CVE-2026-27966
Published: 26 February 2026
Summary
CVE-2026-27966 is a critical-severity Code Injection (CWE-94) vulnerability in Langflow. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 1.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
This vulnerability is AI-related: it is categorised as LLM Application Platforms, in the LLM/Generative AI Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-27966 is a critical remote code execution vulnerability in Langflow, an open-source tool for building and deploying AI-powered agents and workflows. In versions prior to 1.8.0, the CSV Agent node hardcodes the `allow_dangerous_code=True` parameter, which automatically exposes LangChain's Python REPL tool (`python_repl_ast`). This flaw, classified under CWE-94 (Code Injection) with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), enables attackers to execute arbitrary Python code and operating system commands on the affected server through prompt injection attacks.
The vulnerability can be exploited by any unauthenticated attacker with network access to the Langflow instance, requiring no privileges, user interaction, or special complexity. Successful exploitation grants full remote code execution (RCE), allowing attackers to run malicious Python scripts or OS commands, potentially leading to complete server compromise, data theft, persistence, or lateral movement within the environment.
The Langflow security advisory (GHSA-3645-fxcv-hqr4) and the fixing commit (d8c6480daa17b2f2af0b5470cdf5c3d28dc9e508) confirm that upgrading to version 1.8.0 resolves the issue by addressing the hardcoded dangerous code allowance in the CSV Agent node.
This vulnerability highlights risks in AI/ML workflow tools like Langflow, where prompt injection can bypass safeguards in agentic systems relying on LangChain components. No public evidence of real-world exploitation has been reported as of the CVE publication on 2026-02-26.
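A defender-side check for the pattern described above, as an added example that is not Langflow's or LangChain's own code: it parses Python source and reports every call that passes `allow_dangerous_code`, separating the hardcoded `True` case from values computed at runtime. The sample source, the `create_csv_agent` calls inside it, and the helper names are assumptions constructed for illustration.

```python
import ast

FLAG = "allow_dangerous_code"  # keyword named in the advisory text

# Constructed sample source (not Langflow's actual code): three call styles.
SAMPLE = '''
def build_hardcoded(llm, path):
    return create_csv_agent(llm, path, allow_dangerous_code=True)

def build_safe(llm, path):
    return create_csv_agent(llm, path, allow_dangerous_code=False)

def build_configurable(llm, path, opt_in):
    return create_csv_agent(llm, path, allow_dangerous_code=opt_in)
'''

def _callee(node):
    """Short name of the function or method being called."""
    func = node.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return "<expr>"

def find_dangerous_flag(source, filename="<sample>"):
    """Return sorted (line, callee, verdict) for calls that pass FLAG.

    'hardcoded-true': the literal True is passed (the advisory's pattern).
    'dynamic': the value is computed; review who controls it.
    A literal False is not reported.
    """
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:
            if kw.arg != FLAG:
                continue
            if isinstance(kw.value, ast.Constant):
                if kw.value.value is True:
                    findings.append((node.lineno, _callee(node), "hardcoded-true"))
            else:
                findings.append((node.lineno, _callee(node), "dynamic"))
    return sorted(findings)

if __name__ == "__main__":
    for line, callee, verdict in find_dangerous_flag(SAMPLE):
        print(f"<sample>:{line}: {callee}({FLAG}=...) -> {verdict}")
```

Run over a checked-out source tree, a `hardcoded-true` finding is the case to fix first; a `dynamic` finding needs a manual trace of where the value comes from.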
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8819
Vulnerability details
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.8.0, the CSV Agent node in Langflow hardcodes `allow_dangerous_code=True`, which automatically exposes LangChain’s Python REPL tool (`python_repl_ast`). As a result, an attacker can execute arbitrary Python and OS commands on the server via prompt injection, leading to full Remote Code Execution (RCE). Version 1.8.0 fixes the issue.
AI Security Analysis
- AI Category: LLM Application Platforms
- Risk Domain: LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai, langchain, langflow, prompt injection
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE enables unauthenticated RCE in a public-facing Langflow application (T1190) via prompt injection exposing Python REPL for arbitrary code and OS command execution (T1059.006).
Mitigating Controls (NIST 800-53 r5)
Timely patching to version 1.8.0 directly remediates the hardcoded allow_dangerous_code=True setting that exposes the Python REPL tool.
Least functionality restricts or prohibits unnecessary dangerous features like the python_repl_ast tool in the CSV Agent node.
Input validation on user prompts checks for and blocks malicious injections targeting the exposed REPL tool.