CVE-2026-27966
Published: 26 February 2026
Description
Adversaries may abuse Python commands and scripts for execution.
Security Summary
CVE-2026-27966 is a critical remote code execution vulnerability in Langflow, an open-source tool for building and deploying AI-powered agents and workflows. In versions prior to 1.8.0, the CSV Agent node hardcodes the `allow_dangerous_code=True` parameter, which automatically exposes LangChain's Python REPL tool (`python_repl_ast`). This flaw, classified under CWE-94 (Code Injection) with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), enables attackers to execute arbitrary Python code and operating system commands on the affected server through prompt injection attacks.
The vulnerability can be exploited by any unauthenticated attacker with network access to the Langflow instance, requiring no privileges, user interaction, or special complexity. Successful exploitation grants full remote code execution (RCE), allowing attackers to run malicious Python scripts or OS commands, potentially leading to complete server compromise, data theft, persistence, or lateral movement within the environment.
The Langflow security advisory (GHSA-3645-fxcv-hqr4) and the fixing commit (d8c6480daa17b2f2af0b5470cdf5c3d28dc9e508) confirm that upgrading to version 1.8.0 resolves the issue by addressing the hardcoded dangerous code allowance in the CSV Agent node.
This vulnerability highlights risks in AI/ML workflow tools like Langflow, where prompt injection can bypass safeguards in agentic systems relying on LangChain components. No public evidence of real-world exploitation has been reported as of the CVE publication on 2026-02-26.
Details
- CWE(s)
Affected Products
AI Security Analysis
- AI Category: NLP and Transformers
- Risk Domain: LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025: None mapped
- MITRE ATLAS Techniques: None mapped
- Classification Reason: Matched keywords: ai, langchain, prompt injection
MITRE ATT&CK Enterprise Techniques
Why these techniques?
This CVE enables unauthenticated RCE in a public-facing Langflow application (T1190) via prompt injection, which exposes the Python REPL for arbitrary code and OS command execution (T1059.006).