CVE-2026-13448
IBM Langflow OSS 1.0.0 through 1.10.1 Lanflow OSS contains an unauthenticated remote code execution vulnerability in the public flow build e
CVSS
8.1
High
EPSS
—
KEV
—
Exploit Today
—
0-100
Published: Jul 17, 2026 · Last modified: Jul 17, 2026
Not enough EPSS history yet.
IBM Langflow OSS 1.0.0 through 1.10.1 Lanflow OSS contains an unauthenticated remote code execution vulnerability in the public flow build endpoint ( /api/v1/build_public_tmp/{flow_id}/flow ). The vulnerability stems from an incomplete denylist in the validate_public_flow_no_code_execution() function that fails to block several code-execution agent components including OpenDsStarAgent, CodeActAgentSmolagents, and CSVAgent.
No related CVEs by CWE or product.