Langflow exec_globals Inclusion of Functionality from Untrusted Control Sphere Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the exec_globals parameter provided to the validate endpoint. The issue results from the inclusion of a resource from an untrusted control sphere. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27325.
The vulnerability results from improper handling of the exec_globals parameter passed to the validate endpoint. The application includes resources from an untrusted sphere of control (CWE-829), which allows an attacker to inject and execute malicious code. The exploit requires no authentication or user interaction — it is sufficient to send an appropriately crafted network request.
An attacker can execute arbitrary code in the context of the root user, which means complete takeover of the compromised system, including access to data, ability to install backdoors, and further lateral movement within the network.
Patches available from the vendor should be applied according to the references. Additionally, until the patch is deployed, it is recommended to restrict network access to the validate endpoint using firewall or access control mechanisms.
Langflow — versions indicated in the vendor's references and in the Zero Day Initiative advisory (ZDI-26-036)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HLangflow
APPLangflow1.4.2
Related vulnerabilities
Langflow: nieuwierzytelniony RCE przez endpoint budowania publicznych przepływów
Langflow: przejęcie konta i RCE przez błędną konfigurację CORS
Nieuwierzytelnione RCE w Langflow poprzez wstrzyknięcie kodu w endpoint /api/v1/validate/code
IBM Langflow OSS 1.0.0 through 1.10.0 voice mode contains improper shared-state handling that allows reuse of ...
IBM Langflow OSS 1.0.0 through 1.9.3 allows an attacker to read every secret available to the Langflow process...