CVE-2026-27966

CRITICAL

Langflow <1.8.0 - RCE

Title source: llm

Description

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.8.0, the CSV Agent node in Langflow hardcodes `allow_dangerous_code=True`, which automatically exposes LangChain’s Python REPL tool (`python_repl_ast`). As a result, an attacker can execute arbitrary Python and OS commands on the server via prompt injection, leading to full Remote Code Execution (RCE). Version 1.8.0 fixes the issue.

Exploits (2)

github · WORKING POC · 10 stars
by XiaomingX · python · poc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-27966

nomisec · WORKING POC
by Anon-Cyber-Team · poc
https://github.com/Anon-Cyber-Team/CVE-2026-27966--RCE-in-Langflow

Scores

CVSS v3 9.8
EPSS 0.0041
EPSS Percentile 60.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-94
Status published

Affected Products (2)

pypi/langflow PyPI
langflow/langflow < 1.8.0

Timeline

Published Feb 26, 2026
Tracked Since Feb 26, 2026