How severe is CVE-2026-27966?

CVE-2026-27966 is rated critical severity with a CVSS score of 9.8 out of 10.

Is there a public proof-of-concept (PoC) for CVE-2026-27966?

Yes. Public exploit material exists via 1 GitHub PoC repository. See the references section for direct links. Treat all linked code as untrusted and use only in authorized, isolated lab environments.

What packages are affected by CVE-2026-27966?

CVE-2026-27966 affects: langflow (PyPI). Source: OSV.dev.

How do I fix CVE-2026-27966?

The vendor has published a patch — see the "Vendor Patch" link in the references section. If you cannot patch immediately, review mitigation guidance in this advisory and monitor for exploitation attempts.

Critical (9.8) Thursday, February 26, 2026

CVE-2026-27966: Langflow [PoC]

CVE-2026-27966

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.8.0, the CSV Agent node in Langflow hardcodes `allow_dangerous_code=True`, which automatically exposes...

Overview

A critical security vulnerability has been identified in Langflow, a platform for building AI agents and workflows. This flaw allows an attacker to execute arbitrary commands on the server hosting the application, potentially leading to a complete system compromise.

Vulnerability Details

In Langflow versions before 1.8.0, a specific component called the “CSV Agent” node was configured with an unsafe setting. This setting automatically enabled a powerful Python execution tool without proper safeguards. Normally, such a tool would be restricted, but this misconfiguration left it fully exposed.

An attacker can exploit this by crafting a malicious input, often through a technique called “prompt injection,” into an AI agent built with the vulnerable node. This input tricks the system into passing commands directly to the underlying server. As a result, the attacker can run any Python code or operating system command with the same permissions as the Langflow application, leading to Remote Code Execution (RCE).

Impact

The impact of this vulnerability is severe (CVSS Score: 9.8/10, CRITICAL). Successful exploitation grants an attacker the ability to:

Steal, modify, or delete sensitive data from the server.
Install malware or ransomware.
Use the compromised server to attack other internal systems.
Disrupt operations by shutting down services.

Any Langflow instance using the CSV Agent node from a version prior to 1.8.0 is at risk if its agents are exposed to untrusted user input.

Remediation and Mitigation

Immediate action is required to secure affected systems.

Primary Fix: Upgrade The definitive solution is to upgrade Langflow to version 1.8.0 or later. This version removes the dangerous hardcoded setting, properly securing the CSV Agent node.

Check your current Langflow version.
Follow the official upgrade procedures to update to version 1.8.0 or the latest stable release.

Temporary Mitigation (If Immediate Upgrade is Not Possible) If you cannot upgrade immediately, take these steps to reduce risk:

Disable or Remove the CSV Agent Node: Review all deployed workflows and remove any instances of the CSV Agent node. Replace its functionality with alternative, secure nodes if necessary.
Restrict Access: Ensure Langflow’s interface and API are not exposed to the public internet. Place the application behind strict network firewalls and enforce strong authentication.
Audit Logs: Closely monitor application and system logs for any unusual command execution or unexpected process activity.

After applying mitigations, plan for a permanent upgrade as soon as possible.

Never miss a critical vulnerability

Get real-time security alerts delivered to your preferred platform.

Telegram LinkedIn Mastodon Bluesky

Am I Affected by CVE-2026-27966?

Pick an ecosystem, paste your installed version, and we'll compare it against the fixed version published on OSV.dev. Browser-only — nothing is sent to a server.

Heuristic comparison only. Always cross-check against the vendor advisory before making patching decisions.

Public PoC References

Unverified third-party code

These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).

Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.

Repository	Stars	Last Push
Anon-Cyber-Team/CVE-2026-27966--RCE-in-Langflow Exploit Tools For new CVE	★ 1	2026-03-06

Showing 1 of 1 known references. Source: nomi-sec/PoC-in-GitHub.

Related Advisories

Critical (10.0) Apr 7

CVE-2026-39337

ChurchCRM is an open-source church management system. Prior to 7.1.0, critical pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to in...

Critical (9.8) Apr 1

CVE-2026-29014

MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP...

Critical (9.1) Mar 27

CVE-2026-27876

A chained attack via SQL Expressions and a Grafana Enterprise plugin can lead to a remote arbitrary code execution impact (RCE). This is enabled by a feature in Grafana (OSS), so all users are always ...

Critical (9.8) Mar 27

CVE-2026-33937

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `Handlebars.compile()` accepts a pre-parsed AST object in addition to a template string....