{
  "entrypoint_kind": "api_remote",
  "entrypoint_detail": "POST /api/v1/build_public_tmp/{flow_id}/flow (stored-data bypass; no 'data' field in request body)",
  "bypass_strategy": "Store malicious CustomComponent code in a PUBLIC flow via POST /api/v1/flows/ (AUTO_LOGIN token), then trigger the unauthenticated public build which loads the stored flow from the DB and exec()'s the node code. v1.9.0 validate_flow_for_current_settings is a no-op under default allow_custom_components=true.",
  "bypass_on_claimed_fixed_1_9_0": true,
  "bypass_on_followup_fixed_1_10_1": false,
  "runtime_stack": [
    "docker",
    "langflow",
    "fastapi"
  ],
  "proof_artifacts": [
    "logs/vuln_variant/result_claimed_fixed_1.json",
    "logs/vuln_variant/proof_claimed_fixed_1.txt",
    "logs/vuln_variant/container_claimed_fixed_1.log",
    "logs/vuln_variant/result_claimed_fixed_2.json",
    "logs/vuln_variant/proof_claimed_fixed_2.txt",
    "logs/vuln_variant/container_claimed_fixed_2.log",
    "logs/vuln_variant/result_followup_fixed_1.json",
    "logs/vuln_variant/container_followup_fixed_1.log",
    "logs/vuln_variant/result_followup_fixed_2.json",
    "logs/vuln_variant/container_followup_fixed_2.log"
  ],
  "notes": "Bypass confirmed: stored-custom-component RCE reproduces on the CVE 'fixed' langflow:1.9.0 (proof written) and is closed by the v1.10.1 follow-up fix (no proof)."
}
