CVE-2026-27966

Medienbericht

Exploit

EPSS 33.69%
Veröffentlicht 26.02.2026 01:55:18
Zuletzt bearbeitet 28.02.2026 00:54:27
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Langflow has Remote Code Execution in CSV Agent

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.8.0, the CSV Agent node in Langflow hardcodes `allow_dangerous_code=True`, which automatically exposes LangChain’s Python REPL tool (`python_repl_ast`). As a result, an attacker can execute arbitrary Python and OS commands on the server via prompt injection, leading to full Remote Code Execution (RCE). Version 1.8.0 fixes the issue.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Langflow ≫ Langflow Version < 1.8.0

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	33.69%	0.982

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.

VulnDex Intel

Media Report

17.03.2026 22:20

https://github.com/langflow-ai/langflow/security/advisories/GHSA-3645-fxcv-hqr4

Vendor Advisory

Exploit

https://github.com/langflow-ai/langflow/commit/d8c6480daa17b2f2af0b5470cdf5c3d28dc9e508

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-27966

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-27966

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-27966

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-27966