High severity · OSV Advisory · Published Jan 23, 2026 · Updated Feb 26, 2026
Langflow exec_globals Inclusion of Functionality from Untrusted Control Sphere Remote Code Execution Vulnerability
CVE-2026-0770
Description
Langflow exec_globals Inclusion of Functionality from Untrusted Control Sphere Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the handling of the exec_globals parameter provided to the validate endpoint. The issue results from the inclusion of a resource from an untrusted control sphere. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27325.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| langflow (PyPI) | <= 1.7.3 | — |
Affected products
- Range: 1.1.2, 1.1.3, 1.1.4, …
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-g22f-v6f7-2hrh (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-0770 (ghsa, ADVISORY)
- www.zerodayinitiative.com/advisories/ZDI-26-036/ (mitre, x_research-advisory)
- www.zerodayinitiative.com/advisories/ZDI-26-036 (ghsa, WEB)