AI & LLM Vulnerabilities

A code injection vulnerability (CVE-2026-7700) was found in langflow-ai langflow up to version 1.8.4, specifically in the eval function of the LambdaFilterComponent. The vulnerability allows attackers to execute arbitrary code remotely if they have login access, and a working exploit has been publicly released.

A command injection vulnerability (CWE-77, a flaw where attackers can insert malicious commands into input) was found in Langflow AI's langflow software up to version 1.8.4, specifically in the CodeParser.parse_callable_details function. An attacker with login credentials can remotely execute this vulnerability, and it has already been publicly disclosed. The vendor was notified but did not respond.

A vulnerability (CVE-2026-7669) was found in SGLang, an open-source project, affecting versions up to 0.5.9. The flaw is in the get_tokenizer function and allows deserialization (converting untrusted data into executable objects), which can be exploited remotely, though it requires high complexity to execute. The vulnerability has a CVSS score (a 0-10 severity rating) of 6.3, classified as medium severity.

ChatGPTNextWeb NextChat versions up to 2.16.1 contain a flaw in its Next.js API endpoint that allows attackers to manipulate a function and create a permissive cross-domain policy with untrusted domains (meaning the system accepts requests from any website, not just trusted ones). The attack can be launched remotely, an exploit has been published, but the project developers have not yet responded to the early notification.

IBM Langflow OSS (open-source software) versions 1.0.0 through 1.8.4 has a vulnerability where any user can view and delete other users' data by supplying a flow_id (a reference number for a workflow). This happens because the system doesn't properly check who should be allowed to access certain information, allowing unauthorized access to transaction logs and build data.

IBM Langflow Desktop version 1.8.4 and earlier has a path traversal vulnerability (CWE-22, a flaw that lets attackers access files outside intended directories) that allows remote attackers to view arbitrary files on a system by sending specially crafted URLs containing "dot dot" sequences (/../), which trick the system into navigating to restricted folders.

IBM Langflow Desktop versions 1.2.0 through 1.8.4 has a path traversal vulnerability (CVE-2026-4502) that allows an authenticated attacker to write arbitrary files on a system by sending specially crafted URL requests with "dot dot" sequences (/../, which move up directory levels). This affects users who are already logged into the application.

IBM Langflow Desktop versions 1.6.0 through 1.8.4 has a stored cross-site scripting vulnerability (XSS, a flaw where an attacker can inject malicious code that gets saved and executed in a web interface). An authenticated user can embed JavaScript code in the Web UI, which could alter how the application works and potentially expose user credentials to attackers who access the same session.

IBM Langflow Desktop versions 1.0.0 through 1.8.4 have a vulnerability called SSRF (server-side request forgery, where an attacker tricks the server into making requests it shouldn't). An authenticated attacker (someone with login access) could exploit this to send unauthorized requests from the system, potentially discovering network information or launching additional attacks.

OpenTelemetry's disk retry feature for OTLP (OpenTelemetry Protocol, a standard format for sending telemetry data) had a security flaw where it stored temporary blob files (serialized data chunks) in a shared system temp directory accessible to other user accounts on multi-user systems. This allowed attackers to inject fake telemetry data, read sensitive telemetry information, or cause performance problems by filling the directory with large files.

The Claude SDK for TypeScript had a security flaw where a tool called `BetaLocalFilesystemMemoryTool` created files and folders with overly permissive access settings (using Node.js defaults like `0o666` for files and `0o777` for directories, which control who can read or modify them). This meant that on shared computers or in containerized environments (like Docker), other users could read sensitive agent data or modify it to change how the AI behaves.

OpenClaw versions before 2026.4.15 had a security flaw where the webchat audio embedding feature could read local files from the host system without proper security checks. An attacker who could control the output of an agent or tool could trick the system into embedding audio files from the host into chat responses, bypassing the containment restrictions that protect other file-serving paths.