Skip to main content

Python CVE-2026-33873

CRITICAL
Code Injection (CWE-94)
2026-03-26 https://github.com/langflow-ai/langflow GHSA-v8hw-mh8c-jxfc
9.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 26, 2026 - 18:45 vuln.today
CVE Published
Mar 26, 2026 - 18:31 nvd
CRITICAL 9.3

DescriptionGitHub Advisory

Description

1. Summary

The Agentic Assistant feature in Langflow executes LLM-generated Python code during its validation phase. Although this phase appears intended to validate generated component code, the implementation reaches dynamic execution sinks and instantiates the generated class server-side.

In deployments where an attacker can access the Agentic Assistant feature and influence the model output, this can result in arbitrary server-side Python execution.

2. Description

2.1 Intended Functionality

The Agentic Assistant endpoints are designed to help users generate and validate components for a flow. Users can submit requests to the assistant, which returns candidate component code for further processing.

A reasonable security expectation is that validation should treat model output as untrusted text and perform only static or side-effect-free checks.

The externally reachable endpoints are:

https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/api/router.py#L252-L297

The request model accepts attacker-influenceable fields such as input_value, flow_id, provider, model_name, session_id, and max_retries:

https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/api/schemas.py#L20-L31

2.2 Root Cause

In the affected code path, Langflow processes model output through the following chain:

/assistexecute_flow_with_validation()execute_flow_file() → LLM returns component code → extract_component_code()validate_component_code()create_class() → generated class is instantiated

The assistant service reaches the validation path here:

https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/services/assistant_service.py#L58-L79

The code extraction step occurs here:

https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/helpers/code_extraction.py#L11-L53

The validation entry point is here:

https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/helpers/validation.py#L27-L47

The issue is that this validation path is not purely static. It ultimately invokes create_class() in lfx.custom.validate, where Python code is dynamically executed via exec(...), including both global-scope preparation and class construction.

https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/lfx/src/lfx/custom/validate.py#L241-L272

https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/lfx/src/lfx/custom/validate.py#L394-L399

https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/lfx/src/lfx/custom/validate.py#L441-L443

As a result, LLM-generated code is treated as executable Python rather than inert data. This means the “validation” step crosses a trust boundary and becomes an execution sink.

The streaming path can also reach this sink when the request is classified into the component-generation branch:

https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/services/assistant_service.py#L142-L156

https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/services/assistant_service.py#L259-L300

3. Proof of Concept (PoC)

  1. Send a request to the Agentic Assistant endpoint.
  2. Provide input that causes the model to return malicious component code.
  3. The returned code reaches the validation path.
  4. During validation, the server dynamically executes the generated Python.
  5. Arbitrary server-side code execution occurs.

4. Impact

  • Attackers who can access the Agentic Assistant feature and influence model output may execute arbitrary Python code on the server.
  • This can lead to:
  • OS command execution
  • file read/write
  • credential or secret disclosure
  • full compromise of the Langflow process

5. Exploitability Notes

This issue is most accurately described as an authenticated or feature-reachable code execution vulnerability, rather than an unconditional unauthenticated remote attack.

Severity depends on deployment model:

  • In local-only, single-user development setups, the issue may be limited to self-exposure by the operator.
  • In shared, team, or internet-exposed deployments, it may be exploitable by other users or attackers who can reach the assistant feature.

The assistant feature depends on an active user context:

https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/api/utils/core.py#L38

Authentication sources include bearer token, cookie, or API key:

https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/services/auth/utils.py#L39-L53

https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/services/auth/utils.py#L156-L163

Default deployment settings may widen exposure, including AUTO_LOGIN=true and the /api/v1/auto_login endpoint:

https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/lfx/src/lfx/services/settings/auth.py#L71-L87

https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/api/v1/login.py#L96-L135

6. Patch Recommendation

  • Remove all dynamic execution from the validation path.
  • Ensure validation is strictly static and side-effect-free.
  • Treat all LLM output as untrusted input.
  • If code generation must be supported, require explicit approval and run it in a hardened sandbox isolated from the main server process.

Discovered by: @kexinoh (https://github.com/kexinoh, works at Tencent Zhuque Lab)

AnalysisAI

Langflow's Agentic Assistant feature executes LLM-generated Python code server-side during component validation, enabling arbitrary code execution when attackers can influence model outputs. The vulnerability affects the pip package 'langflow' and exists in endpoints /assist and streaming paths that invoke exec() on dynamically generated component code. A proof-of-concept exists demonstrating the execution chain from user input through validation to code execution. Authentication requirements depend on deployment configuration, with AUTO_LOGIN=true defaults potentially widening exposure. No public exploit identified at time of analysis beyond the documented PoC, though the technical details and code references provide a complete exploitation blueprint.

Technical ContextAI

The vulnerability is classified as CWE-94 (Improper Control of Generation of Code / Code Injection) affecting the Python package langflow (CPE: pkg:pip/langflow). Langflow's Agentic Assistant is designed to help users generate workflow components via LLM interactions. The root cause stems from the validate_component_code() function treating model-generated output as trusted input rather than untrusted data. During validation, the code path reaches create_class() in lfx.custom.validate, which uses Python's exec() primitive to dynamically execute the generated component code including global-scope preparation and class instantiation. This violates the security boundary between validation (which should be static and side-effect-free) and execution. The assistant endpoints accept attacker-influenceable parameters including input_value, flow_id, provider, model_name, session_id, and max_retries, all of which can be leveraged to manipulate LLM output toward generating malicious component code that will be executed during the validation phase.

RemediationAI

Remove all dynamic execution from the validation code path and ensure validation remains strictly static and side-effect-free as recommended in the patch guidance. Treat all LLM-generated output as untrusted input requiring sanitization before any processing. If code generation functionality is business-critical, implement explicit user approval workflows and execute generated code in hardened sandboxes isolated from the main server process with restricted filesystem, network, and system call access. Until vendor patches are available, disable the Agentic Assistant feature entirely if not operationally required. For deployments that must retain assistant functionality, disable AUTO_LOGIN by setting the environment variable to false, enforce strict authentication controls, restrict network access to the /assist and assistant streaming endpoints using firewall rules or reverse proxy ACLs limiting access to trusted IP ranges only, and implement comprehensive logging of all assistant API requests for detection of exploitation attempts. Monitor the official advisory at https://github.com/langflow-ai/langflow/security/advisories/GHSA-v8hw-mh8c-jxfc for vendor-released patches and upgrade immediately when available. Organizations should audit their deployment configurations for permissive authentication settings and harden accordingly.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-33873 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy