CVE-2026-48519 Overview
CVE-2026-48519 is a remote code execution vulnerability in Langflow, an open-source tool for building and deploying AI-powered agents and workflows. The flaw resides in the "Shareable Playground" feature, also referred to as "Public Flows" in the codebase. Prior to version 1.9.2, the /api/v1/build_public_tmp endpoint allows unauthenticated users to execute public flows using only a flow ID. The endpoint accepts arbitrary Python code through the data.nodes[X].data.node.template.code.value field in the JSON payload. The vulnerability maps to CWE-94: Improper Control of Generation of Code.
Critical Impact
Unauthenticated attackers can execute arbitrary Python code on Langflow servers exposing the Shareable Playground feature, leading to full server compromise.
Affected Products
- Langflow versions prior to 1.9.2
- Langflow deployments exposing the Shareable Playground feature
- Public Flows route /api/v1/build_public_tmp
Discovery Timeline
- 2026-06-23 - CVE-2026-48519 published to NVD
- 2026-06-24 - Last updated in NVD database
Technical Details for CVE-2026-48519
Vulnerability Analysis
Langflow's Shareable Playground feature is designed to let users share executable workflows via links, so unauthenticated visitors can run a flow without an account. The route /api/v1/build_public_tmp accepts a public flow ID and an associated JSON payload describing the nodes to execute. The server interprets the code.value field of each node as Python source code and executes it during flow construction. Because no authentication, authorization, or sandboxing is applied before execution, any attacker reaching the endpoint can run arbitrary code in the Langflow process context.
Root Cause
The root cause is unsafe code generation and execution from user-controlled input ([CWE-94]). The endpoint trusts JSON-supplied node templates and evaluates the embedded Python code without validation, allowlisting, or isolation. Combining unauthenticated access with dynamic code execution exposes the host to direct compromise.
Attack Vector
The attack vector is network-based and requires only that the Langflow instance exposes the Shareable Playground feature. An attacker identifies or guesses a valid public flow ID, then issues a crafted POST request to /api/v1/build_public_tmp containing malicious Python in the data.nodes[X].data.node.template.code.value field. When Langflow builds the flow, the payload executes on the server with the privileges of the Langflow process. See the GitHub Security Advisory GHSA-v5ff-9q35-q26f for full technical details.
Detection Methods for CVE-2026-48519
Indicators of Compromise
- Unexpected POST requests to /api/v1/build_public_tmp from external or untrusted sources.
- Outbound network connections from the Langflow process to attacker-controlled hosts.
- New Python processes, shells, or scheduled tasks spawned by the Langflow service account.
- JSON payloads containing suspicious content in the data.nodes[X].data.node.template.code.value field.
Detection Strategies
- Inspect web server and reverse-proxy logs for requests to the build_public_tmp route, especially from unauthenticated clients.
- Alert on Langflow processes spawning child processes such as sh, bash, curl, wget, or python -c.
- Apply application-layer filtering to detect Python keywords (import, os.system, subprocess) inside the code.value JSON field.
Monitoring Recommendations
- Forward Langflow application and access logs to a centralized analytics platform for retention and correlation.
- Monitor egress traffic from hosts running Langflow for connections to unexpected destinations.
- Track file system changes in the Langflow working directory and user home directories for new scripts or persistence artifacts.
How to Mitigate CVE-2026-48519
Immediate Actions Required
- Upgrade Langflow to version 1.9.2 or later, which contains the official fix.
- Disable the Shareable Playground or Public Flows feature on internet-exposed instances until patched.
- Restrict network access to Langflow with firewall rules, VPNs, or authenticated reverse proxies.
- Audit existing Langflow servers for signs of prior exploitation, including unexpected processes and outbound connections.
Patch Information
The vulnerability is fixed in Langflow 1.9.2. The patch removes the ability for unauthenticated callers to supply arbitrary Python code through the public flow execution endpoint. Refer to the GitHub Security Advisory GHSA-v5ff-9q35-q26f for advisory details and upgrade guidance.
Workarounds
- Block requests to /api/v1/build_public_tmp at the web application firewall or reverse proxy.
- Remove or disable any public flows until the host is upgraded to 1.9.2.
- Run Langflow as an unprivileged user inside an isolated container or namespace to limit blast radius if exploited.
# Example: block the vulnerable route at an Nginx reverse proxy until patched
location /api/v1/build_public_tmp {
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

