CVE-2026-27966
published 2026-02-26CVE-2026-27966: Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.8.0, the CSV Agent node in Langflow hardcodes…
PriorityP185critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
33.69%
98.2th percentile
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.8.0, the CSV Agent node in Langflow hardcodes `allow_dangerous_code=True`, which automatically exposes LangChain’s Python REPL tool (`python_repl_ast`). As a result, an attacker can execute arbitrary Python and OS commands on the server via prompt injection, leading to full Remote Code Execution (RCE). Version 1.8.0 fixes the issue.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| langflow-ai | langflow | < 1.8.0 | 1.8.0 |
| langflow | langflow | < 1.8.0 | 1.8.0 |
| langflow | langflow | 0 – 1.8.0rc2 | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Detect exploitation attempts by monitoring for HTTP requests that craft and send a specially-crafted flow containing Python code targeting the CSV Agent node endpoint in Langflow instances running versions prior to 1.8.0. ↗
- →Alert on any Langflow process spawning unexpected OS-level child processes, as the vulnerability allows arbitrary OS command execution via the exposed python_repl_ast REPL tool through prompt injection. ↗
- ·The attack vector is prompt injection — exploitation requires the attacker to influence the prompt/input processed by the CSV Agent node, not a direct API call alone. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Langflow has Remote Code Execution in CSV Agent
ghsa·2026-02-27
CVE-2026-27966 [CRITICAL] CWE-94 Langflow has Remote Code Execution in CSV Agent
Langflow has Remote Code Execution in CSV Agent
# 1. Summary
The CSV Agent node in Langflow hardcodes `allow_dangerous_code=True`, which automatically exposes LangChain’s Python REPL tool (`python_repl_ast`). As a result, an attacker can execute arbitrary Python and OS commands on the server via prompt injection, leading to full Remote Code Execution (RCE).
# 2. Description
## 2.1 Intended Functionality
When building a flow such as *ChatInput → CSVAgent → ChatOutput*, users can attach an LLM and specify a CSV file path. The CSV Agent then provides capabilities to query, summarize, or manipulate the CSV content using an LLM-driven agent.
## 2.2 Root Cause
In `src/lfx/src/lfx/components/langchain_utilities/csv_agent.py`, the CSV Agent is instantiated as follows:
```python
agent_kwar
OSV
Langflow has Remote Code Execution in CSV Agent
osv·2026-02-27
CVE-2026-27966 [CRITICAL] Langflow has Remote Code Execution in CSV Agent
Langflow has Remote Code Execution in CSV Agent
# 1. Summary
The CSV Agent node in Langflow hardcodes `allow_dangerous_code=True`, which automatically exposes LangChain’s Python REPL tool (`python_repl_ast`). As a result, an attacker can execute arbitrary Python and OS commands on the server via prompt injection, leading to full Remote Code Execution (RCE).
# 2. Description
## 2.1 Intended Functionality
When building a flow such as *ChatInput → CSVAgent → ChatOutput*, users can attach an LLM and specify a CSV file path. The CSV Agent then provides capabilities to query, summarize, or manipulate the CSV content using an LLM-driven agent.
## 2.2 Root Cause
In `src/lfx/src/lfx/components/langchain_utilities/csv_agent.py`, the CSV Agent is instantiated as follows:
```python
agent_kwar
No detection rules found.
Rapid7
Metasploit Wrap-Up 04/25/2026
blogs_rapid7·2026-04-24·CVSS 7.7
CVE-2024-46987 [HIGH] Metasploit Wrap-Up 04/25/2026
## Check Method Visibility
Metasploit has supported check methods for many years now. It’s not always desirable to jump straight into exploiting a vulnerability but instead to determine if the target is vulnerable. Metasploit tries to be very conservative with classifying a target as “vulnerable” unless the vulnerability is leveraged as part of the check method, reserving the “appears” status for version checks. The different check codes a module is capable of returning and the logic to select among them varies from exploit to exploit and is not always the easiest to understand. Aligning with the consistent feedback that Metasploit has received that module actions should be more transparent, adfoster-r7 has been adding reasoning information en masse to the check codes returned by a variet
Wiz
CVE-2026-27966 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-27966 [CRITICAL] CVE-2026-27966 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27966 :
Homebrew vulnerability analysis and mitigation
allow_dangerous_code=True
python_repl_ast
Source : NVD
## 9.8
Score
Published February 26, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
Homebrew
LangFlow
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
langflow
Sources
NVD
pip Severity CRITICAL No Fix Added at: Mar 02, 2026
Homebrew Severity CRITICAL Has Fix Added at: Mar 03, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related Homebrew vulnerabilities:
CVE ID
Severity
2026-02-26
Published