{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/langflow-oss--1.10.0/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-9198"},{"cvss":9.8,"id":"CVE-2026-9202"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Langflow OSS (1.0.0 - 1.10.0)","Langflow OSS \u003c= 1.10.0"],"_cs_severities":["critical"],"_cs_tags":["remote-code-execution","api-exploitation","unauthenticated-access","code-injection","web-vulnerability","ai-llm"],"_cs_type":"advisory","_cs_vendors":["IBM"],"content_html":"\u003cp\u003eIBM Langflow OSS, an open-source framework for building and deploying AI/LLM applications, contains a critical vulnerability (CVE-2026-9198) affecting versions 1.0.0 through 1.10.0. This flaw allows unauthenticated attackers to achieve full Remote Code Execution (RCE) on default installations. The exploitation involves a two-step chaining process: first, an attacker leverages the \u003ccode\u003e/api/v1/auto_login\u003c/code\u003e endpoint to obtain SUPERUSER tokens without authentication; second, these tokens are then used to invoke the \u003ccode\u003e/api/v1/validate/code\u003c/code\u003e endpoint, which insecurely executes arbitrary user-provided code using Python's \u003ccode\u003eexec()\u003c/code\u003e function. This vulnerability bypasses authentication, granting an attacker complete control over the compromised Langflow instance and its underlying system, posing a severe risk to data integrity, confidentiality, and system availability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance:\u003c/strong\u003e An attacker identifies an internet-facing IBM Langflow OSS instance vulnerable to CVE-2026-9198.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnauthenticated Token Minting:\u003c/strong\u003e The attacker sends an unauthenticated HTTP request to the \u003ccode\u003e/api/v1/auto_login\u003c/code\u003e endpoint on the vulnerable Langflow server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSUPERUSER Token Acquisition:\u003c/strong\u003e Due to the vulnerability, the Langflow server issues a SUPERUSER authentication token to the unauthenticated attacker.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Code Crafting:\u003c/strong\u003e The attacker prepares a malicious Python code payload designed to execute arbitrary commands on the target system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthenticated Code Execution Request:\u003c/strong\u003e Using the newly acquired SUPERUSER token for authentication, the attacker sends an HTTP POST request to the \u003ccode\u003e/api/v1/validate/code\u003c/code\u003e endpoint. The malicious Python code payload is embedded within this request, likely in the request body or specific query parameters.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCode Injection and Execution:\u003c/strong\u003e The \u003ccode\u003e/api/v1/validate/code\u003c/code\u003e endpoint, lacking proper input validation and sanitization, directly executes the provided Python code using the \u003ccode\u003eexec()\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRemote Code Execution:\u003c/strong\u003e The attacker's arbitrary commands are executed on the underlying operating system, resulting in full Remote Code Execution (RCE).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePost-Exploitation:\u003c/strong\u003e The attacker gains complete control over the Langflow server, potentially leading to data exfiltration, system compromise, or further lateral movement within the victim's network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-9198 leads to immediate and complete compromise of the affected IBM Langflow OSS instance. This allows unauthenticated attackers to execute arbitrary code on the server, granting them full control over the system. The impact includes severe data breaches, disruption of services, and the ability for attackers to establish persistence or pivot to other systems within the network. Since Langflow instances can manage critical AI/LLM workflows and sensitive data, the compromise could expose proprietary models, training data, and intellectual property, leading to significant financial and reputational damage for affected organizations. The vulnerability affects all default deployments of Langflow OSS versions 1.0.0 through 1.10.0.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-9198:\u003c/strong\u003e Immediately apply patches or upgrade IBM Langflow OSS to a version beyond 1.10.0 that addresses CVE-2026-9198. Refer to the IBM security advisory at \u003ccode\u003ehttps://www.ibm.com/support/pages/node/7278927\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy the Sigma rule:\u003c/strong\u003e Deploy the provided Sigma rule \u003ccode\u003eDetects CVE-2026-9198 Exploitation - Langflow OSS RCE Attempt\u003c/code\u003e to your SIEM and tune for your environment to detect suspicious activity related to the \u003ccode\u003e/api/v1/validate/code\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEnable webserver logging:\u003c/strong\u003e Ensure comprehensive webserver logging is enabled, capturing \u003ccode\u003ecs-uri-stem\u003c/code\u003e, \u003ccode\u003ecs-uri-query\u003c/code\u003e, \u003ccode\u003ecs-method\u003c/code\u003e, and ideally, relevant portions of POST request bodies, to activate and enhance the effectiveness of the detection rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-17T18:19:09Z","date_published":"2026-07-17T18:18:35Z","id":"https://feed.craftedsignal.io/briefs/2026-07-ibm-langflow-oss-rce/","summary":"Unauthenticated attackers can achieve Remote Code Execution (RCE) on default IBM Langflow OSS deployments, versions 1.0.0 through 1.10.0, by chaining access to the `/api/v1/auto_login` endpoint, which mints SUPERUSER tokens, with the `/api/v1/validate/code` endpoint, which executes user-supplied code via `exec()`.","title":"IBM Langflow OSS Unauthenticated Remote Code Execution via Chained API Endpoints (CVE-2026-9198)","url":"https://feed.craftedsignal.io/briefs/2026-07-ibm-langflow-oss-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Langflow OSS \u003c= 1.10.0","version":"https://jsonfeed.org/version/1.1"}