High severity · OSV Advisory · Published Jan 23, 2026 · Updated Feb 26, 2026
Langflow exec_globals Inclusion of Functionality from Untrusted Control Sphere Remote Code Execution Vulnerability
CVE-2026-0770
Description
Langflow exec_globals Inclusion of Functionality from Untrusted Control Sphere Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the handling of the exec_globals parameter provided to the validate endpoint. The issue results from the inclusion of a resource from an untrusted control sphere. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27325.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| langflow (PyPI) | <= 1.7.3 | — |
Affected products
- Range: 1.1.2, 1.1.3, 1.1.4, …
References
- github.com/advisories/GHSA-g22f-v6f7-2hrh (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-0770 (ghsa, ADVISORY)
- www.zerodayinitiative.com/advisories/ZDI-26-036/ (mitre, x_research-advisory)
- www.zerodayinitiative.com/advisories/ZDI-26-036 (ghsa, WEB)
News mentions
- Path traversal flaw in AI dev platform Langflow exploited in attacks · BleepingComputer · Jun 10, 2026
- Langflow Vulnerability CVE-2026-5027 Exploited for Unauthenticated RCE · The Hacker News · Jun 10, 2026