RAXE — Runtime AI Security Platform

Executive Summary

What: CVE-2026-27966 is a critical-severity remote code execution vulnerability (CVSS 9.8, CWE-94) in Langflow, an open-source platform for building and deploying AI-powered agents and workflows. Versions prior to 1.8.0 are affected; the fix is available in version 1.8.0 (NVD, GHSA-3645-fxcv-hqr4). The vulnerability exists because the CSV Agent component hardcodes allow_dangerous_code=True, which exposes LangChain's python_repl_ast tool, enabling arbitrary Python and OS command execution on the server via prompt injection (NVD).

So What: This vulnerability demonstrates what RAXE Labs assesses as the canonical AI-native attack chain: prompt injection leading to remote code execution. The CSV Agent component in Langflow hardcodes allow_dangerous_code=True, automatically exposing LangChain's python_repl_ast tool, creating a direct path from user-controlled natural language input to arbitrary Python and OS command execution on the server (NVD). The CVSS 9.8 score reflects the network-accessible, no-authentication, no-user-interaction attack profile (NVD). This pattern — AI agents with uncontrolled tool access — is replicated across many AI agent frameworks, making this finding relevant beyond the Langflow ecosystem (assessment).

Now What: Organisations running Langflow should upgrade to version 1.8.0 or later immediately (NVD, GHSA). Security teams should audit AI agent workflows for configurations that hardcode dangerous code execution capabilities and deploy the detection signatures provided in this advisory.

Risk Rating

Dimension	Rating	Detail
Severity	CRITICAL	`CVSS v3.1`: 9.8 (NVD). `CWE-94`: Improper Control of Generation of Code (NVD). Network vector, no authentication, no user interaction required.
Urgency	HIGH	Patch is available (version 1.8.0 on PyPI). Any internet-exposed Langflow deployment with the CSV Agent component enabled, running a version prior to 1.8.0, should be upgraded immediately.
Scope	HIGH	Langflow provides a visual builder on top of the LangChain framework, a prominent AI agent library. The vulnerability affects the CSV Agent component, which is commonly deployed for data analysis workflows.
Confidence	CONFIRMED	CVE assigned (NVD), vendor advisory published (GHSA-3645-fxcv-hqr4), fix commit merged (d8c6480), patched version released on PyPI.
Business Impact	HIGH	Full remote code execution with no authentication. Successful exploitation provides the attacker with the privileges of the Langflow process, enabling access to connected data sources, model configurations, and network pivoting.

Affected Products

Product	Registry	Affected Versions	Fixed Version	Status
`langflow`	PyPI	< 1.8.0	1.8.0	Patch available (NVD)

Note on versioning: The NVD entry lists all versions prior to 1.8.0 as affected (versionEndExcluding: 1.8.0) and states "Version 1.8.0 fixes the issue." The GHSA advisory lists "affected < 1.6.9" but "patched version 1.8.0" — these fields are inconsistent. This advisory uses the NVD affected range (< 1.8.0) and fix version (1.8.0) as the authoritative source, consistent with the GHSA patched version field. Version 1.8.0 was released on PyPI on 5 March 2026.

Am I Affected?

Check if you use Langflow:

   pip show langflow

If this returns package information, you have the package installed.

Check your installed version:

   pip show langflow | grep Version

If the version is below 1.8.0, you are affected.

Check for CSV Agent usage: Review your Langflow workflow configurations for any flows that include the CSV Agent component. Deployments without the CSV Agent component enabled are not directly affected by this specific vulnerability.
Upgrade to the fixed version:

   pip install langflow>=1.8.0

Abstract

CVE-2026-27966 is a critical remote code execution vulnerability in the Langflow AI workflow platform, classified under CWE-94 (Improper Control of Generation of Code) with a CVSS v3.1 score of 9.8 (NVD). The vulnerability exists in the CSV Agent component, which hardcodes allow_dangerous_code=True, automatically exposing LangChain's python_repl_ast tool (NVD). The attack chain involves a prompt injection payload — delivered either through the query interface or embedded in CSV data — that instructs the underlying LLM to generate malicious Python or OS commands, which are then executed via the exposed REPL tool. The vulnerability requires no authentication and no user interaction (NVD). A fix is available in version 1.8.0 (NVD, GHSA-3645-fxcv-hqr4). This finding maps to MITRE ATLAS technique AML.T0051.000 (LLM Prompt Injection — Direct).

