Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.
The /api/v1/validate/code endpoint does not require authentication (CWE-306 — missing authentication) and is vulnerable to code injection (CWE-94). A remote attacker sends a crafted HTTP request to this endpoint, injecting malicious code that is subsequently executed on the server side. The absence of any access control mechanisms allows any person with network access to the application to carry out the attack.
An attacker can execute arbitrary code on the server with Langflow process privileges, which in practice means complete system takeover — data theft, malware installation, or lateral movement in the network.
Langflow must be immediately updated to version 1.3.0 or newer. The patch is available in the official GitHub project repository (tag 1.3.0). Until the update is applied, it is recommended to restrict network access to the Langflow instance to trusted IP addresses only.
Langflow versions earlier than 1.3.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HLangflow
APPLangflow< 1.3.0
CISA KEV — detailsi
- Vendori
- Langflow
- Producti
- Langflow
- Added to KEVi
- May 5, 2025
- Remediation deadline (US Federal)i
- May 26, 2025(overdue)
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Langflow contains a missing authentication vulnerability in the /api/v1/validate/code endpoint that allows a remote, unauthenticated attacker to execute arbitrary code via crafted HTTP requests.
Related vulnerabilities
Langflow: nieuwierzytelniony RCE przez endpoint budowania publicznych przepływów
Langflow: przejęcie konta i RCE przez błędną konfigurację CORS
IBM Langflow OSS 1.0.0 through 1.9.3 allows an attacker to read every secret available to the Langflow process...
IBM Langflow OSS 1.0.0 through 1.10.0 voice mode contains improper shared-state handling that allows reuse of ...
IBM Langflow OSS 1.0.0 through 1.9.6 could allow unauthenticated attackers to access protected MCP project res...