Langflow Vulnerability Allows Remote Code Execution
Summary
CERT-Bund has issued a security advisory for Langflow, detailing a critical vulnerability that allows remote code execution. The advisory affects versions prior to 1.9.0 and impacts Linux, UNIX, and Windows operating systems. Mitigation measures are available.
What changed
CERT-Bund has released advisory WID-SEC-2026-0804 concerning a critical vulnerability in Langflow, a tool for creating LLM-based applications. The vulnerability, with a CVSS Base Score of 9.9, allows authenticated remote attackers to execute arbitrary code on affected systems. This impacts open-source Langflow versions prior to 1.9.0, running on Linux, UNIX, and Windows.
Organizations using affected versions of Langflow should immediately apply available mitigation measures or update to a patched version. Failure to address this vulnerability could lead to system compromise and unauthorized code execution, posing a significant security risk. The advisory provides links to CVE information and version history for further details.
What to do next
- Update Langflow to version 1.9.0 or later
- Apply available mitigation measures if updating is not immediately possible
Source document (simplified)
[WID-SEC-2026-0804] Langflow: Vulnerability allows code execution
- CVSS Base Score: 9.9 (critical)
- CVSS Temporal Score: 8.9 (high)
- Remote attack: yes
- Date: 19.03.2026
- Last updated: 20.03.2026
- Mitigation: yes
Affected systems
Operating system
- Linux
- Other
- UNIX
- Windows
Product description
Langflow provides a visual interface for building LLM-based applications.
Products
19.03.2026
- Open Source Langflow <1.9.0
Attack
A remote, authenticated attacker can exploit a vulnerability in Langflow to execute arbitrary code.