Langflow is a platform for building and deploying AI-powered agents and workflows. In versions before 1.8.0, the CSV Agent node insecurely sets allow_dangerous_code=True by default, which exposes LangChain’s python_repl_ast tool. This tool functions as a Python REPL (Read-Eval-Print Loop) environment embedded within the application, allowing execution of arbitrary Python code. Because this setting is hardcoded and exposed, an attacker can craft malicious input (prompt injection) that triggers execution of arbitrary Python code and underlying OS commands on the server hosting langflow. This leads to full remote code execution (RCE) without requiring authentication or user interaction. The vulnerability is classified under CWE-94 (Improper Control of Generation of Code), indicating that the application improperly controls or sanitizes code generation or execution. The vulnerability was publicly disclosed on February 26, 2026, with a CVSS v3.1 score of 9.8 (critical), reflecting network attack vector, low attack complexity, no privileges or user interaction required, and full impact on confidentiality, integrity, and availability. No known exploits in the wild have been reported yet. The issue is resolved in langflow version 1.8.0 by removing or disabling the dangerous code execution setting.

This vulnerability allows attackers to execute arbitrary code remotely on servers running vulnerable langflow versions, leading to complete system compromise. Attackers can steal sensitive data, modify or delete data, disrupt services, or use the compromised server as a foothold for further attacks within an organization’s network. Given langflow’s role in AI workflow automation, attackers could manipulate AI agents or workflows, potentially causing erroneous or malicious AI-driven actions. The lack of authentication or user interaction requirements makes exploitation straightforward, increasing the risk of widespread attacks. Organizations relying on langflow for AI deployments face risks to data confidentiality, system integrity, and operational availability, potentially resulting in financial loss, reputational damage, and regulatory consequences.

Upgrade all langflow installations to version 1.8.0 or later immediately to eliminate the vulnerability. If upgrading is not immediately possible, disable or restrict access to the CSV Agent node and the python_repl_ast tool to trusted users only, ideally isolating the service behind firewalls or network segmentation. Implement strict input validation and sanitization on all user inputs to prevent prompt injection attacks. Monitor logs for unusual command execution or access patterns indicative of exploitation attempts. Employ runtime application self-protection (RASP) or endpoint detection and response (EDR) tools to detect and block suspicious code execution. Regularly audit AI workflow configurations to ensure no unintended code execution capabilities are exposed. Finally, maintain an incident response plan to quickly address any suspected compromise.