{
  "variant_outcome": "confirmed",
  "claim_block_reason": null,
  "validated_surface": "api_remote",
  "observed_impact_class": "code_execution",
  "exploitability_confidence": "high",
  "attacker_controlled_input": "PUBLIC flow stored data containing a CustomComponent node with a top-level _rce=os.system(...) payload (created via POST /api/v1/flows/ with an AUTO_LOGIN superuser token)",
  "trigger_path": "POST /api/v1/flows/ (store malicious PUBLIC flow) -> POST /api/v1/build_public_tmp/{flow_id}/flow (no data) -> start_flow_build(data=None, source_flow_id) -> build_graph_from_db -> Graph.from_payload -> create_class -> prepare_global_scope -> exec",
  "bypass_on_claimed_fixed_1_9_0": true,
  "bypass_on_followup_fixed_1_10_1": false,
  "notes": "Bypass confirmed: the stored-custom-component RCE still reproduces on langflow:1.9.0, the release the CVE claims as fixed (proof written), and is closed by the v1.10.1 follow-up fix (no proof written for that release)."
}
