CVE-2026-27966: CWE-94: Improper Control of Generation of Code ('Code Injection') in langflow-ai langflow
CVE-2026-27966 is a critical remote code execution vulnerability in langflow versions prior to 1.8.0. The flaw arises because the CSV Agent node hardcodes allow_dangerous_code=True, exposing LangChain’s Python REPL tool. This allows attackers to execute arbitrary Python and OS commands via prompt injection without authentication or user interaction. The vulnerability has a CVSS score of 9.8, indicating high impact on confidentiality, integrity, and availability. Although no known exploits are currently in the wild, unpatched systems remain at significant risk. Version 1. 8.
AI Analysis
Technical Summary
CVE-2026-27966 is a critical vulnerability classified under CWE-94 (Improper Control of Generation of Code) affecting langflow, a tool used to build and deploy AI-powered agents and workflows. Prior to version 1.8.0, the CSV Agent node in langflow hardcodes the parameter allow_dangerous_code=True. This setting exposes LangChain’s Python REPL tool (python_repl_ast), which is designed to evaluate Python code dynamically. Because this REPL is exposed without restrictions, an attacker can leverage prompt injection techniques to execute arbitrary Python code and underlying operating system commands on the server hosting langflow. The vulnerability requires no authentication or user interaction, making it remotely exploitable over the network. The impact includes full remote code execution (RCE), allowing attackers to compromise confidentiality, integrity, and availability of the affected system. The vulnerability was publicly disclosed on February 26, 2026, with a CVSS v3.1 base score of 9.8, reflecting its critical severity. Although no known exploits have been observed in the wild yet, the ease of exploitation and the critical nature of the flaw necessitate immediate remediation. The issue is fixed in langflow version 1.8.0 by removing the hardcoded dangerous code execution flag, thereby preventing exposure of the Python REPL tool.
Potential Impact
The vulnerability enables attackers to execute arbitrary code remotely on servers running vulnerable versions of langflow, potentially leading to complete system compromise. This can result in unauthorized data access, data manipulation, destruction of data, and disruption of AI workflows. Organizations relying on langflow for AI agent deployment may face operational downtime, loss of intellectual property, and exposure of sensitive information. The critical severity and lack of authentication requirements increase the risk of automated attacks and widespread exploitation. Additionally, compromised systems could be used as pivot points for lateral movement within networks, further escalating the impact. The vulnerability threatens organizations across industries adopting AI automation and workflow orchestration, especially those integrating langflow into production environments.
Mitigation Recommendations
Immediate upgrade to langflow version 1.8.0 or later is the primary mitigation step to remove the hardcoded allow_dangerous_code=True setting. Until upgrade is possible, organizations should restrict network access to langflow instances, especially limiting exposure to untrusted networks. Implement strict input validation and sanitization on any user-supplied data that interacts with langflow workflows. Employ runtime application self-protection (RASP) or web application firewalls (WAFs) with custom rules to detect and block suspicious prompt injection patterns targeting the Python REPL. Monitor logs for unusual command execution or unexpected Python code activity. Conduct regular security audits of AI workflow tools and maintain an inventory of versions deployed. Consider isolating langflow environments using containerization or sandboxing to limit potential damage from exploitation.
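As an added example (not code from langflow or from this advisory), the audit and version-inventory steps can be scripted: a static check that flags Python call sites passing allow_dangerous_code as a literal True, plus a numeric comparison against the fixed release 1.8.0. The function names and the sample source are constructed for illustration.

```python
import ast
import re

FIXED_VERSION = (1, 8, 0)  # first fixed langflow release named in the advisory

# Constructed sample source (illustrative; not langflow's actual code).
SAMPLE = '''
from langchain_experimental.agents import create_csv_agent

def build_vulnerable(llm, path):
    return create_csv_agent(llm, path, allow_dangerous_code=True)

def build_configurable(llm, path, allow_code):
    return create_csv_agent(llm, path, allow_dangerous_code=allow_code)

def build_safe(llm, path):
    return create_csv_agent(llm, path, allow_dangerous_code=False)
'''

def is_affected(version: str) -> bool:
    """True if a langflow version is older than 1.8.0 (numeric, not string, compare)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    # Pre-release suffixes such as "rc1" are ignored here (assumption).
    return tuple(int(g or 0) for g in m.groups()) < FIXED_VERSION

def find_dangerous_code_flags(source: str, filename: str = "<source>"):
    """Return sorted (line, callee, verdict) for calls passing allow_dangerous_code."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:
            if kw.arg != "allow_dangerous_code":
                continue
            if isinstance(kw.value, ast.Constant):
                # Literal in the source: the value is fixed at build time.
                verdict = "hardcoded-true" if kw.value.value else "disabled"
            else:
                # Variable or expression: review who controls the value.
                verdict = "dynamic"
            findings.append((node.lineno, ast.unparse(node.func), verdict))
    return sorted(findings)

if __name__ == "__main__":
    for line, callee, verdict in find_dangerous_code_flags(SAMPLE):
        print(f"line {line}: {callee}(allow_dangerous_code=...) -> {verdict}")
    for v in ("1.7.3", "1.8.0", "1.10.2"):
        print(v, "affected" if is_affected(v) else "not affected")
```

A "dynamic" finding is not automatically safe: it needs a manual check of whether the value can be set by anyone other than the operator.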
Affected Countries
United States, Germany, United Kingdom, Canada, France, Japan, South Korea, Australia, Netherlands, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-25T03:24:57.793Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 699fabd8b7ef31ef0b7dea23
Added to database: 2/26/2026, 2:11:36 AM
Last enriched: 2/26/2026, 2:26:01 AM
Last updated: 2/26/2026, 4:18:06 AM