What happened
Prior to Langflow 1.9.2, the 'Shareable Playground' (Public Flows) feature allows unauthenticated users to execute workflows by calling /api/v1/run/{flow_id}/public with a public flow's ID. Because flows can contain arbitrary Python code execution nodes (e.g., Python Code component), any unauthenticated internet-accessible request that triggers such a flow achieves remote code execution on the server. The NVD seed confirms CVSS 9.6 Critical, published 2026-06-23.
Why it matters
Langflow is widely deployed for building production AI agent pipelines. A public-facing Langflow instance with any shared flow becomes immediately exploitable for RCE without any credentials — an attacker can exfiltrate model secrets, API keys, training data, and pivot to the underlying AI infrastructure. VentureBeat confirmed ~7,000 Langflow servers were actively under attack in the same disclosure window.
Attack vector
Unauthenticated HTTP POST to /api/v1/run/{flow_id}/public triggers execution of attacker-influenced flow nodes, including arbitrary Python code components.
Affected systems
Langflow < 1.9.2
Mitigation
Upgrade to Langflow 1.9.2+. Disable public/shared flows if upgrade is not immediately possible. Advisory: https://github.com/langflow-ai/langflow/security/advisories/GHSA-v5ff-9q35-q26f
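As an added example (not part of the advisory or the Langflow project), the following Python snippet shows two defender-side checks for this issue: flagging successful unauthenticated POSTs to the public run endpoint in web-server access logs, and testing a reported Langflow version against the 1.9.2 fix. The combined-log-format lines, the flow ID and the client addresses are constructed sample data.

```python
import re
from collections import Counter

# Fixed release from the advisory: Langflow < 1.9.2 is affected.
FIXED_VERSION = (1, 9, 2)

# Endpoint named in the advisory; flow_id is whatever sits between /run/ and /public.
PUBLIC_RUN_RE = re.compile(r"^/api/v1/run/(?P<flow_id>[^/?]+)/public/?(?:\?.*)?$")

# Apache/nginx combined log format (assumed for the reverse proxy in front of Langflow).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: two successful public runs, one unrelated 401, one 404,
# and one authenticated (non-public) run that must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Jun/2026:10:00:01 +0000] "POST /api/v1/run/6f1c2a3b-0000-4000-8000-000000000001/public HTTP/1.1" 200 512
203.0.113.5 - - [23/Jun/2026:10:00:02 +0000] "POST /api/v1/run/6f1c2a3b-0000-4000-8000-000000000001/public HTTP/1.1" 200 498
198.51.100.7 - - [23/Jun/2026:10:00:03 +0000] "GET /api/v1/flows/ HTTP/1.1" 401 0
198.51.100.7 - - [23/Jun/2026:10:00:04 +0000] "POST /api/v1/run/6f1c2a3b-0000-4000-8000-000000000001/public HTTP/1.1" 404 0
10.0.0.12 - - [23/Jun/2026:10:00:05 +0000] "POST /api/v1/run/6f1c2a3b-0000-4000-8000-000000000001 HTTP/1.1" 200 600
"""


def parse_version(version: str) -> tuple:
    """Turn '1.9.1' (or '1.9') into a comparable 3-tuple, padding missing parts with 0."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version: str) -> bool:
    """True when the reported Langflow version predates the 1.9.2 fix."""
    return parse_version(version) < FIXED_VERSION


def public_run_events(log_lines):
    """Yield (client_ip, flow_id, status) for every POST to the public run endpoint."""
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        p = PUBLIC_RUN_RE.match(m["path"])
        if p:
            yield m["ip"], p["flow_id"], int(m["status"])


def summarize(log_lines) -> Counter:
    """Count successful (2xx) public-flow executions per (client_ip, flow_id)."""
    counts = Counter()
    for ip, flow_id, status in public_run_events(log_lines):
        if 200 <= status < 300:
            counts[(ip, flow_id)] += 1
    return counts
```

Any non-zero count from summarize() on an instance that has not disabled shared flows or upgraded past 1.9.2 is worth treating as a potential code-execution event, since the executed flow may contain a Python Code component.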