CVE-2026-27966

9.8 CRITICAL

📋 TL;DR

This vulnerability in Langflow's CSV Agent node allows attackers to execute arbitrary Python and OS commands on the server via prompt injection, leading to full Remote Code Execution (RCE). It affects all Langflow deployments using versions before 1.8.0 where the CSV Agent node is enabled. The issue stems from hardcoded dangerous code execution settings that expose LangChain's Python REPL tool.

💻 Affected Systems

Products:
  • Langflow
Versions: All versions prior to 1.8.0
Operating Systems: All operating systems running Langflow
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists when CSV Agent node is used; however, this is a core component of Langflow workflows.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise allowing data theft, lateral movement, persistence establishment, and full system control.

🟠 Likely Case

Attacker gains shell access to execute commands, potentially stealing sensitive data, installing malware, or disrupting services.

🟢 If Mitigated

Limited impact if proper network segmentation, least privilege, and monitoring are in place, though RCE still poses significant risk.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires prompt injection through the CSV Agent node interface, which typically requires some level of access to the Langflow application.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.8.0

Vendor Advisory: https://github.com/langflow-ai/langflow/security/advisories/GHSA-3645-fxcv-hqr4

Restart Required: Yes

Instructions:

1. Update Langflow to version 1.8.0 or later using pip: 'pip install --upgrade langflow==1.8.0'
2. Restart the Langflow service or application
3. Verify the update with 'langflow --version'

🔧 Temporary Workarounds

Disable CSV Agent Node

all

Temporarily disable or remove the CSV Agent node from all workflows to prevent exploitation.

Network Isolation

all

Restrict network access to Langflow instances to trusted users only using firewall rules.

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for all user inputs to the CSV Agent node
  • Deploy Langflow in a containerized environment with minimal privileges and network restrictions

🔍 How to Verify

Check if Vulnerable:

Check whether the Langflow version is below 1.8.0 and whether the CSV Agent node is present in any workflows.

Check Version:

langflow --version

Verify Fix Applied:

Confirm that the Langflow version is 1.8.0 or higher and that commit d8c6480daa17b2f2af0b5470cdf5c3d28dc9e508 has been applied.
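
An added example (not from the advisory or the Langflow project) that automates the "Check if Vulnerable" step: it compares a version string against 1.8.0 and scans an exported flow for CSV Agent nodes. The flow JSON layout and the `CSVAgent` type name are assumptions about Langflow's export format, and the sample flow is constructed.

```python
import json
import re

FIXED = (1, 8, 0)  # patch version stated in the advisory

def is_vulnerable_version(version: str) -> bool:
    """True if version is prior to 1.8.0; pre-releases of 1.8.0 count as unpatched."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?(\S*)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = tuple(int(g or 0) for g in m.groups()[:3])
    if nums != FIXED:
        return nums < FIXED
    # Same numbers as the fix: a suffix like rc1 / .dev3 / a2 marks a pre-release.
    return bool(re.match(r"[.\-]?(a|b|rc|dev)", m.group(4), re.I))

def find_csv_agent_nodes(flow: dict) -> list:
    """Return ids of nodes whose type or display name normalizes to 'csvagent'."""
    hits = []
    def walk(obj, node_id=None):
        if isinstance(obj, dict):
            node_id = obj.get("id", node_id)
            for key in ("type", "display_name"):  # assumed field names
                val = obj.get(key)
                if isinstance(val, str) and re.sub(r"[\s_-]", "", val).lower() == "csvagent":
                    if node_id not in hits:
                        hits.append(node_id)
            for child in obj.values():
                walk(child, node_id)
        elif isinstance(obj, list):
            for child in obj:
                walk(child, node_id)
    walk(flow)
    return hits

def assess(version: str, flow: dict) -> dict:
    """Combine both checks: exposed only if unpatched AND a CSV Agent node exists."""
    vuln, nodes = is_vulnerable_version(version), find_csv_agent_nodes(flow)
    return {"version_vulnerable": vuln, "csv_agent_nodes": nodes,
            "exposed": vuln and bool(nodes)}

# Constructed sample flow export (not real Langflow output).
SAMPLE_FLOW = json.loads("""{"data": {"nodes": [
  {"id": "ChatInput-a1", "data": {"type": "ChatInput", "node": {"display_name": "Chat Input"}}},
  {"id": "CSVAgent-b2", "data": {"type": "CSVAgent", "node": {"display_name": "CSV Agent"}}}
]}}""")

if __name__ == "__main__":
    print(assess("1.7.3", SAMPLE_FLOW))
```

Pass the string printed by 'langflow --version' as the first argument and each exported flow, loaded with `json.load`, as the second.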

📡 Detection & Monitoring

Log Indicators:

  • Unusual Python execution patterns
  • Suspicious OS commands in Langflow logs
  • Multiple failed prompt injection attempts

Network Indicators:

  • Unexpected outbound connections from Langflow server
  • Traffic to known malicious IPs

SIEM Query:

source="langflow.logs" AND ("python_repl_ast" OR "allow_dangerous_code" OR "os.system" OR "subprocess")
