Python
CVE-2026-33873
CRITICAL
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
Description
1. Summary
The Agentic Assistant feature in Langflow executes LLM-generated Python code during its validation phase. Although this phase appears intended to validate generated component code, the implementation reaches dynamic execution sinks and instantiates the generated class server-side.
In deployments where an attacker can access the Agentic Assistant feature and influence the model output, this can result in arbitrary server-side Python execution.
2. Description
2.1 Intended Functionality
The Agentic Assistant endpoints are designed to help users generate and validate components for a flow. Users can submit requests to the assistant, which returns candidate component code for further processing.
A reasonable security expectation is that validation should treat model output as untrusted text and perform only static or side-effect-free checks.
The externally reachable endpoints are:
The request model accepts attacker-influenceable fields such as input_value, flow_id, provider, model_name, session_id, and max_retries:
2.2 Root Cause
In the affected code path, Langflow processes model output through the following chain:
/assist → execute_flow_with_validation() → execute_flow_file() → LLM returns component code → extract_component_code() → validate_component_code() → create_class() → generated class is instantiated
The assistant service reaches the validation path here:
The code extraction step occurs here:
The validation entry point is here:
The issue is that this validation path is not purely static. It ultimately invokes create_class() in lfx.custom.validate, where Python code is dynamically executed via exec(...), including both global-scope preparation and class construction.
As a result, LLM-generated code is treated as executable Python rather than inert data. This means the “validation” step crosses a trust boundary and becomes an execution sink.
The streaming path can also reach this sink when the request is classified into the component-generation branch:
3. Proof of Concept (PoC)
- Send a request to the Agentic Assistant endpoint.
- Provide input that causes the model to return malicious component code.
- The returned code reaches the validation path.
- During validation, the server dynamically executes the generated Python.
- Arbitrary server-side code execution occurs.
4. Impact
- Attackers who can access the Agentic Assistant feature and influence model output may execute arbitrary Python code on the server.
- This can lead to:
- OS command execution
- file read/write
- credential or secret disclosure
- full compromise of the Langflow process
5. Exploitability Notes
This issue is most accurately described as an authenticated or feature-reachable code execution vulnerability, rather than an unconditional unauthenticated remote attack.
Severity depends on deployment model:
- In local-only, single-user development setups, the issue may be limited to self-exposure by the operator.
- In shared, team, or internet-exposed deployments, it may be exploitable by other users or attackers who can reach the assistant feature.
The assistant feature depends on an active user context:
Authentication sources include bearer token, cookie, or API key:
Default deployment settings may widen exposure, including AUTO_LOGIN=true and the /api/v1/auto_login endpoint:
6. Patch Recommendation
- Remove all dynamic execution from the validation path.
- Ensure validation is strictly static and side-effect-free.
- Treat all LLM output as untrusted input.
- If code generation must be supported, require explicit approval and run it in a hardened sandbox isolated from the main server process.
Discovered by: @kexinoh (https://github.com/kexinoh, works at Tencent Zhuque Lab)
AnalysisAI
Langflow's Agentic Assistant feature executes LLM-generated Python code server-side during component validation, enabling arbitrary code execution when attackers can influence model outputs. The vulnerability affects the pip package 'langflow' and exists in endpoints /assist and streaming paths that invoke exec() on dynamically generated component code. A proof-of-concept exists demonstrating the execution chain from user input through validation to code execution. Authentication requirements depend on deployment configuration, with AUTO_LOGIN=true defaults potentially widening exposure. No public exploit identified at time of analysis beyond the documented PoC, though the technical details and code references provide a complete exploitation blueprint.
Technical ContextAI
The vulnerability is classified as CWE-94 (Improper Control of Generation of Code / Code Injection) affecting the Python package langflow (CPE: pkg:pip/langflow). Langflow's Agentic Assistant is designed to help users generate workflow components via LLM interactions. The root cause stems from the validate_component_code() function treating model-generated output as trusted input rather than untrusted data. During validation, the code path reaches create_class() in lfx.custom.validate, which uses Python's exec() primitive to dynamically execute the generated component code including global-scope preparation and class instantiation. This violates the security boundary between validation (which should be static and side-effect-free) and execution. The assistant endpoints accept attacker-influenceable parameters including input_value, flow_id, provider, model_name, session_id, and max_retries, all of which can be leveraged to manipulate LLM output toward generating malicious component code that will be executed during the validation phase.
RemediationAI
Remove all dynamic execution from the validation code path and ensure validation remains strictly static and side-effect-free as recommended in the patch guidance. Treat all LLM-generated output as untrusted input requiring sanitization before any processing. If code generation functionality is business-critical, implement explicit user approval workflows and execute generated code in hardened sandboxes isolated from the main server process with restricted filesystem, network, and system call access. Until vendor patches are available, disable the Agentic Assistant feature entirely if not operationally required. For deployments that must retain assistant functionality, disable AUTO_LOGIN by setting the environment variable to false, enforce strict authentication controls, restrict network access to the /assist and assistant streaming endpoints using firewall rules or reverse proxy ACLs limiting access to trusted IP ranges only, and implement comprehensive logging of all assistant API requests for detection of exploitation attempts. Monitor the official advisory at https://github.com/langflow-ai/langflow/security/advisories/GHSA-v8hw-mh8c-jxfc for vendor-released patches and upgrade immediately when available. Organizations should audit their deployment configurations for permissive authentication settings and harden accordingly.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-v8hw-mh8c-jxfc