CVE-2026-27966
Received Received - Intake
Remote Code Execution via CSV Agent in Langflow Before

Publication date: 2026-02-26

Last updated on: 2026-02-28

Assigner: GitHub, Inc.

Description
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.8.0, the CSV Agent node in Langflow hardcodes `allow_dangerous_code=True`, which automatically exposes LangChain’s Python REPL tool (`python_repl_ast`). As a result, an attacker can execute arbitrary Python and OS commands on the server via prompt injection, leading to full Remote Code Execution (RCE). Version 1.8.0 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-26
Last Modified
2026-02-28
Generated
2026-06-16
AI Q&A
2026-02-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27966
EUVD
EUVD-2026-8819
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
langflow langflow to 1.8.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-27966 is a critical Remote Code Execution (RCE) vulnerability in the CSV Agent node of the Langflow AI tool. Prior to version 1.8.0, the CSV Agent hardcoded the parameter `allow_dangerous_code=True`, which enabled LangChain's Python REPL tool (`python_repl_ast`). This allowed any output from the attached Large Language Model (LLM) containing Python code execution commands to run arbitrary Python and OS commands on the server without restriction or user interaction."}, {'type': 'paragraph', 'content': 'An attacker can exploit this vulnerability via prompt injection to execute arbitrary commands on the server, leading to full remote code execution. For example, commands like `__import__("os").system("echo pwned > /tmp/pwned")` could be run, demonstrating the ability to execute OS commands remotely.'}, {'type': 'paragraph', 'content': 'The vulnerability exists because the CSV Agent automatically allows dangerous code execution by default, without any UI toggle or environment variable to disable it. The issue was fixed in version 1.8.0 by introducing a new boolean flag `allow_dangerous_code` which defaults to `false`, preventing arbitrary code execution unless explicitly enabled.'}] [1, 2]

Impact Analysis

This vulnerability can have severe impacts as it allows an attacker to execute arbitrary Python and operating system commands on the server running Langflow. This means an attacker can take full control of the server remotely without any privileges or user interaction.

  • Complete compromise of server confidentiality, integrity, and availability.
  • Execution of malicious commands leading to data theft, data destruction, or unauthorized access.
  • Potential disruption of services hosted on the affected server.
  • Creation of backdoors or persistence mechanisms by attackers.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if the Langflow installation is running a version prior to 1.8.0 and if the CSV Agent node is configured with the parameter allow_dangerous_code set to true or hardcoded as true.'}, {'type': 'paragraph', 'content': 'One practical detection method is to look for evidence of arbitrary Python or OS command execution triggered via prompt injection, such as unexpected files created on the server (e.g., /tmp/pwned) or suspicious process activity related to python_repl_ast.'}, {'type': 'paragraph', 'content': 'You can also inspect the source code or configuration files for the presence of the hardcoded parameter allow_dangerous_code=True in the CSV Agent component.'}, {'type': 'paragraph', 'content': 'Suggested commands include:'}, {'type': 'list_item', 'content': 'Check the installed Langflow version: `langflow --version` or inspect the package version in your environment.'}, {'type': 'list_item', 'content': 'Search for the parameter in the source code: `grep -r "allow_dangerous_code" /path/to/langflow/`'}, {'type': 'list_item', 'content': 'Look for suspicious files created by exploitation attempts, e.g., `ls -l /tmp/pwned`'}, {'type': 'list_item', 'content': 'Monitor running processes for unexpected Python REPL activity: `ps aux | grep python_repl_ast`'}] [2, 1]

Mitigation Strategies

The immediate and recommended mitigation is to upgrade Langflow to version 1.8.0 or later, where the vulnerability is fixed by setting the allow_dangerous_code flag to false by default.

If upgrading is not immediately possible, manually ensure that the CSV Agent component is configured with allow_dangerous_code set to false to disable arbitrary Python code execution.

Avoid enabling the allow_dangerous_code flag unless the input sources are fully trusted and you understand the security implications.

Additionally, monitor your system for signs of exploitation such as unexpected file creation or unusual process activity and restrict network access to the Langflow service to trusted users only.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27966. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart