CVE-2026-27966

CRITICAL

Langflow < 1.8.0 - Remote Code Execution via CSV Agent Node


Exploitation Summary

EIP tracks 3 public exploits for CVE-2026-27966. PoCs published by XiaomingX, Anon-Cyber-Team, weblover12, Takahiro Yokoyama, including Metasploit module exploits/multi/http/langflow_rce_cve_2026_27966.

AI-analyzed exploit summary: This repository contains a functional exploit tool for CVE-2026-27966, a critical RCE vulnerability in Langflow. The tool includes multi-threaded scanning, automatic detection, and interactive shell capabilities for remote command execution.

Description

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.8.0, the CSV Agent node in Langflow hardcodes `allow_dangerous_code=True`, which automatically exposes LangChain’s Python REPL tool (`python_repl_ast`). As a result, an attacker can execute arbitrary Python and OS commands on the server via prompt injection, leading to full Remote Code Execution (RCE). Version 1.8.0 fixes the issue.

Exploits (3)

github · WORKING POC · 10 stars
by XiaomingX · python · poc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-27966


Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Langflow (version not specified)
Authentication: none needed
Prerequisites: Network access to vulnerable Langflow instance · Python 3.6+ environment
Analyzed by devstral-2 on Mar 07, 2026
nomisec · WORKING POC
by Anon-Cyber-Team · poc
https://github.com/Anon-Cyber-Team/CVE-2026-27966--RCE-in-Langflow

The repository contains a functional exploit tool for CVE-2026-27966, targeting a Remote Code Execution (RCE) vulnerability in Langflow. The tool includes features for scanning, detection, and exploitation, with support for multi-threading, proxy usage, and interactive shell access.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Langflow
Authentication: none needed
Prerequisites: Target running vulnerable Langflow instance · Network access to the target
Analyzed by devstral-2 on Mar 06, 2026
metasploit · WORKING POC · EXCELLENT
by weblover12, Takahiro Yokoyama · ruby · poc · python
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/langflow_rce_cve_2026_27966.rb

This Metasploit module exploits CVE-2026-27966, a vulnerability in Langflow's CSV Agent node that hardcodes `allow_dangerous_code=True`, enabling arbitrary Python and OS command execution via prompt injection. The exploit automates the creation of a malicious flow, uploads it, and triggers execution to achieve RCE.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Langflow < 1.8.0
Authentication: required
Prerequisites: Valid Langflow API key · Access to an attacker-controlled OLLAMA API endpoint · Valid OLLAMA model name
Analyzed by devstral-2 on Apr 23, 2026

Scores

CVSS v3: 9.8
EPSS: 0.4102
EPSS Percentile: 97.5%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment:
Exploitation: poc
Automatable: yes
Technical Impact: total

Details

CWE: CWE-94
Status: published
Products (2):
langflow/langflow < 1.8.0
pypi/langflow (PyPI)
Published: Feb 26, 2026
Tracked Since: Feb 26, 2026