Description
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.8.0, the CSV Agent node in Langflow hardcodes `allow_dangerous_code=True`, which automatically exposes LangChain’s Python REPL tool (`python_repl_ast`). As a result, an attacker can execute arbitrary Python and OS commands on the server via prompt injection, leading to full Remote Code Execution (RCE). Version 1.8.0 fixes the issue.
Published: 2026-02-26
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch
AI Analysis

Impact

Langflow exposes its CSV Agent node with a hardcoded flag that automatically enables a Python REPL tool. By injecting malicious prompts, an attacker can execute arbitrary Python or operating‑system commands on the server, granting full remote code execution. The flaw is a code injection vulnerability (CWE-94).

Affected Systems

The vulnerability is present in the langflow‑ai langflow product in all releases prior to version 1.8.0. Users running Langflow 1.7.x or earlier are at risk.

Risk and Exploitability

The CVSS score of 9.8 marks the vulnerability as critical. The EPSS score of less than 1% suggests that exploitation is unlikely at this time, and it is not listed in CISA’s KEV catalog. The likely attack vector is a remote prompt injection into the CSV Agent node, which can be performed by anyone with the ability to add or modify a workflow that uses this node. Once exploited, the attacker can run arbitrary code on the host and potentially gain full system compromise.

Generated by OpenCVE AI on April 18, 2026 at 17:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Langflow to version 1.8.0 or later, where the hard‑coded flag is removed and the vulnerability is fixed.
  • If an immediate upgrade is not possible, temporarily remove or disable the CSV Agent node from all active workflows to prevent exploitation while a fix is applied.
  • Disable the allow_dangerous_code flag or configure the CSV Agent node to reject code execution patterns, setting the flag to false if such a configuration option is available.

Generated by OpenCVE AI on April 18, 2026 at 17:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-3645-fxcv-hqr4 Langflow has Remote Code Execution in CSV Agent
History

Sat, 28 Feb 2026 01:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*

Thu, 26 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Langflow
Langflow langflow
Vendors & Products Langflow
Langflow langflow

Thu, 26 Feb 2026 02:15:00 +0000

Type Values Removed Values Added
Description Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.8.0, the CSV Agent node in Langflow hardcodes `allow_dangerous_code=True`, which automatically exposes LangChain’s Python REPL tool (`python_repl_ast`). As a result, an attacker can execute arbitrary Python and OS commands on the server via prompt injection, leading to full Remote Code Execution (RCE). Version 1.8.0 fixes the issue.
Title Langflow has Remote Code Execution in CSV Agent
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Langflow Langflow
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-28T04:55:26.622Z

Reserved: 2026-02-25T03:24:57.793Z

Link: CVE-2026-27966

cve-icon Vulnrichment

Updated: 2026-02-26T14:28:11.608Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-26T02:16:23.833

Modified: 2026-02-28T00:54:27.840

Link: CVE-2026-27966

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T17:45:06Z

Weaknesses