Key Findings

Critical RCE via AI-native attack vector. CVE-2026-27966 (CVSS 9.8, CWE-94) enables remote code execution through prompt injection targeting the CSV Agent component in Langflow (NVD, GHSA-3645-fxcv-hqr4).
No authentication required. The CVSS v3.1 attack vector indicates the vulnerability is exploitable without authentication and without user interaction, meaning any network-accessible Langflow deployment with the CSV Agent component enabled is at risk (NVD).
Prompt injection chains to code execution. The attack chains two vulnerability classes: prompt injection (AI-native, AML.T0051.000) and code injection (traditional, CWE-94). The CSV Agent hardcodes allow_dangerous_code=True, exposing LangChain's python_repl_ast tool; the LLM is then prompted to generate code that is executed via this exposed tool (NVD, GHSA).
Systemic pattern: AI agents with unsandboxed code execution. The root cause involves enabling code execution capabilities without adequate sandboxing — a design pattern repeated across multiple AI agent frameworks. The vulnerability is not unique to Langflow; it reflects a broader ecosystem challenge (assessment).
Fix available in version 1.8.0. NVD lists all versions prior to 1.8.0 as affected; version 1.8.0 fixes the issue by making allow_dangerous_code configurable with a default of False (NVD, fix commit d8c6480). Organisations should upgrade to at least 1.8.0.

Attack Flow

                      PROMPT INJECTION TO RCE — CVE-2026-27966
                      ========================================

  +-----------------+     +------------------+     +------------------+
  |   Adversary     |     |   Langflow       |     |   LangChain      |
  |   Input         |---->|   CSV Agent      |---->|   python_repl_   |
  |   (prompt       |     |   Node           |     |   ast Tool       |
  |    injection)   |     |   (hardcoded     |     |   (exposed by    |
  |                 |     |    dangerous     |     |    allow_        |
  |                 |     |    code=True)    |     |    dangerous_    |
  |                 |     |                  |     |    code=True)    |
  +-----------------+     +------------------+     +------------------+
                                                          |
                                                          v
                                                   +------------------+
                                                   |   LLM Generates  |
                                                   |   Malicious Code |
                                                   |   (from injected |
                                                   |    prompt)       |
                                                   +------------------+
                                                          |
                                                          v
                                                   +------------------+
                                                   |   Code Executed  |
                                                   |   WITHOUT        |
                                                   |   Sandboxing     |
                                                   |   (dangerous     |
                                                   |    code enabled) |
                                                   +------------------+
                                                          |
                                                          v
                                                   +------------------+
                                                   |   RCE ACHIEVED   |
                                                   |                  |
                                                   |   - Server access|
                                                   |   - Data sources |
                                                   |   - Credentials  |
                                                   |   - Lateral move |
                                                   +------------------+

  ATLAS Mapping: AML.T0051.000 (LLM Prompt Injection — Direct)

  Attack Prerequisites (NVD):
  - Network access to Langflow instance
  - No authentication required
  - No user interaction required
  - CSV Agent component enabled

Technical Details

Root Cause Analysis

The vulnerability exists in the interaction between Langflow's CSV Agent component and the LangChain agent framework. The CSV Agent node hardcodes allow_dangerous_code=True, which automatically exposes LangChain's python_repl_ast tool — a Python REPL capable of executing arbitrary code on the server (NVD). There is no toggle or environment variable to disable this behaviour; the dangerous configuration is embedded in the component code without user control (GHSA-3645-fxcv-hqr4).

