Vulnerability  ·  2026-07-18

IBM Langflow OSS ToolGuard Policy Bypass Enables Code Injection (CVE-2026-9135)

VulnerabilityHigh impactGlobalCVE-2026-9135
IBM Langflow OSS versions 1.0.0 through 1.10.0 (up to commit 94981c443d4918517b9e8163d70fc598dc33a32d, prior to 1.9.2) contain a code injection vulnerability in the Policies component's ToolGuard integration that bypasses the allow_custom_components=false security control, which administrators use to disable execution of custom Python components in controlled deployments. NVD published this CVE on 2026-07-17 with CVSS 9.9 (Critical).
Langflow is one of the most widely deployed open-source AI agent/workflow-building platforms (145,000+ GitHub stars) and has a documented history of actively-exploited unauthenticated RCE (CVE-2025-3248, CVE-2026-33017, both added to CISA KEV and exploited by botnets within hours of disclosure). This new flaw defeats the specific hardening control (LANGFLOW_ALLOW_CUSTOM_COMPONENTS) administrators use to prevent exactly this class of code-execution attack, meaning organizations that believed they had mitigated prior Langflow RCE risk via this control remain exposed.
Abuse of the Policies/ToolGuard component to inject and execute code despite allow_custom_components=false being set, bypassing the intended custom-component execution block
IBM Langflow OSS 1.0.0 through 1.10.0 (up to 1.9.2)
Upgrade to a patched Langflow OSS release beyond 1.10.0/commit 94981c4; see IBM advisory
IBM Support — Security Bulletin CVE-2026-9135NVD CVE-2026-9135
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →