From 7cec14c84d992779145ced4480a963d541ff31c8 Mon Sep 17 00:00:00 2001 From: Mendon Kissling <59585235+mendonk@users.noreply.github.com> Date: Tue, 31 Mar 2026 11:25:19 -0400 Subject: [PATCH 1/3] initial-changes --- .../deployment-block-custom-components.mdx | 20 +++++++++++++++++++ docs/docs/Deployment/security.mdx | 9 ++++----- docs/docs/Develop/environment-variables.mdx | 1 + docs/docs/Support/release-notes.mdx | 12 +++++++++++ docs/sidebars.js | 5 +++++ 5 files changed, 42 insertions(+), 5 deletions(-) create mode 100644 docs/docs/Deployment/deployment-block-custom-components.mdx diff --git a/docs/docs/Deployment/deployment-block-custom-components.mdx b/docs/docs/Deployment/deployment-block-custom-components.mdx new file mode 100644 index 000000000000..0479cd2b99c0 --- /dev/null +++ b/docs/docs/Deployment/deployment-block-custom-components.mdx @@ -0,0 +1,20 @@ +--- +title: Block custom components +slug: /deployment-block-custom-components +--- + +Custom components and the component code editor allow Langflow users to create and execute Python code in the Langflow runtime. +While this freedom is a feature of Langflow, in some deployments you may want to block the creation of custom Langflow components to prevent arbitrary code execution. + +To block custom component creation on a Langflow server, set the following [environment variable](/environment-variables): + +```bash +LANGFLOW_ALLOW_CUSTOM_COMPONENTS=false +``` + +When set to `false`, Langflow blocks creating custom components and changing code in the visual editor. + +When unset or `true`, Langflow allows custom code. +Existing Langflow installations will keep the default `true` behavior until you opt in to this restriction. + +For more information, see [Security](/security). diff --git a/docs/docs/Deployment/security.mdx b/docs/docs/Deployment/security.mdx index 75121c0c247f..4a32a7747f10 100644 --- a/docs/docs/Deployment/security.mdx +++ b/docs/docs/Deployment/security.mdx 
@@ -3,10 +3,8 @@ title: Security slug: /security --- -The Langflow UI is an IDE and code execution platform, which means that Langflow is inherently capable of executing arbitrary, -developer-provided code. -By design, the Langflow UI includes a code editor allowing developers to author and execute arbitrary Python with full access to the host -Langflow backend process, filesystem, and network. +The Langflow UI is an IDE and code execution platform, which means that Langflow is inherently capable of executing arbitrary, developer-provided code. +By design, the Langflow UI includes a code editor allowing developers to author and execute arbitrary Python with full access to the host Langflow backend process, filesystem, and network. In addition, some components wrap and use code execution, including use of AI models to generate code to be executed based on user input. @@ -25,7 +23,8 @@ You are responsible for the following: Langflow is a code execution platform with full access to your local system. You are responsible for ensuring the safety of flows you execute. -In the event that Langflow could execute untrusted or LLM-generated code, consider using isolated or containerized execution environments. For more information, see [Containerize a Langflow application](/develop-application). +In the event that Langflow could execute untrusted or LLM-generated code, consider [blocking custom component execution](/deployment-block-custom-components) and running Langflow in an isolated and containerized execution environment. +For more information, see [Containerize a Langflow application](/develop-application). ## Secure first-party deployments diff --git a/docs/docs/Develop/environment-variables.mdx b/docs/docs/Develop/environment-variables.mdx index 9b5ed705b062..cba406c00e41 100644 --- a/docs/docs/Develop/environment-variables.mdx +++ b/docs/docs/Develop/environment-variables.mdx 
@@ -433,6 +433,7 @@ See [Telemetry](/contributing-telemetry). | `LANGFLOW_AUTO_SAVING_INTERVAL` | Integer | `1000` | Set the auto-save interval in milliseconds if `LANGFLOW_AUTO_SAVING=True`. | | `LANGFLOW_BUNDLE_URLS` | List[String] | `[]` | A list of URLs from which to load custom bundles. Supports GitHub URLs. If `LANGFLOW_AUTO_LOGIN=True`, flows from these bundles are loaded into the database. | | `LANGFLOW_COMPONENTS_PATH` | String | Not set | Path to a directory containing custom components. Typically used if you have local custom components or you are building a Docker image with custom components. | +| `LANGFLOW_ALLOW_CUSTOM_COMPONENTS` | Boolean | `True` | If `false`, disables custom components and in-editor editing of component code. For more information, see [Block custom components](/deployment-block-custom-components). | | `LANGFLOW_LOAD_FLOWS_PATH` | String | Not set | Path to a directory containing flow JSON files to be loaded on startup. Typically used when creating a Docker image with prepackaged flows. Requires `LANGFLOW_AUTO_LOGIN=True`. | | `LANGFLOW_CREATE_STARTER_PROJECTS` | Boolean | `True` | Whether to create templates during initialization. If `false`, Langflow doesn't create templates, and `LANGFLOW_UPDATE_STARTER_PROJECTS` is treated as `false`. | | `LANGFLOW_UPDATE_STARTER_PROJECTS` | Boolean | `True` | Whether to update templates with the latest component versions when initializing after an upgrade. | diff --git a/docs/docs/Support/release-notes.mdx b/docs/docs/Support/release-notes.mdx index 58248672091d..b93088372bb7 100644 --- a/docs/docs/Support/release-notes.mdx +++ b/docs/docs/Support/release-notes.mdx 
@@ -47,6 +47,18 @@ To avoid the impact of potential breaking changes and test new versions, the Lan If you made changes to your flows in the isolated installation, you might want to export and import those flows back to your upgraded primary installation so you don't have to repeat the component upgrade process. +## 1.9.x + +Highlights of this release include the following changes. +For all changes, see the [Changelog](https://github.com/langflow-ai/langflow/releases). + +### New features + +- Disable custom components + + Set `LANGFLOW_ALLOW_CUSTOM_COMPONENTS=false` to disable custom components and in-editor editing of component code. + For more information, see [Block custom components](/deployment-block-custom-components). + ## 1.8.x Highlights of this release include the following changes. diff --git a/docs/sidebars.js b/docs/sidebars.js index 091c787d822f..79a9cb1ef6e9 100644 --- a/docs/sidebars.js +++ b/docs/sidebars.js @@ -254,6 +254,11 @@ module.exports = { }, ] }, + { + type: "doc", + id: "Deployment/deployment-block-custom-components", + label: "Block custom components", + }, { type: "doc", id: "Deployment/security", From 0ad8632569c5f16b79d7af59e3f5620248fc4755 Mon Sep 17 00:00:00 2001 From: Mendon Kissling <59585235+mendonk@users.noreply.github.com> Date: Tue, 31 Mar 2026 11:52:31 -0400 Subject: [PATCH 2/3] fix-broken-links --- docs/docs/Deployment/security.mdx | 2 +- docs/docs/Develop/environment-variables.mdx | 2 +- docs/docs/Support/release-notes.mdx | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/docs/Deployment/security.mdx b/docs/docs/Deployment/security.mdx index 4a32a7747f10..7aca47fc6971 100644 --- a/docs/docs/Deployment/security.mdx +++ b/docs/docs/Deployment/security.mdx 
@@ -23,7 +23,7 @@ You are responsible for the following: Langflow is a code execution platform with full access to your local system. You are responsible for ensuring the safety of flows you execute. -In the event that Langflow could execute untrusted or LLM-generated code, consider [blocking custom component execution](/deployment-block-custom-components) and running Langflow in an isolated and containerized execution environment. +In the event that Langflow could execute untrusted or LLM-generated code, consider [blocking custom component execution](./deployment-block-custom-components.mdx) and running Langflow in an isolated and containerized execution environment. For more information, see [Containerize a Langflow application](/develop-application). ## Secure first-party deployments diff --git a/docs/docs/Develop/environment-variables.mdx b/docs/docs/Develop/environment-variables.mdx index cba406c00e41..d8ee23c17aac 100644 --- a/docs/docs/Develop/environment-variables.mdx +++ b/docs/docs/Develop/environment-variables.mdx 
@@ -433,7 +433,7 @@ See [Telemetry](/contributing-telemetry). | `LANGFLOW_AUTO_SAVING_INTERVAL` | Integer | `1000` | Set the auto-save interval in milliseconds if `LANGFLOW_AUTO_SAVING=True`. | | `LANGFLOW_BUNDLE_URLS` | List[String] | `[]` | A list of URLs from which to load custom bundles. Supports GitHub URLs. If `LANGFLOW_AUTO_LOGIN=True`, flows from these bundles are loaded into the database. | | `LANGFLOW_COMPONENTS_PATH` | String | Not set | Path to a directory containing custom components. Typically used if you have local custom components or you are building a Docker image with custom components. | -| `LANGFLOW_ALLOW_CUSTOM_COMPONENTS` | Boolean | `True` | If `false`, disables custom components and in-editor editing of component code. For more information, see [Block custom components](/deployment-block-custom-components). | +| `LANGFLOW_ALLOW_CUSTOM_COMPONENTS` | Boolean | `True` | If `false`, disables custom components and in-editor editing of component code. For more information, see [Block custom components](../Deployment/deployment-block-custom-components.mdx). | | `LANGFLOW_LOAD_FLOWS_PATH` | String | Not set | Path to a directory containing flow JSON files to be loaded on startup. Typically used when creating a Docker image with prepackaged flows. Requires `LANGFLOW_AUTO_LOGIN=True`. | | `LANGFLOW_CREATE_STARTER_PROJECTS` | Boolean | `True` | Whether to create templates during initialization. If `false`, Langflow doesn't create templates, and `LANGFLOW_UPDATE_STARTER_PROJECTS` is treated as `false`. | | `LANGFLOW_UPDATE_STARTER_PROJECTS` | Boolean | `True` | Whether to update templates with the latest component versions when initializing after an upgrade. | diff --git a/docs/docs/Support/release-notes.mdx b/docs/docs/Support/release-notes.mdx index b93088372bb7..ea7f8ec37dc8 100644 --- a/docs/docs/Support/release-notes.mdx +++ b/docs/docs/Support/release-notes.mdx 
@@ -57,7 +57,7 @@ For all changes, see the [Changelog](https://github.com/langflow-ai/langflow/rel - Disable custom components Set `LANGFLOW_ALLOW_CUSTOM_COMPONENTS=false` to disable custom components and in-editor editing of component code. - For more information, see [Block custom components](/deployment-block-custom-components). + For more information, see [Block custom components](../Deployment/deployment-block-custom-components.mdx). ## 1.8.x From 7526e69e2a09f764856dbd92fcba0cd37ba2d9e5 Mon Sep 17 00:00:00 2001 From: Mendon Kissling <59585235+mendonk@users.noreply.github.com> Date: Wed, 1 Apr 2026 21:50:27 -0400 Subject: [PATCH 3/3] Apply suggestions from code review Co-authored-by: April I. Murphy <36110273+aimurphy@users.noreply.github.com> Co-authored-by: Mendon Kissling <59585235+mendonk@users.noreply.github.com> --- docs/docs/Deployment/deployment-block-custom-components.mdx | 6 +++++- docs/docs/Develop/environment-variables.mdx | 2 +- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/docs/docs/Deployment/deployment-block-custom-components.mdx b/docs/docs/Deployment/deployment-block-custom-components.mdx index 0479cd2b99c0..c13a6a0f6e3d 100644 --- a/docs/docs/Deployment/deployment-block-custom-components.mdx +++ b/docs/docs/Deployment/deployment-block-custom-components.mdx @@ -4,7 +4,7 @@ slug: /deployment-block-custom-components --- Custom components and the component code editor allow Langflow users to create and execute Python code in the Langflow runtime. -While this freedom is a feature of Langflow, in some deployments you may want to block the creation of custom Langflow components to prevent arbitrary code execution. +While this freedom is a feature of Langflow, in some deployments you might want to block the creation of custom Langflow components to prevent arbitrary code execution. To block custom component creation on a Langflow server, set the following [environment variable](/environment-variables): 
@@ -17,4 +17,8 @@ When set to `false`, Langflow blocks creating custom components and changing cod When unset or `true`, Langflow allows custom code. Existing Langflow installations will keep the default `true` behavior until you opt in to this restriction. +This environment variable is a beta feature, and should not be your only safeguard in production environments. + +In the event that Langflow could execute untrusted or LLM-generated code, run Langflow in an isolated and containerized execution environment. + For more information, see [Security](/security). diff --git a/docs/docs/Develop/environment-variables.mdx b/docs/docs/Develop/environment-variables.mdx index d8ee23c17aac..e9b77f58fa88 100644 --- a/docs/docs/Develop/environment-variables.mdx +++ b/docs/docs/Develop/environment-variables.mdx 
@@ -433,7 +433,7 @@ See [Telemetry](/contributing-telemetry). | `LANGFLOW_AUTO_SAVING_INTERVAL` | Integer | `1000` | Set the auto-save interval in milliseconds if `LANGFLOW_AUTO_SAVING=True`. | | `LANGFLOW_BUNDLE_URLS` | List[String] | `[]` | A list of URLs from which to load custom bundles. Supports GitHub URLs. If `LANGFLOW_AUTO_LOGIN=True`, flows from these bundles are loaded into the database. | | `LANGFLOW_COMPONENTS_PATH` | String | Not set | Path to a directory containing custom components. Typically used if you have local custom components or you are building a Docker image with custom components. | -| `LANGFLOW_ALLOW_CUSTOM_COMPONENTS` | Boolean | `True` | If `false`, disables custom components and in-editor editing of component code. For more information, see [Block custom components](../Deployment/deployment-block-custom-components.mdx). | +| `LANGFLOW_ALLOW_CUSTOM_COMPONENTS` | Boolean | `True` | If `false`, disables custom components and in-editor editing of component code. This feature is in beta. For more information, see [Block custom components](../Deployment/deployment-block-custom-components.mdx). | | `LANGFLOW_LOAD_FLOWS_PATH` | String | Not set | Path to a directory containing flow JSON files to be loaded on startup. Typically used when creating a Docker image with prepackaged flows. Requires `LANGFLOW_AUTO_LOGIN=True`. | | `LANGFLOW_CREATE_STARTER_PROJECTS` | Boolean | `True` | Whether to create templates during initialization. If `false`, Langflow doesn't create templates, and `LANGFLOW_UPDATE_STARTER_PROJECTS` is treated as `false`. | | `LANGFLOW_UPDATE_STARTER_PROJECTS` | Boolean | `True` | Whether to update templates with the latest component versions when initializing after an upgrade. |
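Review bot: In the new deployment-block-custom-components.mdx (PATCH 1/3), the phrase "to prevent arbitrary code execution" in the second sentence claims more than the setting is described as doing. The page says `false` "blocks creating custom components and changing code in the visual editor", while the security.mdx context in this series notes that "some components wrap and use code execution, including use of AI models to generate code to be executed based on user input". Suggest wording it as reducing the ways a user can run their own code, and stating whether those code-executing components are affected when the variable is `false`.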
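Review bot: The link text "blocking custom component execution" added to security.mdx in PATCH 1/3 (and carried through PATCH 2/3) does not match the page it points to, which describes blocking the creation of custom components and the editing of component code, not execution. Suggest "blocking custom component creation" so readers do not assume that existing code stops running. The same line also changes "isolated or containerized" to "isolated and containerized", which turns an either-or recommendation into a requirement for both; confirm that this is intended.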
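Review bot: The new `LANGFLOW_ALLOW_CUSTOM_COMPONENTS` row in environment-variables.mdx (PATCH 1/3) sits directly under `LANGFLOW_COMPONENTS_PATH` ("Path to a directory containing custom components") and `LANGFLOW_BUNDLE_URLS` ("A list of URLs from which to load custom bundles"), but it does not say how it interacts with either. An operator hardening a server needs to know whether components from that directory or those bundles still load and run when the value is `false`; add one sentence to the row or to the linked page.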
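Review bot: The 1.9.x entry added to release-notes.mdx in PATCH 1/3 is never updated with the beta caveat that PATCH 3/3 adds to the new page and to the environment variable table ("This feature is in beta."). Release notes are where many operators first see the setting, so the entry should carry the same caveat. The bullet title "Disable custom components" also differs from the page and sidebar label "Block custom components"; use one verb throughout.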
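Review bot: After PATCH 2/3 the edited paragraph in security.mdx mixes two link styles, `./deployment-block-custom-components.mdx` on one line and `/develop-application` on the next, and the new page itself still links with `/environment-variables` and `/security`. The subject "fix-broken-links" does not say why only the three links to the new page needed file paths. Either note the reason in the commit message or use one link style for the touched paragraphs.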
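Review bot: The beta caveat added to deployment-block-custom-components.mdx in PATCH 3/3 is placed at the bottom of the page, after the behavior description, and "should not be your only safeguard in production environments" does not say what the setting leaves uncovered. Suggest moving it up to sit right after the `LANGFLOW_ALLOW_CUSTOM_COMPONENTS=false` block and naming the gap, so the following sentence about an "isolated and containerized execution environment" reads as the concrete mitigation rather than a repeat of the security.mdx text.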