CVE-2026-9135
IBM · Langflow OSS
IBM Langflow OSS contains a code injection vulnerability in its ToolGuard integration, allowing authenticated users to bypass security controls and execute arbitrary Python code.
Executive summary
An authentication-based code injection vulnerability in IBM Langflow OSS allows attackers to execute arbitrary Python code by exploiting insufficient validation in dynamic ToolGuard fields.
Vulnerability
The application fails to validate dynamic CodeInput fields, allowing attackers to inject malicious Python code that is later executed by the ToolGuard runtime. This bypasses existing security controls and allows authenticated users to achieve arbitrary code execution.
Business impact
This vulnerability is rated at a CVSS score of 9.9, reflecting its potential for total system compromise. The ability to manipulate flows and escalate privileges across tenants creates a high risk of cross-tenant data exposure and unauthorized backend system control.
Remediation
Immediate Action: Upgrade to IBM Langflow OSS version 1.10.1, which addresses the validation failures in the ToolGuard integration.
Proactive Monitoring: Review flow creation logs and monitor for unauthorized modifications to flow components or the use of unexpected dynamic code inputs.
Compensating Controls: Disable unnecessary features such as AUTO_LOGIN and ensure strict access control policies are in place to limit who can create or modify flows.
Exploitation status
Public Exploit Available: No
Analyst recommendation
Given the critical severity and the potential for lateral movement and cross-tenant exploitation, immediate patching is required. Organizations must update to version 1.10.1 to eliminate the injection vector and protect the integrity of the Langflow platform.