### Critical Vulnerability Information

- **CVE ID**: CVE-2026-0772
- **CVSS Score**: 7.5, AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
- **Affected Vendors**: Langflow
- **Affected Products**: Langflow
- **Vulnerability Details**:
  - **Description**: This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is required to exploit this vulnerability.
  - **Cause**: The specific flaw exists within the disk cache service due to the lack of proper validation of user-supplied data, leading to deserialization of untrusted data.
  - **Impact**: An attacker can leverage this vulnerability to execute code in the context of the service account.
  - **Mitigation**: The only salient mitigation strategy is to restrict interaction with the product.
- **Additional Details**:
  - 08/21/25 - ZDI submitted the report to the vendor's GitHub account
  - 09/15/25 - ZDI asked for updates
  - 09/24/25 - ZDI asked for the fix
  - 12/10/25 - ZDI notified the vendor of the intention to publish the case as a 0-day advisory
- **Disclosure Timeline**:
  - 2025-08-21 - Vulnerability reported to vendor
  - 2026-01-09 - Coordinated public release of advisory
  - 2026-01-09 - Advisory Updated
- **Credit**: Peter Girnus (@gothburz), Brandon Niemczyk of Trend Zero Day Initiative
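The root cause above is a disk cache that deserializes data it did not itself produce without validating it first. The following is an added example, not Langflow's code and not taken from the advisory; it assumes a Python disk cache that previously handed raw bytes to a general-purpose deserializer (the advisory does not name the library involved). It shows the two defensive patterns a reviewer would ask for: an unpickler that refuses every global lookup, so an entry can carry only primitive containers, and, preferably, a data-only JSON format whose entries are authenticated with an HMAC under a server-side secret and shape-checked before use. Names such as `seal_entry`, `open_entry` and the sample secret are constructed for the example.

```python
# Added example (not Langflow's code): defensive handling of disk-cache
# entries that a lower-privileged or untrusted party may have written.
# ASSUMPTION: a Python cache that used to pass raw bytes to a general-purpose
# deserializer; the advisory does not say which library Langflow uses.
import hashlib
import hmac
import io
import json
import pickle
from collections import OrderedDict


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup.

    Any pickle that references a class or function triggers find_class;
    ints, strings, lists and dicts never do, so only plain data gets through.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global lookup forbidden: {module}.{name}")


def restricted_loads(data: bytes):
    """Deserialize a pickle that may contain only primitive containers."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


# Preferred approach: a data-only format (JSON) plus an authentication tag, so
# an entry written by anyone without the server secret is rejected before it
# is parsed at all.
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def seal_entry(key: bytes, value) -> bytes:
    """Serialize value as canonical JSON and prepend an HMAC-SHA256 tag."""
    body = json.dumps(value, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return tag + body


def open_entry(key: bytes, blob: bytes, expected_keys=None):
    """Verify the tag, parse the JSON body, then check its shape."""
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("cache entry failed authentication")
    value = json.loads(body)
    # Validate structure only after the tag checks out: exactly the keys the
    # cache expects, nothing else.
    if expected_keys is not None:
        if not isinstance(value, dict) or set(value) != set(expected_keys):
            raise ValueError("cache entry has unexpected shape")
    return value


def demo() -> dict:
    """Exercise both guards and report which checks fired."""
    results = {}
    results["plain_data_ok"] = restricted_loads(pickle.dumps({"a": [1, 2]})) == {"a": [1, 2]}
    try:
        # OrderedDict pickles with a reference to collections.OrderedDict,
        # which the restricted unpickler refuses to resolve.
        restricted_loads(pickle.dumps(OrderedDict(x=1)))
        results["global_refused"] = False
    except pickle.UnpicklingError:
        results["global_refused"] = True
    key = b"server-secret-from-config"  # constructed sample secret
    blob = seal_entry(key, {"flow_id": "abc", "result": [1, 2, 3]})
    results["roundtrip"] = open_entry(key, blob, expected_keys=("flow_id", "result"))
    tampered = blob[:-1] + bytes([blob[-1] ^ 0x01])  # flip one bit of the body
    try:
        open_entry(key, tampered)
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The restricted unpickler is the stop-gap for a cache that must keep reading existing pickle files; the sealed JSON entry is the design to migrate to, because it removes the deserializer's ability to instantiate objects at all and rejects entries that were not produced by the service before any parsing happens.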