CVE-2026-48519: Langflow: Unauthenticated RCE in Shareable Playgrounds

June 16, 2026

The “Shareable Playground” (or “Public Flows” in code) contains a critical RCE vulnerability. Simply sharing a flow exposes the deployment to RCE risk by authenticated users.

Tested on commit 2d67402b1dbaefcbce85a244d4a6cd5e4bda1cfe

References

github.com/advisories/GHSA-v5ff-9q35-q26f
github.com/langflow-ai/langflow/security/advisories/GHSA-v5ff-9q35-q26f
nvd.nist.gov/vuln/detail/CVE-2026-48519

Code Behaviors & Features

Detect and mitigate CVE-2026-48519 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →