What happened
A vulnerability in langflow-ai/langflow up to version 1.9.3 allows code injection via the Bundle URL Loader component. The attack requires local access. The vendor did not respond to responsible disclosure. CVSS 5.3 Medium; published 2026-06-22. A PoC writeup is available on GitHub.
Why it matters
Langflow is a widely deployed visual LLM workflow builder. The Bundle URL Loader is used to load custom components at startup. Code injection here means a malicious bundle URL (e.g., embedded in a shared Langflow configuration or flow file) can execute arbitrary code in the Langflow process at startup, compromising the entire AI pipeline and any credentials or API keys loaded in the environment.
Attack vector
Local attacker (or remote attacker who can influence Langflow configuration) supplies a malicious bundle URL to the Bundle URL Loader, achieving code injection at startup.
Affected systems
langflow-ai/langflow ≤ 1.9.3
Mitigation
Upgrade Langflow to a release later than 1.9.3 once one that addresses this issue is available; until then, restrict who can modify Langflow's configuration and treat bundle URLs arriving in shared configurations or flow files as untrusted input. NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-12822; PoC: https://github.com/dxz0069/softwareoverflow/blob/main/langflow_bundle_url_custom_component_startup_rce_vulndb.md
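One defensive check a deployment can run before starting Langflow, added here as an example and not Langflow's own code: audit every configured bundle URL against an operator-maintained allowlist so that an unexpected URL in a shared configuration is refused rather than loaded. It assumes the bundle URLs arrive as a comma-separated list in an environment variable named LANGFLOW_BUNDLE_URLS (assumed name) and uses a constructed allowlist host.

```python
# Added example (not Langflow's own code): pre-flight audit of Bundle URL
# Loader entries before Langflow starts, so an unexpected bundle URL in a
# shared configuration or flow file is refused instead of executed.
# Assumptions: bundle URLs are supplied as a comma-separated list in the
# LANGFLOW_BUNDLE_URLS environment variable (assumed name), and the
# allowlist of trusted hosts is maintained by the operator.
import os
from urllib.parse import urlsplit

TRUSTED_HOSTS = {"bundles.example.internal"}  # constructed allowlist


def check_bundle_url(url: str, trusted_hosts=TRUSTED_HOSTS):
    """Return None if the URL is acceptable, otherwise the reason to reject it."""
    u = urlsplit(url.strip())
    if u.scheme != "https":
        return "scheme is not https"
    if u.username or u.password:
        # user@host forms can disguise the real host; refuse them outright
        return "userinfo in URL"
    host = (u.hostname or "").lower()
    if host not in trusted_hosts:
        return f"host {host!r} not in allowlist"
    return None


def audit_bundle_urls(raw: str, trusted_hosts=TRUSTED_HOSTS):
    """Map each rejected URL to its reason; an empty dict means all passed."""
    rejected = {}
    for url in (s for s in raw.split(",") if s.strip()):
        reason = check_bundle_url(url, trusted_hosts)
        if reason:
            rejected[url.strip()] = reason
    return rejected


if __name__ == "__main__":
    # Constructed sample: one trusted bundle and two that must be refused.
    sample = ("https://bundles.example.internal/team/components.zip,"
              "http://bundles.example.internal/legacy.zip,"
              "https://attacker.example/evil.zip")
    problems = audit_bundle_urls(os.environ.get("LANGFLOW_BUNDLE_URLS", sample))
    for url, why in problems.items():
        print(f"REFUSE {url}: {why}")
    # Non-zero exit lets a startup wrapper abort before Langflow loads bundles.
    raise SystemExit(1 if problems else 0)
```

Run it as a pre-start step in the service wrapper; a non-zero exit means at least one configured bundle URL was not on the allowlist.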