Description
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.9.0, the Agentic Assistant feature in Langflow executes LLM-generated Python code during its validation phase. Although this phase appears intended to validate generated component code, the implementation reaches dynamic execution sinks and instantiates the generated class server-side. In deployments where an attacker can access the Agentic Assistant feature and influence the model output, this can result in arbitrary server-side Python execution. Version 1.9.0 fixes the issue.
Published: 2026-03-27
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Authenticated server‑side Python execution
Action: Immediate Patch
AI Analysis

Impact

The identified flaw resides in the Agentic Assistant validation component of Langflow. During the validation of LLM‑generated Python scripts, the code is executed on the server without adequate input sanitisation. This allows an attacker who can influence the model output to trigger arbitrary Python execution in the application’s runtime, effectively granting full control over the server. The weakness is a classic instance of unsafe dynamic code execution, mapped to CWE‑94.

Affected Systems

All installations of Langflow running a version earlier than 1.9.0 pose a risk when the Agentic Assistant feature is exposed to users. The failure applies globally within the product when an authenticated user can supply prompts that affect the model’s response. The description does not list specific sub‑products; however, any deployment that exposes this feature is potentially affected.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.3, indicating critical severity, but the EPSS score is below 1%, suggesting that automated exploitation is presently uncommon. The attack requires authenticated access to the Agentic Assistant endpoint and the ability to craft model inputs that produce malicious code; once these conditions are met, an attacker can execute arbitrary instructions on the server. The CVE is not currently on the CISA KEV catalog.

Generated by OpenCVE AI on April 3, 2026 at 20:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Langflow to version 1.9.0 or later.
  • If an upgrade is delayed, disable the Agentic Assistant feature or restrict its use to trusted users.
  • Ensure only authenticated users can access the feature and monitor for anomalous execution logs.

Generated by OpenCVE AI on April 3, 2026 at 20:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-v8hw-mh8c-jxfc Langflow has Authenticated Code Execution in Agentic Assistant Validation
References
Link Providers
https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/api/router.py#L252-L297 cve-icon cve-icon
https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/api/schemas.py#L20-L31 cve-icon cve-icon
https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/helpers/code_extraction.py#L11-L53 cve-icon cve-icon
https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/helpers/validation.py#L27-L47 cve-icon cve-icon
https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/services/assistant_service.py#L142-L156 cve-icon cve-icon
https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/services/assistant_service.py#L259-L300 cve-icon cve-icon
https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/services/assistant_service.py#L58-L79 cve-icon cve-icon
https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/api/utils/core.py#L38 cve-icon cve-icon
https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/api/v1/login.py#L96-L135 cve-icon cve-icon
https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/services/auth/utils.py#L156-L163 cve-icon cve-icon
https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/services/auth/utils.py#L39-L53 cve-icon cve-icon
https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/lfx/src/lfx/custom/validate.py#L241-L272 cve-icon cve-icon
https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/lfx/src/lfx/custom/validate.py#L394-L399 cve-icon cve-icon
https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/lfx/src/lfx/custom/validate.py#L441-L443 cve-icon cve-icon
https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/lfx/src/lfx/services/settings/auth.py#L71-L87 cve-icon cve-icon
https://github.com/langflow-ai/langflow/security/advisories/GHSA-v8hw-mh8c-jxfc cve-icon cve-icon
History

Fri, 03 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Thu, 02 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 08:15:00 +0000

Type Values Removed Values Added
First Time appeared Langflow
Langflow langflow
Vendors & Products Langflow
Langflow langflow

Sat, 28 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Description Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.9.0, the Agentic Assistant feature in Langflow executes LLM-generated Python code during its validation phase. Although this phase appears intended to validate generated component code, the implementation reaches dynamic execution sinks and instantiates the generated class server-side. In deployments where an attacker can access the Agentic Assistant feature and influence the model output, this can result in arbitrary server-side Python execution. Version 1.9.0 fixes the issue.
Title Langflow has Authenticated Code Execution in Agentic Assistant Validation
Weaknesses CWE-94
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N'}

Subscriptions

Langflow Langflow
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T13:03:34.809Z

Reserved: 2026-03-24T15:10:05.679Z

Link: CVE-2026-33873

cve-icon Vulnrichment

Updated: 2026-03-27T20:31:00.823Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-27T21:17:23.953

Modified: 2026-04-03T17:03:54.760

Link: CVE-2026-33873

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T21:17:58Z

Weaknesses