CVE-2026-33475: CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in langflow-ai langflow
CVE-2026-33475 is a critical unauthenticated remote shell injection vulnerability in the langflow-ai Langflow project prior to version 1.9.0. It arises from improper neutralization of special elements in GitHub Actions workflows, where user-controlled GitHub context variables like branch names or pull request titles are directly interpolated into shell commands without sanitization. Attackers can exploit this by crafting malicious branch names or PR titles to inject arbitrary shell commands during CI/CD execution, leading to exfiltration of sensitive secrets such as GITHUB_TOKEN, manipulation of infrastructure, or supply chain compromise. The vulnerability affects multiple workflow files and actions within the Langflow repository. The fix involves refactoring workflows to use environment variables with proper quoting instead of direct interpolation. Given the high CVSS score of 9.1, this vulnerability poses a severe risk to any public Langflow forks with GitHub Actions enabled.
AI Analysis
Technical Summary
CVE-2026-33475 is a critical shell injection vulnerability identified in the Langflow project, a tool for building AI-powered agents and workflows. The root cause is the improper neutralization of special elements (CWE-74) in GitHub Actions workflows, specifically the direct interpolation of untrusted GitHub context variables such as `${{ github.head_ref }}` or `${{ github.event.pull_request.title }}` inside `run:` steps without sanitization or quoting. Since branch names and pull request titles are user-controlled inputs, malicious actors can create branches or PRs with specially crafted names containing shell commands. When the GitHub Actions workflow runs, these commands are executed in the CI environment. This allows attackers to execute arbitrary shell commands remotely without authentication, leading to potential exfiltration of CI secrets like `GITHUB_TOKEN`, unauthorized infrastructure manipulation, pushing malicious tags or images, tampering with releases, or leaking sensitive data. The vulnerability affects multiple workflow files and actions in Langflow versions prior to 1.9.0, including `.github/actions/install-playwright/action.yml` and various `.github/workflows/*.yml` files. The recommended remediation is to avoid direct interpolation of user-controlled variables in shell commands. Instead, workflows should assign these values to environment variables and use double quotes to ensure proper escaping and prevent injection. The vulnerability has a CVSS v3.1 score of 9.1 (critical), reflecting its ease of exploitation (no authentication or user interaction required), high impact on confidentiality and integrity, and broad scope affecting any public Langflow fork with GitHub Actions enabled. No known exploits in the wild have been reported yet, but the risk is significant given the potential for supply chain compromise.
Potential Impact
The impact of CVE-2026-33475 is severe for organizations using Langflow or its forks with GitHub Actions enabled. Exploitation allows unauthenticated attackers to execute arbitrary shell commands in the CI environment, leading to full compromise of CI secrets such as `GITHUB_TOKEN`. This token often grants permissions to push code, create releases, or access other repository resources, enabling attackers to tamper with the software supply chain by injecting malicious code, pushing compromised artifacts, or altering deployment pipelines. The breach of confidentiality can expose sensitive infrastructure details and credentials. Integrity is compromised as attackers can manipulate build and release processes. Although availability impact is low, the overall effect on trustworthiness and security of the development lifecycle is critical. Organizations relying on Langflow for AI workflows or integrating it into their CI/CD pipelines face risks of supply chain attacks, data leaks, and unauthorized infrastructure access. Public forks and open-source contributors are particularly vulnerable since the attack vector leverages user-controlled inputs like branch names and PR titles. This vulnerability underscores the importance of secure CI/CD practices and input sanitization in automated workflows.
Mitigation Recommendations
To mitigate this vulnerability, organizations and developers should immediately upgrade Langflow to version 1.9.0 or later, where the issue is patched. For existing workflows, refactor GitHub Actions to avoid direct interpolation of user-controlled variables in `run:` shell commands. Instead, assign these variables to environment variables and use double quotes to ensure proper escaping, for example:

```yaml
env:
  BRANCH_NAME: ${{ github.head_ref }}
run: |
  echo "Branch is: \"$BRANCH_NAME\""
```

Additionally, implement the following best practices:
- Validate and sanitize all user inputs, including branch names and PR titles, before usage in workflows.
- Restrict permissions of CI tokens like `GITHUB_TOKEN` to the minimum necessary scope.
- Monitor GitHub Actions logs and workflow runs for unusual activity or unexpected commands.
- Use branch protection rules and require code reviews to reduce risk from malicious branches.
- Consider isolating sensitive workflows or secrets from public forks or untrusted contributors.
- Regularly audit CI/CD pipelines for injection risks and update dependencies promptly.

These steps help prevent injection attacks and protect the integrity of the software supply chain.
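One way to carry out the audit recommended above, as an added example (not code from Langflow or from this advisory): a line-based scan that reports untrusted `${{ ... }}` expressions only where they sit inside `run:` script text, so the `env:` form shown in the fix is not flagged. The function name, the sample workflow and the contexts beyond `github.head_ref` and `github.event.pull_request.title` are assumptions of the example.

```python
import re

# Untrusted contexts: the advisory names github.head_ref and the pull request
# title; the other github.event.* fields are an assumption of this example.
UNTRUSTED = re.compile(
    r"\$\{\{\s*(github\.head_ref|github\.event\.(pull_request|issue|comment)"
    r"\.(title|body|head\.ref))\s*\}\}"
)
RUN_KEY = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")

# Constructed sample workflow, not taken from the Langflow repository.
SAMPLE = """\
jobs:
  build:
    steps:
      - name: unsafe, expression expanded into the script text
        run: |
          echo "Branch is: ${{ github.head_ref }}"
      - run: echo "${{ github.event.pull_request.title }}"
      - name: safe, value passed through the environment
        env:
          BRANCH_NAME: ${{ github.head_ref }}
        run: |
          echo "Branch is: $BRANCH_NAME"
"""


def find_run_injections(workflow_text):
    """Return (line_no, expression) for untrusted contexts inside run: scripts."""
    findings = []
    run_indent = None  # column of the active run: key; None outside a script
    for no, line in enumerate(workflow_text.splitlines(), start=1):
        indent = len(line) - len(line.lstrip())
        if run_indent is not None and line.strip() and indent <= run_indent:
            run_indent = None  # a dedent back to key level ends the script
        m = RUN_KEY.match(line)
        if run_indent is None and m:
            run_indent = len(m.group(1)) + len(m.group(2) or "")
            script = m.group(3)  # inline form, e.g. run: echo ...
        elif run_indent is not None:
            script = line
        else:
            continue  # env:, with:, name: are not shell text
        findings += [(no, h.group(0)) for h in UNTRUSTED.finditer(script)]
    return findings

if __name__ == "__main__":
    for no, expr in find_run_injections(SAMPLE):
        print(f"line {no}: {expr} is expanded inside a run: script")
```

The scan is a heuristic over indentation, so it covers `run:` steps in workflow and composite action files but not values passed on to other actions through `with:`.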
Affected Countries
United States, Germany, United Kingdom, Canada, France, Netherlands, Australia, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-20T16:16:48.969Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69c28b09f4197a8e3b35a4bc
Added to database: 3/24/2026, 1:00:57 PM
Last enriched: 3/31/2026, 8:28:26 PM
Last updated: 5/7/2026, 10:32:09 PM