Key Vulnerability Information

CVE ID: CVE-2026-0772
CVSS Score: 7.5, AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Vendors: Langflow
Affected Products: Langflow

Vulnerability Details:
- Description: This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is required to exploit this vulnerability.
- Cause: The specific flaw exists within the disk cache service due to the lack of proper validation of user-supplied data, leading to deserialization of untrusted data.
- Impact: An attacker can leverage this vulnerability to execute code in the context of the service account.
- Mitigation: The only salient mitigation strategy is to restrict interaction with the product.

Additional Details:
- 08/21/25 - ZDI submitted the report to the vendor's GitHub account
- 09/15/25 - ZDI asked for updates
- 09/24/25 - ZDI asked for the fix
- 12/10/25 - ZDI notified the vendor of the intention to publish the case as a 0-day advisory

Disclosure Timeline:
- 2025-08-21 - Vulnerability reported to vendor
- 2026-01-09 - Coordinated public release of advisory
- 2026-01-09 - Advisory Updated

Credit: Peter Girnus (@gothburz), Brandon Niemczyk of Trend Zero Day Initiative
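The cause named above, deserialization of untrusted data in a disk cache, is a general bug class, and the defensive shape of a fix is the same whatever the product. The block below is an added illustration written for this page; it is not Langflow's code and does not describe how Langflow's cache service works. It assumes a hypothetical cache that stores Python values on disk, and shows two hardened designs: a restricted unpickler that refuses every module-level lookup outside a tiny allowlist (so a stream cannot name a callable to run), and a cache that stores JSON under an HMAC tag so an entry rewritten on disk without the key is rejected before it is parsed. The names RestrictedUnpickler, SignedJsonCache and demo, the key and the sample values are all constructed for the example.

```python
"""Hardened disk-cache serialization (added illustration, not Langflow code).

Assumes a hypothetical cache that stores Python values on disk. All class and
function names, the HMAC key and the sample values are constructed for the demo.
"""
import builtins
import datetime
import hashlib
import hmac
import io
import json
import pickle
import tempfile
from pathlib import Path

# Only these builtins may be reconstructed from a pickle stream; every other
# global lookup (any module-level callable) is refused before it is imported.
SAFE_BUILTINS = {"set", "frozenset", "bytearray", "complex"}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve globals outside a small allowlist."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes):
    """Deserialize pickle bytes while blocking arbitrary class/function lookup."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def accepts_plain_data() -> bool:
    """Plain containers and scalars need no global lookup, so they still load."""
    sample = {"nodes": 3, "tags": ["a", "b"]}  # constructed sample value
    return restricted_loads(pickle.dumps(sample)) == sample


def rejects_foreign_class() -> bool:
    """Any object that pickles via a module-level reference is refused."""
    try:
        restricted_loads(pickle.dumps(datetime.date(2026, 1, 9)))
    except pickle.UnpicklingError:
        return True
    return False


class SignedJsonCache:
    """Disk cache that stores JSON (no code execution on load) under an HMAC tag."""

    def __init__(self, directory, key: bytes):
        self.dir = Path(directory)
        self.key = key

    def _path(self, cache_key: str) -> Path:
        # Hash the caller-supplied key so it can never become a path component.
        return self.dir / (hashlib.sha256(cache_key.encode()).hexdigest() + ".json")

    def set(self, cache_key: str, value) -> None:
        body = json.dumps(value, sort_keys=True, separators=(",", ":")).encode()
        tag = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        self._path(cache_key).write_bytes(tag + b"\n" + body)

    def get(self, cache_key: str):
        path = self._path(cache_key)
        if not path.exists():
            return None
        tag, _, body = path.read_bytes().partition(b"\n")
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expected):
            # An entry rewritten on disk by anyone without the key is discarded
            # before json.loads ever sees it.
            raise ValueError("cache entry failed integrity check")
        return json.loads(body)


def demo():
    """Round-trip a value, then show that an on-disk edit is detected."""
    with tempfile.TemporaryDirectory() as d:
        cache = SignedJsonCache(d, key=b"constructed-demo-key")  # constructed key
        cache.set("flow:123", {"nodes": 3})
        loaded = cache.get("flow:123")
        path = cache._path("flow:123")
        # Simulate tampering with the stored entry behind the cache's back.
        path.write_bytes(path.read_bytes().replace(b'"nodes":3', b'"nodes":4'))
        try:
            cache.get("flow:123")
            tampered_detected = False
        except ValueError:
            tampered_detected = True
    return loaded, tampered_detected


if __name__ == "__main__":
    print(accepts_plain_data(), rejects_foreign_class(), demo())
```

Two design choices matter here. The JSON cache removes the code-execution surface entirely, since json.loads builds only dicts, lists and scalars, and the HMAC turns "whatever bytes are on disk" into "bytes produced by a holder of the key". The restricted unpickler is the fallback when a format change is not possible: it keeps plain data working but fails closed on any global reference, which is exactly the path an untrusted stream would need.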