PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9135 IBM CVE debrief

IBM Langflow OSS 1.0.0 through 1.10.0 Langflow versions up to 1.9.2 (commit 94981c443d4918517b9e8163d70fc598dc33a32d) contain a code injection vulnerability in the Policies component's ToolGuard integration that bypasses the allow_custom_components=false security control. This vulnerability allows authenticated users with flow creation privileges to execute arbitrary Python code on the backend, potentially leading to a complete system compromise. The vulnerability is highly critical, with a CVSS score of 9.9, and requires immediate attention from administrators and users of affected Langflow versions.

Vendor
IBM
Product
Langflow OSS
CVSS
CRITICAL 9.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Authenticated users with flow creation privileges, administrators of IBM Langflow OSS, users of Langflow versions up to 1.9.2, and security teams responsible for monitoring and protecting against potential code injection attacks should be aware of this vulnerability. Additionally, operators and platform administrators may need to review and update their deployments to prevent exploitation.

Technical summary

The vulnerability exists because the validation mechanism only checks the main component source code in node_template[code][value] but fails to validate dynamic CodeInput fields that store generated ToolGuard Python files. Attackers can embed malicious Python code in these unvalidated dynamic fields, which are persisted in Flow.data and later executed server-side when a guarded tool is invoked through the ToolGuard runtime. This allows for arbitrary Python code execution on the backend, despite custom component restrictions.

Defensive priority

High

Recommended defensive actions

  • Restrict flow creation privileges to trusted users
  • Implement additional validation for dynamic CodeInput fields
  • Monitor for suspicious activity in flow execution
  • Update to Langflow version 1.9.3 or later
  • Disable allow_custom_components=false security control if not required
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The vulnerability can be escalated through cross-tenant flow manipulation via the agentic MCP update_flow_component_field tool, which accepts attacker-controlled user_id parameters, enabling attackers to inject malicious code into victim users' flows. This escalation vector highlights the importance of securing flow management interfaces and ensuring that only authorized users can modify flow components.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T19:17:19.390Z and has not been modified since then.