Vulnerability  ·  2026-07-18

IBM Langflow OSS Unauthenticated RCE via Incomplete Denylist on Public Flow Build Endpoint (CVE-2026-13448)

VulnerabilityHigh impactGlobalCVE-2026-13448
IBM Langflow OSS 1.0.0 through 1.10.1 contains an unauthenticated remote code execution vulnerability in the public flow build endpoint (/api/v1/build_public_tmp/{flow_id}/flow). The vulnerability stems from an incomplete denylist in the validate_public_flow_no_code_execution() function, meaning the endpoint (previously the target of the actively-exploited, KEV-listed CVE-2026-33017) still permits certain attacker-supplied code patterns to reach exec() without authentication. Published to NVD 2026-07-17, CVSS 8.1 (High).
This same endpoint class was the subject of CVE-2026-33017, which CISA added to KEV after attackers weaponized the advisory within 20 hours of disclosure and used it to harvest LLM provider API keys, AWS/cloud credentials, and deploy droppers on compromised instances. That the fix's denylist is incomplete means the same unauthenticated RCE class persists on a platform integrated directly into LLM provider APIs, internal databases, and cloud accounts across a huge population of AI agent deployments.
Unauthenticated POST to /api/v1/build_public_tmp/{flow_id}/flow with crafted flow data containing code that evades the validate_public_flow_no_code_execution() denylist, reaching unsandboxed exec()
IBM Langflow OSS 1.0.0 through 1.10.1
Apply IBM's fix beyond 1.10.1; restrict/remove public flow exposure where possible; see IBM Support bulletin
IBM Support — Security Bulletin CVE-2026-13448NVD CVE-2026-13448
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →