HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-48519Published Modified CNA GitHub_M

CVE-2026-48519: Langflow: Unauthenticated RCE in Shareable Playgrounds

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.2, the "Shareable Playground" (or "Public Flows" in code) contains a critical RCE vulnerability. Shareable Playground feature works by enabling the execution of workflows by unauthenticated users, by accessing a link. Specifically, it enables the route /api/v1/build_public_tmp to execute any public flow, given a public flow ID. When the route executes the flow, it allows for providing arbitrary custom Python code as the nodes code, inside the JSON payload. The vulnerable field is data.nodes[X].data.node.template.code.value. This vulnerability is fixed in 1.9.2.

Metrics

CVSS v3.1
9.6
Severity
CRITICAL
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

This is an unauthenticated remote code execution vulnerability in Langflow, a platform for building and deploying AI-powered agents and workflows. The flaw exists in the Shareable Playground feature, which exposes a public API route (/api/v1/build_public_tmp) that accepts arbitrary custom Python code inside a JSON payload without requiring any authentication. Any attacker who can reach the Langflow instance over the network and trick a user into accessing a shared link can execute arbitrary code on the server, with full read, write, and availability impact across the host. No fix version has been published yet; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built Langflow-derived images, in both registry scans and active pipeline checks.

Available
Triage

Triage is available with the CVSS v3.1 score of 9.6 (Critical) applied automatically; per-environment compliance policy weighting is available to escalate or route the finding to the appropriate team inbox within each customer organization.

Available
Patch

Because no upstream fix version has been published, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment version 1.9.2 or a successor fix is released upstream. For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The attacker must reach the Langflow service over the network; the public /api/v1/build_public_tmp route is exposed via HTTP, making any internet- or intranet-facing deployment directly reachable.

  • AuthenticationNot required

    No credentials are needed; the vulnerable route is intentionally unauthenticated as part of the Shareable Playground feature design.

  • Victim interactionRequired

    A user must access a crafted shared-playground link, making this a social-engineering vector where the attacker distributes the link to a target.

  • Attack complexityDetail

    Attack complexity is low; exploitation requires no race conditions, memory-layout knowledge, or special environmental conditions beyond delivering the malicious payload in the JSON body.

Blast Radius

  • The attacker executes arbitrary Python code in the server process, giving full control over the Langflow host and any services it can reach.
  • All data accessible to the Langflow process is readable, including stored API keys, workflow configurations, environment variables, and connected data sources.
  • The attacker can modify or delete persisted workflows, database rows, and any files writable by the Langflow process.
  • The Langflow service and any dependent agents or workflows can be crashed or permanently disabled.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists yet, HarborGuard continuously re-evaluates this advisory on every ingest cycle and will surface a patched-image rebuild the moment version 1.9.2 is published upstream. In the interim, compensating controls are advisable: apply a network policy that restricts inbound access to the Langflow service to known, trusted IP ranges; if the Shareable Playground feature is not required, disable the /api/v1/build_public_tmp route via feature-flag or reverse-proxy block; and apply egress filtering to limit what the Langflow process can reach if code execution does occur. For customers who opt into auto-remediation, HarborGuard will trigger a rebuild, regression test run, and PR against affected workloads without manual intervention as soon as the upstream fix is available.

See how HarborGuard automates this
Affected packages
  • langflow-ai / langflow
    < 1.9.2
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
References