Cyber Posture

CVE-2026-27966

Critical · Public PoC

Published: 26 February 2026

Modified: 28 February 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.3658 (97.2th percentile)
Risk Priority: 42 (60% EPSS · 20% KEV · 20% CVSS)

Description

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.8.0, the CSV Agent node in Langflow hardcodes `allow_dangerous_code=True`, which automatically exposes LangChain's Python REPL tool (`python_repl_ast`). As a result, an attacker can execute arbitrary Python and OS commands on the server via prompt injection, leading to full Remote Code Execution (RCE). Version 1.8.0 fixes the issue.

Mitigating Controls (NIST 800-53 r5) · AI

Prevent: Timely patching to version 1.8.0 directly remediates the hardcoded `allow_dangerous_code=True` setting that exposes the Python REPL tool.

Prevent: Least functionality restricts or prohibits unnecessary dangerous features like the `python_repl_ast` tool in the CSV Agent node.

Prevent: Input validation on user prompts checks for and blocks malicious injections targeting the exposed REPL tool.
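As an added example (not Langflow's or LangChain's code), one way to audit a Python codebase for the setting these controls address: an AST scan that reports every call binding `allow_dangerous_code` to a truthy literal or to a runtime expression that needs tracing. The sample source, `settings.unsafe` and `factory.build` are constructed for illustration.

```python
import ast

FLAG = "allow_dangerous_code"  # keyword quoted in the CVE description


def _verdict(value: ast.expr):
    """Classify the expression bound to the flag."""
    if isinstance(value, ast.Constant):
        # Literal False/None/0 keeps the REPL tool off; any other literal enables it.
        return "hardcoded-on" if value.value else None
    return "dynamic"  # variable, attribute, env lookup: a human must trace it


def _flag_values(call: ast.Call):
    """Yield every expression this call binds to FLAG."""
    for kw in call.keywords:
        if kw.arg == FLAG:
            yield kw.value
        elif kw.arg is None and isinstance(kw.value, ast.Dict):
            # The flag passed as **{"allow_dangerous_code": ...} dict literal
            for key, val in zip(kw.value.keys, kw.value.values):
                if isinstance(key, ast.Constant) and key.value == FLAG:
                    yield val


def find_dangerous_flags(source: str, filename: str = "<src>"):
    """Return sorted (line, callee, verdict) for calls that may enable the flag."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if isinstance(node, ast.Call):
            for value in _flag_values(node):
                verdict = _verdict(value)
                if verdict:
                    findings.append((node.lineno, ast.unparse(node.func), verdict))
    return sorted(findings)


# Constructed sample input, not Langflow's source; names are hypothetical.
SAMPLE = '''\
from langchain_experimental.agents import create_csv_agent
a = create_csv_agent(llm, path, allow_dangerous_code=True)
b = create_csv_agent(llm, path, allow_dangerous_code=False)
c = create_csv_agent(llm, path, allow_dangerous_code=settings.unsafe)
d = factory.build(llm, **{"allow_dangerous_code": True})
'''

if __name__ == "__main__":
    for line, callee, verdict in find_dangerous_flags(SAMPLE):
        print(f"line {line}: {callee}(... {FLAG} ...) -> {verdict}")
```

A "dynamic" finding is not a confirmed exposure; it marks a call where the value has to be traced back to configuration before the node can be considered safe.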

Security Summary · AI

CVE-2026-27966 is a critical remote code execution vulnerability in Langflow, an open-source tool for building and deploying AI-powered agents and workflows. In versions prior to 1.8.0, the CSV Agent node hardcodes the `allow_dangerous_code=True` parameter, which automatically exposes LangChain's Python REPL tool (`python_repl_ast`). This flaw, classified under CWE-94 (Code Injection) with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), enables attackers to execute arbitrary Python code and operating system commands on the affected server through prompt injection attacks.

The vulnerability can be exploited by any unauthenticated attacker with network access to the Langflow instance, requiring no privileges, user interaction, or special complexity. Successful exploitation grants full remote code execution (RCE), allowing attackers to run malicious Python scripts or OS commands, potentially leading to complete server compromise, data theft, persistence, or lateral movement within the environment.

The Langflow security advisory (GHSA-3645-fxcv-hqr4) and the fixing commit (d8c6480daa17b2f2af0b5470cdf5c3d28dc9e508) confirm that upgrading to version 1.8.0 resolves the issue by addressing the hardcoded dangerous code allowance in the CSV Agent node.

This vulnerability highlights risks in AI/ML workflow tools like Langflow, where prompt injection can bypass safeguards in agentic systems relying on LangChain components. No public evidence of real-world exploitation has been reported as of the CVE publication on 2026-02-26.

Details

CWE(s)

Affected Products

langflow
langflow
≤ 1.8.0

AI Security Analysis · AI

AI Category: NLP and Transformers
Risk Domain: LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025: None mapped
MITRE ATLAS Techniques: None mapped
Classification Reason: Matched keywords: ai, langchain, prompt injection

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.006 Python (Execution)
Adversaries may abuse Python commands and scripts for execution.
Why these techniques?

The CVE enables unauthenticated RCE in a public-facing Langflow application (T1190) via prompt injection, which exposes the Python REPL for arbitrary code and OS command execution (T1059.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References