CVE-2026-0771 HIGH

CVE-2026-0771: Langflow PythonFunction Code Injection Remote Code Execution Vulnerability

Vendor: Langflow
Product: Langflow
Weakness: CWE-94 · Code injection
Published: January 23, 2026
Last update: February 26, 2026

CVSS base score

7.1/10
Attack vector: Network
Attack complexity: High
Privileges required: Low
User interaction: Required
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

Description

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Attack vectors and exploitability will vary depending on the configuration of the product. The specific flaw exists within the handling of Python function components. Depending upon product configuration, an attacker may be able to introduce custom Python code into a workflow. An attacker can leverage this vulnerability to execute code in the context of the application. Previously tracked as ZDI-CAN-27497.

Key dates

Disclosure timeline

January 23, 2026: CVE published
February 26, 2026: Record updated