Langflow validate endpoint exec_globals Remote Code Execution
CVE-2026-0770 is a critical unauthenticated remote code execution vulnerability in Langflow. The flaw exists in the validate endpoint’s handling of the exec_globals parameter, where untrusted attacker-controlled input is incorporated into code execution logic. Multiple provided sources describe the issue as RCE via Langflow’s validate_code() use of exec(), and the root cause as inclusion of functionality/resources from an untrusted control sphere. Successful exploitation allows a remote attacker to supply crafted input to the validate endpoint and cause arbitrary Python code execution on the target system. The available reporting states that exploitation occurs without authentication and that code executes in the context of root on affected installations.
Exploits
5 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (2 hidden).
This repository contains a single standalone Python exploit script, CVE-2026-0770.py, targeting Langflow versions prior to 1.3.0. The script is a real exploit rather than a detector: it obtains an API bearer token either by posting credentials to /api/v1/login or, if available, by abusing /api/v1/auto_login, then sends attacker-controlled Python source to /api/v1/validate/code. The payload abuses unsafe code execution in Langflow's validate_code functionality by embedding a subprocess.run() call inside a function default argument, causing arbitrary shell command execution on the server. Output is captured and surfaced back to the attacker by intentionally raising an exception containing stdout/stderr, which the script then prints from the returned JSON error structure. Repository structure is minimal: one Python file using argparse for CLI handling, httpx for HTTP requests, asyncio for async execution, and json for response parsing. Main capability is remote command execution against exposed Langflow instances on port 7860, with support for both unauthenticated exploitation via auto-login and authenticated exploitation with supplied credentials.
Small standalone exploit repository containing one Python PoC script (exp_v3.py), a README, and a license. The script targets CVE-2026-0770 in Langflow by sending attacker-controlled Python code to the /api/v1/validate/code endpoint. It is not merely a detector: it builds a payload that invokes subprocess.run(shell=True) with an operator-supplied command, captures stdout/stderr, and forces the output into an exception string delimited by CMD_OUTPUT_START/CMD_OUTPUT_END so the client can parse it from the HTTP response. The exploit supports an optional JWT token via -k/--token; otherwise it first attempts authentication to /api/v1/login using hardcoded default credentials langflow/langflow and, if successful, adds a Bearer token to the exploit request. CLI options allow specifying the target URL, direct command string, or reading the command from a local file. Repository structure is minimal and purpose-built for exploitation rather than scanning or framework integration. Overall capability is authenticated-or-default-credential-assisted remote command execution against vulnerable Langflow instances, with returned command output displayed to the operator.
This repository contains a compact exploit set for CVE-2026-0770 affecting Langflow. There are three files: a standalone Python PoC, a Nuclei template, and a README. Because the repository includes a Nuclei template, it belongs to a framework; the main exploit logic is concentrated in CVE-2026-0770.yaml, with the Python script providing equivalent standalone exploitation. The exploit targets Langflow's validation API, specifically POST /api/v1/validate/code. The core technique is to send attacker-controlled Python source in the code field, relying on unsafe exec()-based evaluation. The payload abuses Python default-argument evaluation so that subprocess.run() executes immediately when the function definition is processed. Output is forced into an exception string prefixed with OUTPUT:, allowing the attacker to recover stdout/stderr from the API response. The Nuclei template performs two requests: first POST /api/v1/login with username=langflow and password=langflow to obtain an access token, then POST /api/v1/validate/code with a Bearer token and a hardcoded payload running cat /etc/passwd. Matchers confirm exploitation by checking for HTTP 200, the marker OUTPUT:, and passwd content such as root:x:0:0:root. This makes the template both an exploit and a verification artifact, not merely a detector. The Python PoC is more flexible: it accepts a target URL, optional JWT token, and arbitrary command string (default id && whoami). If no token is provided, it attempts the same default-credential login flow. Successful exploitation yields arbitrary command execution on the remote Langflow host, potentially with high privileges depending on how Langflow is deployed.
Repository purpose: Proof-of-concept exploit for CVE-2026-0770 affecting Langflow, achieving remote code execution by sending attacker-controlled Python to the Langflow validation endpoint that is executed via exec() (per README/template).
Structure (5 files):
- CVE-2026-0770.py: Main Python exploit tool. Implements (1) optional auto-login to /api/v1/login using default creds langflow/langflow to obtain a JWT access_token, then (2) POSTs a crafted Python payload to /api/v1/validate/code. The payload triggers command execution at function-definition time using a default argument that calls subprocess.run(command, shell=True, capture_output=True, text=True). Output is embedded into an Exception message ("OUTPUT:\n...") via a generator throw(), enabling the client to parse stdout/stderr from the server response. Supports single-command mode (-c) and an interactive shell mode (not fully shown due to truncation), plus verbose logging and optional user-supplied token (-k). Also writes local command history to ~/.langflow_history.
- CVE-2026-0770.yaml: Nuclei template (detection/verification) that performs two HTTP requests: login to extract access_token, then exploit validate/code with a fixed command (cat /etc/passwd). Matchers look for "root:x:0:0:root" and "OUTPUT:" with HTTP 200 to confirm RCE.
- README.md: Usage instructions, affected endpoint (/api/v1/validate/code), notes about AUTO_LOGIN=true default behavior, and mitigation guidance.
- LICENSE: MIT.
- .gitignore: Standard Python ignores.
Exploit capabilities: network-based RCE against Langflow instances exposing the API; can operate with default credentials (auto-login) or a provided JWT; returns command output; provides interactive command execution convenience. No persistence or lateral movement logic is present beyond arbitrary command execution.
Repository contains a PoC exploit for alleged CVE-2026-0770 affecting Langflow. Structure is minimal: README.md (vuln description, affected endpoints, and technique) and poc.py (working exploit script). poc.py is a Python network exploit using the requests library. It targets a Langflow HTTP API and attempts to obtain a JWT by POSTing to /api/v1/login with default credentials (langflow/langflow) when the user does not supply a token, relying on the README’s claim that AUTO_LOGIN=true by default. It then POSTs JSON to /api/v1/validate/code with a crafted Python payload. Core capability: remote code execution. The payload leverages the fact that the vulnerable server-side validate_code() executes submitted function definitions via exec(). The PoC embeds command execution inside a function default argument so it runs at definition time. To exfiltrate output, it captures stdout/stderr from subprocess.run(..., shell=True, capture_output=True, text=True) and raises an exception containing the output using a generator expression’s .throw(), which is an expression and can be used inside the default argument. The script then parses the API’s returned error structure (response.function.errors) to extract the "OUTPUT:" marker and print command output. README.md also lists additional potentially vulnerable endpoints (/api/v1/custom_component, /api/v1/custom_component/update, /api/v1/webhook/{flow_id}, /api/v1/build_public_tmp/{flow_id}/flow) and other related CVEs, but the provided code only exploits /api/v1/validate/code.
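As an added illustration (not code from Langflow or from any of the repositories above), the following uses a harmless side effect to show why executing a submitted function definition already runs its default-argument expressions, and how the same input can be inspected with ast without executing it. SAMPLE and both function names are constructed for this example; the check covers only default arguments and decorators and is a triage aid for logged request bodies, not a sandbox or a substitute for patching.

```python
import ast

# Constructed input: the default argument has a harmless side effect
# (appending to a list) in place of the command execution the PoCs use.
SAMPLE = (
    "def f(x=probe.append('ran at definition time')):\n"
    "    return x\n"
)


def exec_runs_defaults(source=SAMPLE):
    """Execute only the def statement, as an exec()-based validator would,
    and return what the default-argument expression did. f is never called."""
    probe = []
    exec(compile(source, "<submitted>", "exec"), {"probe": probe})
    return probe


def definition_time_calls(source):
    """Parse without executing and list calls that would run as soon as a
    def statement is executed: those in default arguments and decorators."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        a = node.args
        exprs = [("default", e) for e in a.defaults]
        # kw_defaults holds None for keyword-only args without a default
        exprs += [("default", e) for e in a.kw_defaults if e is not None]
        exprs += [("decorator", e) for e in node.decorator_list]
        for kind, expr in exprs:
            for sub in ast.walk(expr):
                if isinstance(sub, ast.Call):
                    findings.append((node.name, kind, ast.unparse(sub)))
    return findings


if __name__ == "__main__":
    print(exec_runs_defaults())
    for name, kind, call in definition_time_calls(SAMPLE):
        print(f"{name}: {kind} contains call {call}")
```

A call inside a function body is not reported, because it only runs when the function is invoked; class bodies and annotations are other definition-time contexts that this narrow check does not cover.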
Recent activity
19 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A LangFlow vulnerability mentioned as an example of a published nuclei template, not directly tied to the observed exploitation cluster.
Another Langflow vulnerability referenced as having seen exploitation activity this year, but no further technical details are provided in the content.
Another Langflow vulnerability referenced as having seen similar targeting activity earlier in the year.
Remote code execution vulnerability in Langflow (AI/LLM orchestration tooling) highlighted as newly added to an actor’s exploitation toolkit; noted as unpatched with public PoC and confirmed in-the-wild exploitation.