# [CRIT] [GHSA / CRITICAL] CVE-2026-48519: Langflow: Unauthenticated RCE in Shareable Playgrounds **Source:** GitHub Security Advisories **Published:** 2026-06-16 **Article:** https://github.com/advisories/GHSA-v5ff-9q35-q26f ## Threat Profile Langflow: Unauthenticated RCE in Shareable Playgrounds ### Summary The "Shareable Playground" (or "Public Flows" in code) contains a critical RCE vulnerability. Simply sharing a flow exposes the deployment to RCE risk by authenticated users. Tested on commit 2d67402b1dbaefcbce85a244d4a6cd5e4bda1cfe ### Details Shareable Playground feature works by enabling the execution of workflows by unauthenticated users, by accessing a link. Specifically, it enables the route `/api/v1/build_public_tmp` to… ## Indicators of Compromise (high-fidelity only) - **CVE:** `CVE-2026-48519` ## MITRE ATT&CK Techniques - **T1190** — Exploit Public-Facing Application - **T1204.002** — User Execution: Malicious File - **T1059.006** — Command and Scripting Interpreter: Python - **T1595.002** — Active Scanning: Vulnerability Scanning - **T1059.004** — Command and Scripting Interpreter: Unix Shell ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### Langflow CVE-2026-48519: POST to /api/v1/build_public_tmp with embedded Python code `UC_34_2` · phase: **exploit** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime values(Web.http_user_agent) as user_agents values(Web.status) as statuses from datamodel=Web where Web.url="*/api/v1/build_public_tmp*" Web.http_method IN ("POST","PUT") by Web.src, Web.dest, Web.url, Web.http_method | `drop_dm_object_name(Web)` | where like(url,"%/api/v1/build_public_tmp%") | rename src as src_ip, dest as langflow_host | sort - lastTime ``` **Defender KQL:** ```kql DeviceNetworkEvents | where Timestamp > ago(7d) | where RemoteUrl has "/api/v1/build_public_tmp" or AdditionalFields has "/api/v1/build_public_tmp" | project Timestamp, DeviceName, RemoteIP, RemotePort, LocalIP, LocalPort, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, InitiatingProcessAccountName | order by Timestamp desc ``` ### Langflow exploit reconnaissance: clustered errors against /api/v1/build_public_tmp `UC_34_3` · phase: **recon** · confidence: **Medium** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=true count as error_count values(Web.status) as statuses values(Web.http_user_agent) as user_agents values(Web.url) as urls min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url="*/api/v1/build_public_tmp*" Web.status>=400 by Web.src, Web.dest, span=10m | `drop_dm_object_name(Web)` | where error_count >= 10 | rename src as src_ip, dest as langflow_host | sort - lastTime ``` **Defender KQL:** ```kql DeviceNetworkEvents | where Timestamp > ago(1d) | where RemoteUrl has "/api/v1/build_public_tmp" | summarize HitCount = count(), Hosts = make_set(DeviceName, 10), Procs = make_set(InitiatingProcessFileName, 5) by RemoteIP, bin(Timestamp, 10m) | where HitCount >= 10 | order by Timestamp desc ``` ### Langflow Python runtime spawning shell/subprocess children (post-exploit RCE) `UC_34_4` · phase: **exploit** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name IN ("python","python3","python.exe","uvicorn","gunicorn") OR Processes.parent_process="*langflow*") (Processes.process_name IN ("sh","bash","dash","zsh","cmd.exe","powershell.exe","pwsh","touch","curl","wget","nc","ncat","socat","chmod","base64") OR Processes.process IN ("*/tmp/pwned*","*touch /tmp/*","*touch /dev/shm/*","*bash -i*","*sh -c*")) by Processes.dest, Processes.user, Processes.parent_process_name, Processes.parent_process, Processes.process_name, Processes.process | `drop_dm_object_name(Processes)` | sort - lastTime ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where InitiatingProcessFileName in~ ("python","python3","python.exe","uvicorn","gunicorn") or InitiatingProcessCommandLine has_any ("langflow","build_public_tmp") | where FileName in~ ("sh","bash","dash","zsh","cmd.exe","powershell.exe","pwsh.exe","touch","curl","wget","nc","ncat","socat","chmod","base64") or ProcessCommandLine has_any ("/tmp/pwned","touch /tmp/","touch /dev/shm","bash -i","sh -c","-c \"import os\"","socket.socket","subprocess.Popen","os.system") | project Timestamp, DeviceName, AccountName, ParentImage = InitiatingProcessFolderPath, ParentCmd = InitiatingProcessCommandLine, ChildImage = FolderPath, ChildCmd = ProcessCommandLine, SHA256 | order by Timestamp desc ``` ### Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-48519: Langflow: Unauthenticated RCE in Shareable Pla `UC_34_1` · phase: **install** · confidence: **High** **Splunk SPL (CIM):** ```spl ``` Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-48519: Langflow: Unauthenticated RCE in Shareable Pla ``` | tstats `summariesonly` count from datamodel=Endpoint.Filesystem where Filesystem.action IN ("created","modified") AND (Filesystem.file_path="*/tmp/pwned*") by Filesystem.dest, Filesystem.user, Filesystem.process_name, Filesystem.file_path, Filesystem.file_name | `drop_dm_object_name(Filesystem)` ``` **Defender KQL:** ```kql // Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-48519: Langflow: Unauthenticated RCE in Shareable Pla // Hunts the actual binaries / paths / commandline fragments named // in the article instead of a generic technique-class template. // File-creation events for the named binaries / paths DeviceFileEvents | where Timestamp > ago(30d) | where ActionType in ("FileCreated","FileModified") | where (FolderPath has_any ("/tmp/pwned")) | project Timestamp, DeviceName, AccountName, FolderPath, FileName, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc ``` ### IOC-driven hunts (use shared templates) These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing. - **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High** - CVE(s): `CVE-2026-48519` ## Why this matters Severity classified as **CRIT** based on: CVE present, 5 use case(s) fired, 5 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.