CVE-2026-9135 in Langflow
Summary
by MITRE • 07/17/2026
IBM Langflow OSS 1.0.0 through 1.10.0 Langflow versions up to 1.9.2 (commit 94981c443d4918517b9e8163d70fc598dc33a32d) contain a code injection vulnerability in the Policies component's ToolGuard integration that bypasses the allow_custom_components=false security control. The vulnerability exists because the validation mechanism only checks the main component source code in node_template["code"]["value"] but fails to validate dynamic CodeInput fields that store generated ToolGuard Python files. Attackers can embed malicious Python code in these unvalidated dynamic fields, which are persisted in Flow.data and later executed server-side when a guarded tool is invoked through the ToolGuard runtime. This allows authenticated users with flow creation privileges to achieve arbitrary Python code execution on the backend despite custom component restrictions. The vulnerability can be escalated through cross-tenant flow manipulation via the agentic MCP update_flow_component_field tool, which accepts attacker-controlled user_id parameters, enabling attackers to inject malicious code into victim users' flows. When combined with publicly accessible flows and specific misconfigurations (AUTO_LOGIN=true, NEW_USER_IS_ACTIVE=true), the attack can be conducted with reduced authentication requirements.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 07/17/2026
This vulnerability exists within IBM Langflow Open Source Software versions 1.0.0 through 1.10.0, specifically affecting versions up to 1.9.2 with commit 94981c443d4918517b9e8163d70fc598dc33a32d. The security flaw resides in the Policies component's ToolGuard integration where a code injection vulnerability bypasses the critical allow_custom_components=false security control. This represents a fundamental failure in input validation that violates core security principles and creates an exploitable path for malicious actors to execute arbitrary code on the backend system.
The technical implementation flaw stems from incomplete validation mechanisms that only examine the main component source code located in node_template["code"]["value"] while completely neglecting dynamic CodeInput fields that store generated ToolGuard Python files. This validation gap creates a persistent security weakness where attackers can inject malicious Python code into unvalidated dynamic fields that are subsequently persisted in Flow.data storage. When a guarded tool is invoked through the ToolGuard runtime, these malicious code snippets execute server-side with full backend privileges, effectively granting attackers complete control over the system's execution environment.
The operational impact of this vulnerability extends beyond simple code execution to encompass cross-tenant manipulation capabilities. Attackers can leverage the agentic MCP update_flow_component_field tool which accepts attacker-controlled user_id parameters, enabling them to inject malicious code into victim users' flows without requiring direct access to those specific accounts. This creates a sophisticated attack vector where a single compromised authenticated user with flow creation privileges can potentially compromise multiple tenant environments simultaneously. The vulnerability's severity is amplified when combined with publicly accessible flows and specific misconfigurations such as AUTO_LOGIN=true and NEW_USER_IS_ACTIVE=true, which dramatically reduce authentication requirements for executing the attack.
Security controls fail at multiple levels within this system architecture, creating a cascading risk that violates several cybersecurity standards including CWE-94 (Improper Control of Generation of Code) and CWE-79 (Cross-site Scripting). The vulnerability directly maps to ATT&CK technique T1059.001 (Command and Scripting Interpreter: Python) and T1566.002 (Phishing: Spearphishing Attachment), as it enables both code execution and lateral movement across tenant boundaries. Organizations implementing this software face significant risk of data breaches, system compromise, and unauthorized access to sensitive information when these vulnerabilities remain unpatched.
Mitigation strategies must address both immediate remediation and architectural improvements. The most critical step involves implementing comprehensive validation for all dynamic CodeInput fields, not just the primary code value, ensuring that any generated ToolGuard Python files undergo strict sanitization before persistence. Organizations should also implement additional controls around the agentic MCP update_flow_component_field tool by validating user_id parameters and implementing proper access controls to prevent cross-tenant manipulation. The system configuration should be reviewed to disable AUTO_LOGIN=true and NEW_USER_IS_ACTIVE=true unless absolutely necessary for specific use cases. Additionally, regular security scanning and monitoring of Flow.data persistence points can help detect unauthorized code injection attempts before they can be executed in production environments.