CVE-2026-9135

IBM · Langflow OSS

IBM Langflow OSS contains a code injection vulnerability in its ToolGuard integration, allowing authenticated users to bypass security controls and execute arbitrary Python code.

Executive summary

An authentication-based code injection vulnerability in IBM Langflow OSS allows attackers to execute arbitrary Python code by exploiting insufficient validation in dynamic ToolGuard fields.

Vulnerability

The application fails to validate dynamic CodeInput fields, allowing attackers to inject malicious Python code that is later executed by the ToolGuard runtime. This bypasses existing security controls and allows authenticated users to achieve arbitrary code execution.

Business impact

This vulnerability is rated at a CVSS score of 9.9, reflecting its potential for total system compromise. The ability to manipulate flows and escalate privileges across tenants creates a high risk of cross-tenant data exposure and unauthorized backend system control.

Remediation

Immediate Action: Upgrade to IBM Langflow OSS version 1.10.1, which addresses the validation failures in the ToolGuard integration.

Proactive Monitoring: Review flow creation logs and monitor for unauthorized modifications to flow components or the use of unexpected dynamic code inputs.

Compensating Controls: Disable unnecessary features such as AUTO_LOGIN and ensure strict access control policies are in place to limit who can create or modify flows.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Given the critical severity and the potential for lateral movement and cross-tenant exploitation, immediate patching is required. Organizations must update to version 1.10.1 to eliminate the injection vector and protect the integrity of the Langflow platform.