CVE Tools
Back to feed
Daily CyberSecurity (securityonline.info) ·EN-US News source

Critical Langflow Flaws Allow Unauthenticated Remote Code Execution

·2 min read
CVE Tools coverage

IBM disclosed two critical security issues in IBM Langflow OSS that can be triggered without authentication, including remote code execution in PythonREPLComponent via Builtins Injection (CVE-2026-10561) and an authorization bypass in the MCP transport endpoint (CVE-2026-7664). Both problems allow attackers to reach privileged functionality when instances expose the affected endpoints, making public-facing deployments especially risky. The report notes no confirmed exploitation so far, but it urges upgrading Langflow OSS to version 1.9.4 to remediate.