Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-9135— Policies Component Dynamic CodeInput Fields Bypass Custom Component Validation

CVSS 9.9 · Critical

Affected Version Matrix 1

VendorProductVersion RangeStatus
IBMLangflow OSS1.0.0≤ 1.10.0affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-9135

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Policies Component Dynamic CodeInput Fields Bypass Custom Component Validation
Source: NVD (National Vulnerability Database)
Vulnerability Description
IBM Langflow OSS 1.0.0 through 1.10.0 Langflow versions up to 1.9.2 (commit 94981c443d4918517b9e8163d70fc598dc33a32d) contain a code injection vulnerability in the Policies component's ToolGuard integration that bypasses the allow_custom_components=false security control. The vulnerability exists because the validation mechanism only checks the main component source code in node_template["code"]["value"] but fails to validate dynamic CodeInput fields that store generated ToolGuard Python files. Attackers can embed malicious Python code in these unvalidated dynamic fields, which are persisted in Flow.data and later executed server-side when a guarded tool is invoked through the ToolGuard runtime. This allows authenticated users with flow creation privileges to achieve arbitrary Python code execution on the backend despite custom component restrictions. The vulnerability can be escalated through cross-tenant flow manipulation via the agentic MCP update_flow_component_field tool, which accepts attacker-controlled user_id parameters, enabling attackers to inject malicious code into victim users' flows. When combined with publicly accessible flows and specific misconfigurations (AUTO_LOGIN=true, NEW_USER_IS_ACTIVE=true), the attack can be conducted with reduced authentication requirements.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
对生成代码的控制不恰当(代码注入)
Source: NVD (National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
IBMLangflow OSS 1.0.0 ~ 1.10.0 cpe:2.3:a:ibm:langflow_oss:1.0.0:*:*:*:*:*:*:*

II. Public POCs for CVE-2026-9135

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-9135

登录查看更多情报信息。

Other References for CVE-2026-9135 (1)

Same Patch Batch · IBM · 2026-07-17 · 34 CVEs total

CVE-2026-88599.9 CRITICALPath Traversal in APIRequest Component via Content-Disposition Header
CVE-2026-86359.9 CRITICALArbitrary Code Execution in Python Interpreter Component
CVE-2026-84819.9 CRITICALRemote Code Execution via Code Validation Endpoint
CVE-2026-84769.9 CRITICALDisk Cache Deserialization Remote Code Execution Vulnerability
CVE-2026-134469.8 CRITICALLangflow is affected by remote code execution, denial of service, path traversal, and expo
CVE-2026-92029.8 CRITICALUnauthenticated User Registration Could Lead to Remote Code Execution
CVE-2026-91989.8 CRITICALUnauthenticated Remote Code Execution via Auto-Login Bypass and Code Validation
CVE-2026-91039.8 CRITICALUnauthenticated Superuser Token Issuance via Auto-Login Endpoint
CVE-2026-85059.8 CRITICALAuthentication Bypass in Webhook Endpoints Allowed Unauthorized Flow Execution
CVE-2026-150919.3 CRITICALMultiple Vulnerabilities in IBM Engineering AI hub.
CVE-2026-76678.8 HIGHPath Traversal Vulnerability in API Request Component Content-Disposition Header Processin
CVE-2026-80568.8 HIGHParameter Injection Vulnerability in API Graph Execution Engine
CVE-2026-77558.8 HIGHMCP Server Configuration Validator Bypass via File Upload API
CVE-2026-144998.8 HIGHLangflow is affected by remote code execution, denial of service, path traversal, and expo
CVE-2026-134458.1 HIGHLangflow is affected by remote code execution, denial of service, path traversal, and expo
CVE-2026-134488.1 HIGHLangflow is affected by remote code execution, denial of service, path traversal, and expo
CVE-2026-134738.1 HIGHIBM Storage Protect Client is vulnerable to Heap-Based Buffer Overflow
CVE-2026-97627.8 HIGHIBM® Data Server driver for JDBC and SQLJ is vulnerable to remote code execution when jdbc
CVE-2026-77547.7 HIGHSSRF Protection Configuration Vulnerability
CVE-2026-78727.5 HIGHPath Traversal Vulnerability in File Component Leading to Arbitrary File Read and Authenti

Showing top 20 of 34 CVEs. View all on vendor page → →

IV. Related Vulnerabilities

V. Comments for CVE-2026-9135

No comments yet


Leave a comment