langflow-ai langflow Bundle URL Loader code injection
Description
A vulnerability was identified in langflow-ai langflow up to 1.9.3. This affects an unknown function of the component Bundle URL Loader. The manipulation leads to code injection. The attack needs to be performed locally. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- (no CPE) range: <=1.9.3
- (no CPE) range: <=1.9.3
Patches
Vulnerability mechanics
Root cause
"Langflow imports and executes Python code from remote custom component bundles without trust verification or sandboxing."
Attack vector
An attacker who can influence bundle URLs or a deployment template can supply a malicious remote archive containing a Python custom component. The Langflow server fetches the bundle, places the component on its search path, and imports the Python code during startup or bundle processing, which executes arbitrary module-level code [ref_id=1]. This is code injection via untrusted code loading, corresponding to CWE-94 and CWE-829 [ref_id=1]. The CVE description classifies the attack as local, but the researcher notes that the CVSS network vector suggests remote exploitation may be possible if bundle URLs can be configured by a low-privileged user [ref_id=1].
Affected code
The vulnerability resides in Langflow's bundle URL loading mechanism and custom component discovery/import path. When a bundle URL is fetched, custom component files inside the archive are placed on component search paths and their Python code is imported during startup without any trust boundary or signature verification [ref_id=1].
What the fix does
No patch is available; the vendor did not respond to the disclosure [ref_id=1]. The researcher recommends not auto-importing remote custom component code, requiring explicit trust approval, signatures or allowlists, sandboxing component loading, and disabling remote bundle URLs by default in production [ref_id=1].
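As an added illustration of the recommended controls (remote bundles off by default, an explicit allowlist, and an integrity check before any component reaches the import path), the following is a hypothetical loader gate written for this page; it is not Langflow's code and not from the advisory. The names `BundlePolicy`, `check_bundle`, `make_archive` and `demo`, the pinned-digest scheme, and the sample URL and archive contents are all assumptions; the gate only vets a fetched archive and never imports anything from it.

```python
import hashlib, hmac, io, zipfile
from dataclasses import dataclass, field
from urllib.parse import urlparse

@dataclass
class BundlePolicy:
    allow_remote: bool = False                  # production default: remote bundles off
    pinned: dict = field(default_factory=dict)  # url -> expected SHA-256 hex digest

class BundleRejected(Exception):
    pass

def check_bundle(url, archive, policy) -> list[str]:
    """Vet a fetched bundle before anything is imported; return its .py members."""
    if urlparse(url).scheme in ("http", "https") and not policy.allow_remote:
        raise BundleRejected("remote bundle URLs are disabled")
    expected = policy.pinned.get(url)
    if expected is None:
        raise BundleRejected("bundle URL is not on the allowlist")
    if not hmac.compare_digest(hashlib.sha256(archive).hexdigest(), expected):
        raise BundleRejected("archive digest does not match the pinned value")
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        names = zf.namelist()
    if any(n.startswith("/") or ".." in n.split("/") for n in names):
        raise BundleRejected("unsafe member path in archive")
    return [n for n in names if n.endswith(".py")]

def make_archive(files: dict) -> bytes:
    """Build a constructed in-memory zip bundle (test fixture, not real data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, src in files.items():
            zf.writestr(name, src)
    return buf.getvalue()

def demo() -> dict:
    """Run the gate over three constructed cases and return each outcome."""
    url = "https://bundles.example.invalid/components.zip"   # constructed URL
    good = make_archive({"components/hello.py": "GREETING = 'hi'\n"})
    swapped = make_archive({"components/hello.py": "GREETING = 'bye'\n"})
    pinned = BundlePolicy(allow_remote=True, pinned={url: hashlib.sha256(good).hexdigest()})
    out = {}
    for case, pol, arc in (("default", BundlePolicy(), good), ("pinned", pinned, good),
                           ("swapped", pinned, swapped)):
        try:
            out[case] = check_bundle(url, arc, pol)
        except BundleRejected as exc:
            out[case] = str(exc)
    return out
```

With the default policy the remote bundle is refused outright; with the URL pinned, only an archive whose bytes match the recorded digest yields a member list, so a swapped archive at the same URL is rejected before any code is placed on the search path.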
Preconditions
- (config) Ability to influence bundle URLs or a deployment template
- (config) The Langflow server must be configured to load bundle URLs
- (input) No signature verification or trust boundary is enforced on fetched bundles
Generated on Jun 22, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- vuldb.com/cve/CVE-2026-12822 (mitre, third-party-advisory)
- vuldb.com/submit/837582 (mitre, third-party-advisory)
- github.com/dxz0069/softwareoverflow/blob/main/langflow_bundle_url_custom_component_startup_rce_vulndb.md (mitre, related)
- vuldb.com/vuln/372612 (mitre, vdb-entry)
- vuldb.com/vuln/372612/cti (mitre, signature, permissions-required)
News mentions
No linked articles in our index yet.