CVE-2026-33873
Published: 27 March 2026
Summary
CVE-2026-33873 is a critical-severity Code Injection (CWE-94) vulnerability in Langflow. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 14.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
This vulnerability is AI-related — categorised as Other AI Platforms.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
Directly validates LLM-generated Python code inputs to the Agentic Assistant's dynamic execution sinks, preventing arbitrary server-side code injection.
Treats untrusted LLM-generated code as tainted data and restricts its execution during the validation phase to block malicious Python execution.
Ensures timely patching to Langflow version 1.9.0, which eliminates the code execution sinks in files like validation.py and assistant_service.py.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
The CVE enables exploitation of a public-facing web application (T1190) via LLM-influenced code injection, directly facilitating arbitrary server-side Python code execution (T1059.006).
NVD Description
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.9.0, the Agentic Assistant feature in Langflow executes LLM-generated Python code during its validation phase. Although this phase appears intended to validate generated component code, the implementation reaches dynamic execution sinks and instantiates the generated class server-side. In deployments where an attacker can access the Agentic Assistant feature and influence the model output, this can result in arbitrary server-side Python execution. Version 1.9.0 fixes the issue.
Deeper analysis [AI]
CVE-2026-33873 is a critical code injection vulnerability (CWE-94) in Langflow, an open-source tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the Agentic Assistant feature executes Python code generated by a large language model (LLM) during its validation phase. This process, intended to validate generated component code, instead dynamically executes the code server-side by reaching execution sinks and instantiating the generated class, enabling arbitrary Python code execution. The vulnerability carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
An attacker requires low-privilege access (PR:L) to the Agentic Assistant feature over the network with no user interaction needed. By influencing the LLM's output—such as through crafted prompts or model manipulation—the attacker can inject malicious Python code that executes server-side. Successful exploitation grants full control over the affected Langflow instance, potentially leading to complete compromise with high confidentiality, integrity, and availability impacts due to the changed scope (S:C).
The patch in Langflow version 1.9.0 addresses the issue by fixing the validation logic in the Agentic Assistant, preventing dynamic execution of LLM-generated code. Detailed code changes are visible in the project's GitHub repository, including modifications to router.py (lines 252-297), schemas.py (lines 20-31), code_extraction.py (lines 11-53), validation.py (lines 27-47), and assistant_service.py (lines 142-156), which eliminate the execution sinks.
This vulnerability highlights risks in AI/ML workflows where LLM outputs directly feed into code execution paths, with no reported real-world exploitation as of publication on 2026-03-27.
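A validation phase can check generated component code without ever running it. The sketch below is an added example, not Langflow's code or its 1.9.0 patch; the base-class name `Component`, the import allowlist and both sample inputs are assumptions constructed for illustration.

```python
import ast

# Assumed policy for this example; adjust per deployment.
ALLOWED_IMPORTS = {"typing", "json", "langflow"}
BANNED_CALLS = {"exec", "eval", "compile", "__import__"}

def validate_generated_component(source: str, base_name: str = "Component") -> list[str]:
    """Return a list of findings; an empty list means the static checks passed.

    The source is only parsed into an AST. It is never compiled, exec'd,
    imported or instantiated, so nothing in it runs on the server.
    """
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return [f"syntax error: {exc.msg} (line {exc.lineno})"]
    findings = []
    classes = [n for n in tree.body if isinstance(n, ast.ClassDef)]
    if not any(isinstance(b, ast.Name) and b.id == base_name
               for c in classes for b in c.bases):
        findings.append(f"no class deriving from {base_name}")
    for node in tree.body:
        # Anything at module level besides imports and classes would run on import.
        if not isinstance(node, (ast.Import, ast.ImportFrom, ast.ClassDef)):
            findings.append(f"line {node.lineno}: unexpected top-level {type(node).__name__}")
    for node in ast.walk(tree):
        roots = []
        if isinstance(node, ast.Import):
            roots = [a.name.split(".")[0] for a in node.names]
        elif isinstance(node, ast.ImportFrom):
            roots = [(node.module or "").split(".")[0]]
        findings += [f"line {node.lineno}: import of '{r}' not allowed"
                     for r in roots if r not in ALLOWED_IMPORTS]
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in BANNED_CALLS):
            findings.append(f"line {node.lineno}: call to {node.func.id}()")
    return findings

# Constructed sample inputs standing in for model output (import path is assumed).
BENIGN = ("from langflow.custom import Component\n\n"
          "class Hello(Component):\n"
          "    def build(self):\n"
          "        return 'hi'\n")
SUSPICIOUS = ("import os\n\n"
              "class X(Component):\n"
              "    def build(self):\n"
              "        return eval('1+1')\n\n"
              "print('runs at import time')\n")
```

Static checks like these are not a sandbox: they keep validation from becoming an execution path, but any later execution of generated code still needs isolation.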
Details
- CWE(s)
Affected Products
AI Security Analysis [AI]
- AI Category: Other AI Platforms
- Risk Domain: N/A
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai, llm