The attack mechanism involves:

Entry point: An adversary submits a natural language query to the Langflow CSV Agent component. Common observed API endpoints include /api/v1/run and /api/v1/process, though the vulnerability exists at the component level, not at a specific endpoint (GHSA, assessment).
Prompt injection: The query contains a prompt injection payload that instructs the LLM to generate code performing actions beyond data analysis — such as system commands, file access, or reverse shell connections (assessment based on CWE-94 classification).
Hardcoded dangerous code execution: Because the CSV Agent hardcodes allow_dangerous_code=True, LangChain's python_repl_ast tool is automatically available. The LLM-generated code is executed via this tool without sandboxing (NVD).
RCE achieved: Arbitrary Python and OS commands run with the privileges of the Langflow server process (NVD CVSS 9.8 scope).

CWE Classification

CWE-94 (Improper Control of Generation of Code) is the NVD classification. This is appropriate because the vulnerability enables an attacker to influence the code that is generated and subsequently executed by the application (NVD).

Fix Analysis

The fix commit (d8c6480) addresses the vulnerability by replacing the hardcoded allow_dangerous_code=True with a configurable BoolInput parameter that defaults to False. The fix includes a security warning stating that enabling the parameter "allows the agent to execute arbitrary Python code on the server, which can lead to remote code execution vulnerabilities" (fix commit). This change is included in version 1.8.0 (NVD).

Impact Assessment

Impact Dimension	Rating	Notes
Code execution	CRITICAL	Full RCE with Langflow process privileges (NVD `CVSS 9.8`)
Data access	HIGH	Access to all data sources connected to Langflow (assessment)
Lateral movement	HIGH	Server access enables network pivoting (assessment)
AI workflow integrity	HIGH	Compromised agent can produce manipulated outputs (assessment)
Authentication required	NONE	CVSS vector indicates no authentication required (NVD)

Confidence & Validation

Assessment Confidence: Confirmed

Aspect	Status	Detail
Vendor Advisory	Yes	GHSA-3645-fxcv-hqr4 published by Langflow maintainers
CVE Assigned	Yes	`CVE-2026-27966` in NVD, published 2026-02-26 (NVD)
PoC Available	Not public	No public proof-of-concept at time of writing
Patch Available	Yes	Version 1.8.0 on PyPI; fix commit d8c6480 merged (NVD, GHSA)
Exploited in Wild	No evidence	No reports of in-the-wild exploitation at time of writing

Source Reliability

Source	Type	Grade	Key Data
NVD/NIST	CVE Database	A1	`CVE-2026-27966`: `CVSS 9.8`, `CWE-94`, published 2026-02-26
GHSA-3645-fxcv-hqr4	Advisory	A1	Affected < 1.6.9 (note: inconsistent with NVD range), patched 1.8.0, fix commit d8c6480

Detection Signatures

Three Sigma detection rules have been developed for this vulnerability:

LANGFLOW-001: Prompt Injection Targeting CSV Agent Code Execution

Rule ID: raxe-langflow-001
Type: Network / Application (webserver log source)
Purpose: Detects prompt injection payloads in HTTP requests to Langflow API endpoints (/api/v1/run, /api/v1/process, /api/v1/predict, /api/v1/chat) that contain patterns associated with code execution attempts
Detection logic: Matches Langflow API endpoints combined with prompt injection patterns (instruction override phrases, code import statements, framework-specific parameters)
Level: Critical
ATLAS mapping: AML.T0051.000
False positives: Legitimate discussions about code in LLM queries; security testing against the platform

LANGFLOW-002: Anomalous Process Spawned by Langflow Application

Rule ID: raxe-langflow-002
Type: Host-based (process creation)
Purpose: Detects child processes spawned by the Langflow application server that are inconsistent with normal AI workflow operations
Detection logic: Matches Python/uvicorn parent processes with Langflow in the command line spawning shells, network tools, or file access utilities with suspicious arguments
Level: Critical
False positives: Langflow workflows that legitimately spawn system commands (should be audited and allowlisted)

