CVE-2026-8481
CRITICAL
NVD
CVSS Score
9.9
Severity
CRITICAL
Published
Jul 17, 2026
Vendor
unknown
Description
IBM Langflow OSS 1.0.0 through 1.10.0 contain a critical remote code execution vulnerability in the code validation API endpoint. The POST /api/v1/validate/code endpoint accepts user-supplied Python code and executes it directly using Python's built-in exec() function without sandboxing, input validation, or privilege restrictions, enabling any authenticated user to execute arbitrary system commands with the full privileges of the Langflow server process.