.10.0. The vulnerability arises from improper control of code generation (CWE-94), where unauthenticated attackers can chain the /api/v1/auto_login endpoint, which mints SUPERUSER tokens to any network caller, with the /api/v1/validate/code endpoint that executes user-supplied code using exec(). This combination enables full remote code execution on default Langflow OSS deployments without authentication.
Potential Impact
Successful exploitation results in full remote code execution with SUPERUSER privileges on affected IBM Langflow OSS deployments. This allows attackers to execute arbitrary commands, potentially leading to complete system compromise, data theft, or disruption of service. The CVSS 3.1 base score is 9.8, indicating a critical severity with network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch links are currently available. Until a patch is released, restrict network access to the affected endpoints and consider disabling or limiting the use of the vulnerable APIs if possible. Monitor vendor communications for updates on remediation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- ibm
- Date Reserved
- 2026-05-21T15:40:11.465Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a5b401834329bf928c71335
Added to database: 07/18/2026, 08:58:00 UTC
Last enriched: 07/18/2026, 09:35:07 UTC
Last updated: 07/18/2026, 11:08:17 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.