CVE-2026-33873: CWE-94: Improper Control of Generation of Code ('Code Injection') in langflow-ai langflow
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.9.0, the Agentic Assistant feature in Langflow executes LLM-generated Python code during its validation phase. Although this phase appears intended to validate generated component code, the implementation reaches dynamic execution sinks and instantiates the generated class server-side. In deployments where an attacker can access the Agentic Assistant feature and influence the model output, this can result in arbitrary server-side Python execution. Version 1.9.0 fixes the issue.
AI Analysis
Technical Summary
CVE-2026-33873 affects langflow-ai's langflow product in versions before 1.9.0. The Agentic Assistant feature dynamically executes Python code generated by a large language model during its validation phase. Because this execution occurs server-side and the generated code is instantiated, an attacker able to influence the model output can achieve arbitrary code execution on the server. This represents an improper control of code generation (CWE-94). The vulnerability has a CVSS 4.0 score of 9.3, indicating critical severity. Version 1.9.0 of langflow addresses this issue.
Potential Impact
Successful exploitation allows an attacker with access to the Agentic Assistant feature to execute arbitrary Python code on the server hosting langflow. This can lead to full compromise of the server environment, data exposure, and further attacks. The vulnerability is critical due to its remote network attack vector, low complexity, and high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
Upgrade langflow to version 1.9.0 or later, where this vulnerability is fixed. No other official mitigations are indicated. Patch status is confirmed by the vendor's versioning information. Users should not use versions prior to 1.9.0 in environments where untrusted users can access the Agentic Assistant feature.
CVE-2026-33873: CWE-94: Improper Control of Generation of Code ('Code Injection') in langflow-ai langflow
Description
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.9.0, the Agentic Assistant feature in Langflow executes LLM-generated Python code during its validation phase. Although this phase appears intended to validate generated component code, the implementation reaches dynamic execution sinks and instantiates the generated class server-side. In deployments where an attacker can access the Agentic Assistant feature and influence the model output, this can result in arbitrary server-side Python execution. Version 1.9.0 fixes the issue.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-33873 affects langflow-ai's langflow product in versions before 1.9.0. The Agentic Assistant feature dynamically executes Python code generated by a large language model during its validation phase. Because this execution occurs server-side and the generated code is instantiated, an attacker able to influence the model output can achieve arbitrary code execution on the server. This represents an improper control of code generation (CWE-94). The vulnerability has a CVSS 4.0 score of 9.3, indicating critical severity. Version 1.9.0 of langflow addresses this issue.
Potential Impact
Successful exploitation allows an attacker with access to the Agentic Assistant feature to execute arbitrary Python code on the server hosting langflow. This can lead to full compromise of the server environment, data exposure, and further attacks. The vulnerability is critical due to its remote network attack vector, low complexity, and high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
Upgrade langflow to version 1.9.0 or later, where this vulnerability is fixed. No other official mitigations are indicated. Patch status is confirmed by the vendor's versioning information. Users should not use versions prior to 1.9.0 in environments where untrusted users can access the Agentic Assistant feature.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-24T15:10:05.679Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69c6e8bb3c064ed76ff077be
Added to database: 3/27/2026, 8:29:47 PM
Last enriched: 4/4/2026, 6:40:06 AM
Last updated: 5/11/2026, 10:07:34 AM
Views: 145
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.