High severity8.8NVD Advisory· Published Apr 29, 2026· Updated Apr 30, 2026

CVE-2026-7466

Description

AgentFlow contains an arbitrary code execution vulnerability that allows attackers to execute local Python pipeline files by supplying a user-controlled pipeline_path parameter to the POST /api/runs and POST /api/runs/validate endpoints. Attackers can induce requests to the local AgentFlow API to load and execute existing Python pipeline files on disk, resulting in code execution in the context of the user running AgentFlow.

Affected products

Berabuddies/Agentflowreferences

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/berabuddies/agentflow/pull/18nvd
github.com/berabuddies/agentflow/pull/18/changes/7e61b6ce846b3d700456e4874394dc868905a9f2nvd
www.vulncheck.com/advisories/agentflow-arbitrary-python-pipeline-execution-via-pipeline-pathnvd

News mentions

No linked articles in our index yet.

cvss	0.572
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000