CVE-2026-27966

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.8.0, the CSV Agent node in Langflow hardcodes `allow_dangerous_code=True`, which automatically exposes LangChain’s Python REPL tool (`python_repl_ast`). As a result, an attacker can execute arbitrary Python and OS commands on the server via prompt injection, leading to full Remote Code Execution (RCE). Version 1.8.0 fixes the issue.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/langflow-ai/langflow/commit/d8c6480daa17b2f2af0b5470cdf5c3d28dc9e508	Patch
https://github.com/langflow-ai/langflow/security/advisories/GHSA-3645-fxcv-hqr4	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-26 02:16

Updated : 2026-02-28 00:54

NVD link : CVE-2026-27966

Mitre link : CVE-2026-27966

CVE.ORG link : CVE-2026-27966

JSON object : View

Products Affected

langflow

langflow

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

{"id": "CVE-2026-27966", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2026-02-26T02:16:23.833", "references": [{"url": "https://github.com/langflow-ai/langflow/commit/d8c6480daa17b2f2af0b5470cdf5c3d28dc9e508", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-3645-fxcv-hqr4", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.8.0, the CSV Agent node in Langflow hardcodes `allow_dangerous_code=True`, which automatically exposes LangChain\u2019s Python REPL tool (`python_repl_ast`). As a result, an attacker can execute arbitrary Python and OS commands on the server via prompt injection, leading to full Remote Code Execution (RCE). Version 1.8.0 fixes the issue."}, {"lang": "es", "value": "Langflow es una herramienta para construir y desplegar agentes y flujos de trabajo impulsados por IA. Antes de la versi\u00f3n 1.8.0, el nodo CSV Agent en Langflow codifica de forma r\u00edgida 'allow_dangerous_code=True', lo que expone autom\u00e1ticamente la herramienta Python REPL de LangChain ('python_repl_ast'). Como resultado, un atacante puede ejecutar comandos arbitrarios de Python y del sistema operativo en el servidor a trav\u00e9s de inyecci\u00f3n de prompts, lo que lleva a una ejecuci\u00f3n remota de c\u00f3digo (RCE) completa. La versi\u00f3n 1.8.0 soluciona el problema."}], "lastModified": "2026-02-28T00:54:27.840", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2F2C3DDC-4ECF-4814-AC58-D3D09E54D9B2", "versionEndExcluding": "1.8.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}