PatchSiren cyber security CVE debrief
CVE-2026-9135 IBM CVE debrief
IBM Langflow OSS 1.0.0 through 1.10.0 Langflow versions up to 1.9.2 (commit 94981c443d4918517b9e8163d70fc598dc33a32d) contain a code injection vulnerability in the Policies component's ToolGuard integration that bypasses the allow_custom_components=false security control. This vulnerability allows authenticated users with flow creation privileges to execute arbitrary Python code on the backend, potentially leading to a complete system compromise. The vulnerability is highly critical, with a CVSS score of 9.9, and requires immediate attention from administrators and users of affected Langflow versions.
- Vendor
- IBM
- Product
- Langflow OSS
- CVSS
- CRITICAL 9.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-17
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-17
- Advisory updated
- 2026-07-17
Who should care
Authenticated users with flow creation privileges, administrators of IBM Langflow OSS, users of Langflow versions up to 1.9.2, and security teams responsible for monitoring and protecting against potential code injection attacks should be aware of this vulnerability. Additionally, operators and platform administrators may need to review and update their deployments to prevent exploitation.
Technical summary
The vulnerability exists because the validation mechanism only checks the main component source code in node_template[code][value] but fails to validate dynamic CodeInput fields that store generated ToolGuard Python files. Attackers can embed malicious Python code in these unvalidated dynamic fields, which are persisted in Flow.data and later executed server-side when a guarded tool is invoked through the ToolGuard runtime. This allows for arbitrary Python code execution on the backend, despite custom component restrictions.
Defensive priority
High
Recommended defensive actions
- Restrict flow creation privileges to trusted users
- Implement additional validation for dynamic CodeInput fields
- Monitor for suspicious activity in flow execution
- Update to Langflow version 1.9.3 or later
- Disable allow_custom_components=false security control if not required
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The vulnerability can be escalated through cross-tenant flow manipulation via the agentic MCP update_flow_component_field tool, which accepts attacker-controlled user_id parameters, enabling attackers to inject malicious code into victim users' flows. This escalation vector highlights the importance of securing flow management interfaces and ensuring that only authorized users can modify flow components.
Official resources
-
CVE-2026-9135 CVE record
CVE.org
-
CVE-2026-9135 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T19:17:19.390Z and has not been modified since then.