CVE-2026-7466 HIGH

CVE-2026-7466: AgentFlow Arbitrary Python Pipeline Execution via pipeline_path

Vendor Berabuddies
Product AgentFlow
Weakness CWE-94 · Code injection
Published April 29, 2026
Last update April 30, 2026

CVSS base score

7.7/10
Attack vector Network
Attack complexity Low
Attack requirements Present
Privileges required None
User interaction Passive
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

Description

AgentFlow contains an arbitrary code execution vulnerability in the POST /api/runs and POST /api/runs/validate endpoints. Both accept a user-controlled pipeline_path parameter and load and execute the Python pipeline file it names, with no restriction on where on disk that file may live; the validate endpoint executes the file as well, not just the run endpoint. An attacker who can induce a request to the local AgentFlow API can therefore make it load and execute any existing Python file on the host, gaining code execution in the context of the user running AgentFlow. The attacker does not need to upload code: the primitive is the execution of a Python file that is already present on disk.
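The following is an added example written for this page, not AgentFlow's own code. It reconstructs the CWE-94 pattern the advisory describes (a request-supplied path that is imported and executed as Python) next to a hardened resolver that treats the request value as a bare pipeline name confined to one directory, and an origin check for the induced-request channel. Only the parameter name pipeline_path and the endpoint behaviour come from the advisory; the function names, the pipelines directory, the allowlisted origins and the X-AgentFlow-Client header are assumptions made for the example.

```python
"""
Illustration of the CWE-94 pattern behind CVE-2026-7466 and one way to close it.
Example code written for this page; it is not AgentFlow's code. Every function,
header and directory name below is an assumption made for the illustration.
"""
import importlib.util
import tempfile
from pathlib import Path
from types import ModuleType


def load_pipeline_unsafely(pipeline_path: str) -> ModuleType:
    """Vulnerable pattern: execute whichever .py file the request names.

    The value comes straight from the POST body, so whoever can reach the API
    (directly, or by inducing the user's browser to send the request) picks any
    existing Python file on disk and it runs as the AgentFlow user.
    """
    spec = importlib.util.spec_from_file_location("agentflow_pipeline", pipeline_path)
    if spec is None or spec.loader is None:
        raise ImportError(f"cannot load {pipeline_path!r} as a module")
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)  # the file's top-level code runs here
    return module


def resolve_pipeline(pipeline_name: str, pipelines_root: Path) -> Path:
    """Hardened pattern: accept a bare file name and confine it to one directory.

    - the value must be a plain name (no separators, no traversal, not hidden)
    - it must end in .py so unrelated files cannot be selected
    - the resolved path must stay inside pipelines_root, symlinks included
    """
    if not pipeline_name or pipeline_name != Path(pipeline_name).name:
        raise ValueError("pipeline_name must be a bare file name")
    if pipeline_name.startswith(".") or not pipeline_name.endswith(".py"):
        raise ValueError("pipeline_name must be a visible .py file")
    root = pipelines_root.resolve()
    candidate = (root / pipeline_name).resolve()
    if candidate.parent != root:  # a symlink pointed outside the allowed directory
        raise ValueError("pipeline resolves outside the pipelines directory")
    if not candidate.is_file():
        raise FileNotFoundError(pipeline_name)
    return candidate


def pipeline_is_accepted(pipeline_name: str, pipelines_root: Path) -> bool:
    """True if the hardened resolver would run this name, False if it rejects it."""
    try:
        resolve_pipeline(pipeline_name, pipelines_root)
    except (ValueError, FileNotFoundError):
        return False
    return True


# Assumed allowlist for the local UI; a real deployment would take it from config.
ALLOWED_ORIGINS = frozenset({"http://127.0.0.1:8000", "http://localhost:8000"})
CLIENT_HEADER = "x-agentflow-client"  # assumed custom header sent by non-browser clients


def request_is_trusted(headers: dict) -> bool:
    """Reject requests that a third-party web page induced the user's browser to send.

    Browsers attach Origin to cross-site POSTs and will not add a custom header
    without a CORS preflight the server never approves, so requiring either an
    allowlisted Origin or the custom header closes the induced-request channel.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    origin = lowered.get("origin")
    if origin is not None:
        return origin in ALLOWED_ORIGINS
    return CLIENT_HEADER in lowered


def demo() -> dict:
    """Build a constructed pipelines directory and exercise both patterns."""
    root = Path(tempfile.mkdtemp(prefix="agentflow-demo-"))
    (root / "good.py").write_text("MARKER = 'pipeline executed'\n")  # constructed sample
    outside = root.parent / f"{root.name}-outside.py"  # a file outside the pipelines dir
    outside.write_text("MARKER = 'attacker-chosen file executed'\n")  # constructed sample
    try:
        return {
            "unsafe_runs_any_file": load_pipeline_unsafely(str(outside)).MARKER,
            "hardened_accepts_good": pipeline_is_accepted("good.py", root),
            "hardened_rejects_absolute": pipeline_is_accepted(str(outside), root),
            "hardened_rejects_traversal": pipeline_is_accepted(f"../{outside.name}", root),
            "hardened_rejects_non_py": pipeline_is_accepted("good.txt", root),
            "induced_request_trusted": request_is_trusted({"Origin": "https://attacker.example"}),
            "same_origin_trusted": request_is_trusted({"Origin": "http://127.0.0.1:8000"}),
        }
    finally:
        outside.unlink()
        (root / "good.py").unlink()
        root.rmdir()


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two halves address different parts of the advisory: the resolver removes the code-injection primitive (a request can no longer name an arbitrary file), and the origin check removes the "induce a request to the local API" channel, which matters because a server bound to localhost is still reachable from any web page the user happens to open. The advisory does not state how requests are induced in practice; the browser-based reading is an assumption of this example.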

Key dates

Disclosure timeline

April 29, 2026 CVE published
April 30, 2026 Record updated