CVE-2026-33475: Langflow is a tool for building and deploying AI-powered agents and workflows. An unauthenticated remote shell injection
Summary
Langflow versions before 1.9.0 have a script injection vulnerability in the project's GitHub Actions workflows: attacker-controlled GitHub context values (such as branch names and pull request titles) are interpolated with `${{ ... }}` directly into `run:` shell steps without sanitization. Because the runner substitutes the expression into the script text before the shell executes it, a value containing shell metacharacters becomes part of the command, so anyone able to create a branch or open a pull request with a crafted name or title can execute arbitrary commands on the runner and exfiltrate secrets available to the job, including the GITHUB_TOKEN. The impact is secret theft, manipulation of CI infrastructure, or supply chain compromise during CI/CD (continuous integration/continuous deployment, the automated testing and deployment process) execution.
Solution / Mitigation
Upgrade to version 1.9.0, which patches the affected workflows. Additionally, the source recommends refactoring workflows to pass context values through environment variables instead of direct interpolation: assign the GitHub context value to an environment variable first (e.g., `env: BRANCH_NAME: ${{ github.head_ref }}`), then reference it in `run:` steps with double quotes (e.g., `echo "Branch is: \"$BRANCH_NAME\""`), and avoid direct `${{ ... }}` interpolation inside `run:` for any user-controlled value. The reason this works is that expression expansion happens when the runner writes the script file, so quoting inside the script cannot protect a value that has already been spliced into the text as code; a value delivered through `env:` reaches the shell as data in a variable and is never re-parsed as commands. As a further limit on blast radius if a step is still injectable, grant the GITHUB_TOKEN only the permissions each job needs via a `permissions:` block rather than the default write scopes.
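To make the difference between the two patterns concrete, here is an added shell example (not Langflow's own workflow or the advisory's code) that simulates what the runner does with a `run:` step: it textually substitutes a `${{ github.head_ref }}` expression into the script and executes the result, then runs the hardened variant that receives the same value through an environment variable. The branch name is constructed for the demonstration; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: simulates GitHub Actions expression expansion in a run: step.
# Not Langflow's workflow. The attacker-controlled branch name is constructed.

# A branch name an attacker could create. The embedded quote closes the
# string in the vulnerable script, and the rest runs as commands.
ATTACKER_REF='feature"; echo INJECTED; echo "'

# Vulnerable step body: the expression is interpolated directly into run:.
VULN_TEMPLATE='echo "Branch is: ${{ github.head_ref }}"'

# Hardened step body: the value arrives via env: and is referenced quoted.
# (In the workflow this pairs with  env: BRANCH_NAME: ${{ github.head_ref }} )
SAFE_SCRIPT='echo "Branch is: $BRANCH_NAME"'

# render_vulnerable TEMPLATE VALUE
# Mimics the runner: replace the expression with the raw value in the
# script text, before any shell sees it. Uses only POSIX parameter
# expansion with a quoted (literal) pattern.
render_vulnerable() {
    tmpl=$1
    val=$2
    marker='${{ github.head_ref }}'
    printf '%s\n' "${tmpl%%"$marker"*}$val${tmpl#*"$marker"}"
}

# run_vulnerable: expand then execute, as the runner would.
run_vulnerable() {
    render_vulnerable "$VULN_TEMPLATE" "$ATTACKER_REF" | sh
}

# run_hardened: the script text is fixed; the value is passed as data.
run_hardened() {
    printf '%s\n' "$SAFE_SCRIPT" | BRANCH_NAME="$ATTACKER_REF" sh
}

echo '--- script the runner would execute in the vulnerable step ---'
render_vulnerable "$VULN_TEMPLATE" "$ATTACKER_REF"
echo '--- output of the vulnerable step ---'
run_vulnerable
echo '--- output of the hardened step ---'
run_hardened
```

The vulnerable run prints `INJECTED` on its own line because the attacker's quote terminated the `echo` argument and the remainder of the branch name became two more commands. The hardened run prints the entire branch name, metacharacters included, as a single literal line: the shell expands `"$BRANCH_NAME"` to a string and never re-parses it.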
Vulnerability Details
CVSS v3.1 base score: 9.1 (Critical)
EPSS: 0.0%
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Date: March 24, 2026
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-33475
First tracked: March 24, 2026 at 02:07 PM