CVE-2026-27966
Remote Code Execution via CSV Agent in Langflow Before
Publication date: 2026-02-26
Last updated on: 2026-02-28
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| langflow | langflow | up to 1.8.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27966 is a critical Remote Code Execution (RCE) vulnerability in the CSV Agent node of the Langflow AI tool. Prior to version 1.8.0, the CSV Agent hardcoded the parameter `allow_dangerous_code=True`, which enabled LangChain's Python REPL tool (`python_repl_ast`). This allowed any output from the attached Large Language Model (LLM) containing Python code execution commands to run arbitrary Python and OS commands on the server without restriction or user interaction.

An attacker can exploit this vulnerability via prompt injection to execute arbitrary commands on the server, leading to full remote code execution. For example, commands like `__import__("os").system("echo pwned > /tmp/pwned")` could be run, demonstrating the ability to execute OS commands remotely.

The vulnerability exists because the CSV Agent automatically allows dangerous code execution by default, without any UI toggle or environment variable to disable it. The issue was fixed in version 1.8.0 by introducing a new boolean flag `allow_dangerous_code` which defaults to `false`, preventing arbitrary code execution unless explicitly enabled. [1, 2]
How can this vulnerability impact me?
This vulnerability can have severe impacts as it allows an attacker to execute arbitrary Python and operating system commands on the server running Langflow. This means an attacker can take full control of the server remotely without any privileges or user interaction.
- Complete compromise of server confidentiality, integrity, and availability.
- Execution of malicious commands leading to data theft, data destruction, or unauthorized access.
- Potential disruption of services hosted on the affected server.
- Creation of backdoors or persistence mechanisms by attackers.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the Langflow installation is running a version prior to 1.8.0 and if the CSV Agent node is configured with the parameter `allow_dangerous_code` set to true or hardcoded as true.

One practical detection method is to look for evidence of arbitrary Python or OS command execution triggered via prompt injection, such as unexpected files created on the server (e.g., `/tmp/pwned`) or suspicious process activity related to `python_repl_ast`.

You can also inspect the source code or configuration files for the presence of the hardcoded parameter `allow_dangerous_code=True` in the CSV Agent component.

Suggested commands include:
- Check the installed Langflow version: `langflow --version` or inspect the package version in your environment.
- Search for the parameter in the source code: `grep -r "allow_dangerous_code" /path/to/langflow/`
- Look for suspicious files created by exploitation attempts, e.g., `ls -l /tmp/pwned`
- Monitor running processes for unexpected Python REPL activity: `ps aux | grep python_repl_ast`

[2, 1]
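The version and source checks described above, as an added example (not Langflow's code and not part of the original page). A plain `grep` for `allow_dangerous_code` also matches fixed releases, where the flag exists but is configurable, so this sketch parses the source and reports only calls that pass the literal `True`. The function names and both sample snippets are constructed for illustration, and the version comparison ignores pre-release tags.

```python
import ast
import re

FIXED = (1, 8, 0)  # first fixed release according to the text above


def is_affected_version(version: str) -> bool:
    """True if the numeric part of `version` is below 1.8.0 (pre-release tags ignored)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(g or 0) for g in m.groups()) < FIXED


def find_hardcoded_flag(source: str, filename: str = "<src>"):
    """Return (line, callee) for each call passing allow_dangerous_code=<literal True>."""
    hits = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:
            if (kw.arg == "allow_dangerous_code"
                    and isinstance(kw.value, ast.Constant)
                    and kw.value.value is True):
                hits.append((node.lineno, ast.unparse(node.func)))
    return hits


# Constructed samples, not Langflow's actual source.
HARDCODED = '''
def build(llm, path):
    return create_csv_agent(llm, path, verbose=True,
                            allow_dangerous_code=True)
'''
CONFIGURABLE = '''
def build(self, llm, path):
    # allow_dangerous_code=True in a comment is matched by grep, not by the AST
    return create_csv_agent(llm, path,
                            allow_dangerous_code=self.allow_dangerous_code)
'''

if __name__ == "__main__":
    for name, src in (("hardcoded", HARDCODED), ("configurable", CONFIGURABLE)):
        print(name, find_hardcoded_flag(src))
    print("1.7.3 affected:", is_affected_version("1.7.3"))
```

To audit a real installation, read each `.py` file under the package directory and pass its text to `find_hardcoded_flag`.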
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation is to upgrade Langflow to version 1.8.0 or later, where the vulnerability is fixed by setting the allow_dangerous_code flag to false by default.
If upgrading is not immediately possible, manually ensure that the CSV Agent component is configured with allow_dangerous_code set to false to disable arbitrary Python code execution.
Avoid enabling the allow_dangerous_code flag unless the input sources are fully trusted and you understand the security implications.
Additionally, monitor your system for signs of exploitation such as unexpected file creation or unusual process activity and restrict network access to the Langflow service to trusted users only.