Langflow is a platform designed for building and deploying AI-powered agents and workflows. Prior to version 1.9.0, the Agentic Assistant feature in langflow executes Python code generated by large language models (LLMs) during its validation phase. This validation phase is intended to verify generated component code but inadvertently reaches dynamic execution sinks, instantiating the generated Python classes server-side. Because the code executed is derived from LLM output, if an attacker can influence the model's output—such as by providing crafted inputs or manipulating the environment—they can inject arbitrary Python code that runs on the server. This represents a classic code injection vulnerability categorized under CWE-94 (Improper Control of Generation of Code). The vulnerability does not require user interaction and can be exploited remotely with low attack complexity, requiring only limited privileges to access the Agentic Assistant feature. The vulnerability has been assigned CVE-2026-33873 with a CVSS 4.0 base score of 9.3, reflecting its critical severity due to high impact on confidentiality, integrity, and availability, and the broad scope of affected systems. The issue was resolved in langflow version 1.9.0 by removing or securing the dynamic execution of LLM-generated code during validation. No public exploits have been observed yet, but the nature of the vulnerability makes it a high-risk target for attackers aiming to gain full control over affected servers.

The impact of CVE-2026-33873 is severe for organizations using vulnerable versions of langflow. Successful exploitation allows attackers to execute arbitrary Python code on the server hosting langflow, potentially leading to full system compromise. This can result in unauthorized data access, data modification or destruction, deployment of malware or ransomware, lateral movement within networks, and disruption of AI workflows critical to business operations. Given langflow’s role in AI agent orchestration, compromise could also lead to manipulation of AI-driven decision-making processes, causing cascading operational and reputational damage. The vulnerability’s ease of exploitation and lack of required user interaction increase the risk of automated or targeted attacks. Organizations relying on langflow for AI deployments, especially those exposing the Agentic Assistant feature to untrusted users or networks, are at heightened risk. The absence of known exploits in the wild does not diminish the urgency, as proof-of-concept exploits could emerge rapidly given the public disclosure.

To mitigate CVE-2026-33873, organizations should immediately upgrade langflow to version 1.9.0 or later, where the vulnerability is fixed. If upgrading is not immediately feasible, restrict access to the Agentic Assistant feature to trusted users and networks only, using network segmentation, firewalls, and strong authentication controls. Disable or remove the Agentic Assistant feature if it is not essential to operations. Implement runtime application self-protection (RASP) or web application firewalls (WAFs) with custom rules to detect and block suspicious Python code execution patterns. Conduct thorough code reviews and security testing of any custom workflows or AI components integrated with langflow. Monitor logs and system behavior for unusual activity indicative of exploitation attempts. Educate developers and administrators about the risks of dynamic code execution from untrusted sources and enforce strict input validation and sanitization practices. Maintain an incident response plan tailored to AI platform compromises to enable rapid containment and recovery.