Cyber Resilience

CVE-2026-27966

Critical · Public PoC · RCE

Published: 26 February 2026
Modified: 28 February 2026
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.3369 (98.2th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-27966 is a critical-severity Code Injection (CWE-94) vulnerability in Langflow. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 1.8% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

This vulnerability is AI-related: it is categorised as LLM Application Platforms, in the LLM/Generative AI Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-27966 is a critical remote code execution vulnerability in Langflow, an open-source tool for building and deploying AI-powered agents and workflows. In versions prior to 1.8.0, the CSV Agent node hardcodes the `allow_dangerous_code=True` parameter, which automatically exposes LangChain's Python REPL tool (`python_repl_ast`). This flaw, classified under CWE-94 (Code Injection) with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), enables attackers to execute arbitrary Python code and operating system commands on the affected server through prompt injection attacks.

The vulnerability can be exploited by any unauthenticated attacker with network access to the Langflow instance, requiring no privileges, user interaction, or special complexity. Successful exploitation grants full remote code execution (RCE), allowing attackers to run malicious Python scripts or OS commands, potentially leading to complete server compromise, data theft, persistence, or lateral movement within the environment.

The Langflow security advisory (GHSA-3645-fxcv-hqr4) and the fixing commit (d8c6480daa17b2f2af0b5470cdf5c3d28dc9e508) confirm that upgrading to version 1.8.0 resolves the issue by addressing the hardcoded dangerous code allowance in the CSV Agent node.

This vulnerability highlights risks in AI/ML workflow tools like Langflow, where prompt injection can bypass safeguards in agentic systems relying on LangChain components. No public evidence of real-world exploitation has been reported as of the CVE publication on 2026-02-26.
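A defender-side check for the pattern described above, as an added example that is not Langflow's or LangChain's own code: it walks Python source with `ast` and reports every place `allow_dangerous_code` is set, separating a hardcoded `True` from values that need manual review. The function names and the sample source are constructed for illustration.

```python
import ast

FLAG = "allow_dangerous_code"  # keyword named in the advisory

def _verdict(value):
    """Classify the expression assigned to the flag."""
    if isinstance(value, ast.Constant) and value.value is True:
        return "hardcoded-true"
    if isinstance(value, ast.Constant) and value.value is False:
        return "explicit-false"
    return "dynamic"  # computed at run time; needs manual review

def _callee(func):
    """Best-effort dotted name of the function being called."""
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts)) or "<dynamic>"

def find_dangerous_code_flags(source, filename="<string>"):
    """Return sorted (line, where, verdict) for each place the flag is set.

    Covers direct keyword arguments and dict literals, since the flag can
    also travel to an agent constructor through a **kwargs dict.
    """
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if isinstance(node, ast.Call):
            for kw in node.keywords:
                if kw.arg == FLAG:
                    findings.append((node.lineno, _callee(node.func), _verdict(kw.value)))
        elif isinstance(node, ast.Dict):
            for key, value in zip(node.keys, node.values):
                if isinstance(key, ast.Constant) and key.value == FLAG:
                    findings.append((key.lineno, "<dict literal>", _verdict(value)))
    return sorted(findings)

# Constructed sample for illustration; this is not the Langflow source.
SAMPLE = '''\
agent = create_csv_agent(llm, path, allow_dangerous_code=True)
safe = create_csv_agent(llm, path, allow_dangerous_code=False)
user = factory.build(llm, allow_dangerous_code=cfg.unsafe)
kwargs = {"verbose": True, "allow_dangerous_code": True}
'''

if __name__ == "__main__":
    for line, where, verdict in find_dangerous_code_flags(SAMPLE):
        print(f"line {line}: {where} -> {verdict}")
```

Run over a checkout of custom components or an installed package tree, `hardcoded-true` findings are the ones to remove or gate behind an explicit operator setting.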

Vulnerability details

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.8.0, the CSV Agent node in Langflow hardcodes `allow_dangerous_code=True`, which automatically exposes LangChain’s Python REPL tool (`python_repl_ast`). As a result, an attacker can execute arbitrary Python and OS commands on the server via prompt injection, leading to full Remote Code Execution (RCE). Version 1.8.0 fixes the issue.

AI Security Analysis

AI Category: LLM Application Platforms
Risk Domain: LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai, langchain, langflow, prompt injection

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.006 Python (Execution)
Adversaries may abuse Python commands and scripts for execution.

Why these techniques?

The CVE enables unauthenticated RCE in a public-facing Langflow application (T1190) via prompt injection that reaches the exposed Python REPL, allowing arbitrary code and OS command execution (T1059.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33873 (same product: Langflow)
CVE-2026-33017 (same product: Langflow)
CVE-2026-0770 (same product: Langflow)
CVE-2026-0768 (same product: Langflow)
CVE-2026-33309 (same product: Langflow)
CVE-2026-7524 (same product: Langflow)
CVE-2026-21445 (same product: Langflow)
CVE-2026-42048 (same product: Langflow)
CVE-2026-33484 (same product: Langflow)
CVE-2025-34291 (same product: Langflow)

Affected Assets

langflow / langflow: ≤ 1.8.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: Timely patching to version 1.8.0 directly remediates the hardcoded `allow_dangerous_code=True` setting that exposes the Python REPL tool.

Prevent: Least functionality restricts or prohibits unnecessary dangerous features like the `python_repl_ast` tool in the CSV Agent node.

Prevent: Input validation on user prompts checks for and blocks malicious injections targeting the exposed REPL tool.