LANGFLOW-003: CSV Agent Dangerous Code Configuration

Rule ID: raxe-langflow-003
Type: Application-level (configuration monitoring)
Purpose: Detects Langflow flow configurations or API requests that enable dangerous code capabilities in agent components — identifying vulnerable configurations before exploitation
Detection logic: Matches flow configuration events containing references to dangerous code parameters or related framework components
Level: High
False positives: Intentional use for trusted internal workflows (should be documented and risk-accepted)

Detection & Mitigation

Detection Approach

A three-layer detection strategy is recommended:

Network layer (LANGFLOW-001): Monitor HTTP requests to Langflow API endpoints for prompt injection patterns. This provides the earliest detection opportunity, identifying attack attempts before code execution.
Host layer (LANGFLOW-002): Monitor the Langflow process for anomalous child process spawning. This detects successful exploitation by identifying unexpected system-level activity.
Configuration layer (LANGFLOW-003): Audit Langflow flow configurations for dangerous code capabilities. This provides preventive detection by identifying vulnerable configurations before exploitation occurs.

Remediation Steps

Immediate: Upgrade Langflow to version 1.8.0 or later (NVD).
Immediate: Disable the CSV Agent component if not required in your deployment.
Immediate: Restrict network access to Langflow instances — do not expose to untrusted networks or unauthenticated users.
Short-term: Audit AI agent configurations for dangerous code capabilities across all deployed AI workflows, not just Langflow.
Short-term: Deploy detection signatures (LANGFLOW-001 through LANGFLOW-003) in your SIEM and endpoint monitoring tools.
Medium-term: Review AI agent security architecture to ensure all code execution is properly sandboxed, regardless of the agent framework.

Indicators of Compromise

Type	Indicator	Context
Behavioural	Prompt injection patterns in requests to Langflow API endpoints	Attack attempt (pre-exploitation)
Behavioural	Langflow process spawning shell processes (sh, bash) with suspicious arguments	Successful exploitation indicator
Behavioural	Network connections initiated by the Langflow process to unexpected destinations	Post-exploitation lateral movement or data exfiltration
Behavioural	File access by Langflow process outside expected working directories	Post-exploitation credential harvesting
Configuration	Dangerous code capabilities enabled in Langflow flow configurations	Vulnerable configuration (pre-exploitation)
Network	HTTP POST requests to `/api/v1/run` or `/api/v1/process` with abnormally large or encoded payloads	Potential prompt injection delivery

Strategic Context

CVE-2026-27966 represents a significant development in the AI security threat landscape for several reasons:

Prompt injection to RCE represents what RAXE Labs assesses as the canonical AI-native attack chain. This vulnerability demonstrates the complete progression from prompt injection (an AI-native attack vector mapped to MITRE ATLAS AML.T0051.000) to full system compromise via code execution (a traditional security impact). This attack chain is assessed as the most significant risk facing organisations deploying AI agents with tool access (assessment).

The LangChain ecosystem has significant adoption (RAXE assessment). Langflow provides a visual builder on top of LangChain, a prominent AI agent framework. The vulnerability highlights a design challenge inherent to AI agent platforms: balancing functionality (code execution for data analysis) with security (sandboxing to prevent abuse). This tension is not unique to Langflow; it affects any AI agent framework that grants code execution capabilities.

Systemic pattern applicability. The root cause — an AI agent executing LLM-generated code without adequate sandboxing — is a design pattern repeated across multiple AI agent frameworks. Detection rules developed for this vulnerability have broad applicability to other platforms exhibiting the same pattern.

No-authentication attack profile raises the stakes. The CVSS 9.8 score (no auth, no interaction, network vector) means any internet-exposed Langflow deployment with the CSV Agent component enabled is a viable target (NVD). This underscores the importance of network segmentation and authentication controls for AI agent deployments, even when the platform itself does not enforce them.

References

CVE-2026-27966 (NVD) — Langflow CSV Agent RCE, CVSS 9.8, CWE-94
GHSA-3645-fxcv-hqr4 — Langflow CSV Agent Vulnerability Advisory
Fix commit d8c6480 — Langflow patch for CVE-2026-27966
MITRE ATLAS: AML.T0051.000 — LLM Prompt Injection (Direct)
CWE-94: Improper Control of Generation of Code