The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-33873

CVE-2026-33873: Langflow Agentic Assistant RCE Vulnerability

CVE-2026-33873 is a remote code execution flaw in Langflow Agentic Assistant that executes LLM-generated Python code server-side. Attackers can exploit this to achieve arbitrary code execution. Fixed in version 1.9.0.

Published: April 2, 2026

CVE-2026-33873 Overview

CVE-2026-33873 is a critical code injection vulnerability in Langflow, a tool for building and deploying AI-powered agents and workflows. Prior to version 1.9.0, the Agentic Assistant feature in Langflow executes LLM-generated Python code during its validation phase. Although this phase appears intended to validate generated component code, the implementation reaches dynamic execution sinks and instantiates the generated class server-side. In deployments where an attacker can access the Agentic Assistant feature and influence the model output, this can result in arbitrary server-side Python execution.

Critical Impact

Attackers with access to the Agentic Assistant feature can achieve arbitrary Python code execution on the server by manipulating LLM-generated code during the validation phase, potentially leading to complete system compromise.

Affected Products

  • Langflow versions prior to 1.9.0
  • Langflow Agentic Assistant feature
  • Langflow deployments with accessible AI assistant endpoints

Discovery Timeline

  • 2026-03-27 - CVE-2026-33873 published to NVD
  • 2026-03-30 - Last updated in NVD database

Technical Details for CVE-2026-33873

Vulnerability Analysis

This vulnerability represents a critical code injection flaw (CWE-94) in Langflow's Agentic Assistant feature. The core issue lies in how the application handles LLM-generated Python code during what should be a validation-only phase. Instead of safely analyzing the generated code, the validation process dynamically executes the code and instantiates generated classes on the server.

The attack surface is particularly dangerous because it involves AI-generated content that can be influenced by an attacker. By crafting specific prompts or manipulating the context provided to the LLM, an attacker can cause the model to generate malicious Python code that will be executed during the validation phase. This creates a novel attack vector where traditional input validation may be insufficient, as the malicious payload is generated by the AI model itself.

The vulnerability is network-accessible and requires only low privileges to exploit, making it particularly concerning for internet-facing Langflow deployments. Successful exploitation can lead to complete compromise of confidentiality and integrity on both the vulnerable system and potentially connected systems.

Root Cause

The root cause of this vulnerability stems from unsafe dynamic code execution within the validation pipeline. The validation code and code extraction helpers process LLM-generated code and pass it to execution sinks. The assistant service orchestrates this flow, ultimately instantiating the generated class rather than performing static analysis or sandboxed validation.

The fundamental security flaw is treating validation as requiring execution. Proper code validation should use static analysis techniques, Abstract Syntax Tree (AST) parsing, or sandboxed environments rather than direct execution in the application context.

Attack Vector

The attack is executed over the network by an authenticated user with access to the Agentic Assistant feature. The attacker exploits the vulnerability through the following mechanism:

  1. The attacker accesses the Agentic Assistant API endpoint exposed via the router
  2. Through prompt manipulation or context injection, the attacker influences the LLM to generate malicious Python code
  3. When the system attempts to validate the generated component code, it executes the malicious payload
  4. The attacker achieves arbitrary Python code execution on the server with the privileges of the Langflow application

The attack requires no user interaction beyond the attacker's own authentication, and the low attack complexity makes this vulnerability particularly dangerous. For detailed technical information, refer to the GitHub Security Advisory GHSA-v8hw-mh8c-jxfc.

Detection Methods for CVE-2026-33873

Indicators of Compromise

  • Unusual Python process spawning from the Langflow application
  • Unexpected network connections originating from the Langflow server
  • Suspicious file system modifications in the application directory or system paths
  • Anomalous API requests to the Agentic Assistant endpoints with unusual payloads or encoding

Detection Strategies

  • Monitor Langflow application logs for validation errors or exceptions related to code execution
  • Implement network traffic analysis to detect unusual outbound connections from Langflow servers
  • Deploy endpoint detection and response (EDR) solutions to identify malicious process behavior
  • Review audit logs for unusual patterns in Agentic Assistant feature usage

Monitoring Recommendations

  • Enable verbose logging for the Agentic Assistant feature and monitor for code execution patterns
  • Configure alerts for any Python subprocess execution initiated by the Langflow application
  • Monitor system resource usage for unexpected CPU or memory spikes during validation operations
  • Track authentication events and correlate with Agentic Assistant API access patterns

How to Mitigate CVE-2026-33873

Immediate Actions Required

  • Upgrade Langflow to version 1.9.0 or later immediately
  • If immediate upgrade is not possible, disable or restrict access to the Agentic Assistant feature
  • Implement network segmentation to limit the blast radius of potential exploitation
  • Review access controls and restrict Agentic Assistant feature to trusted users only

Patch Information

Version 1.9.0 of Langflow addresses this vulnerability. Organizations should prioritize upgrading to this version or later. The patch modifies the validation logic to prevent dynamic execution of LLM-generated code. Review the GitHub Security Advisory for complete patch details and upgrade instructions.

Workarounds

  • Disable the Agentic Assistant feature entirely if not required for operations
  • Implement strict network access controls to limit who can reach the Agentic Assistant API
  • Deploy a Web Application Firewall (WAF) with rules to inspect and filter suspicious requests to Langflow endpoints
  • Run Langflow in a containerized or sandboxed environment with minimal privileges and restricted system access
bash
# Example: Restrict access to Agentic Assistant endpoint via nginx
location /api/v1/agentic {
    # Allow only internal/trusted networks
    allow 10.0.0.0/8;
    allow 192.168.0.0/16;
    deny all;
    
    proxy_pass http://langflow_backend;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeRCE
  • Vendor/TechLangflow
  • SeverityCRITICAL
  • CVSS Score9.3
  • EPSS Probability0.09%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityNone
  • CWE References
  • CWE-94
  • Technical References
  • GitHub LangFlow Router Code
  • GitHub LangFlow Schemas Code
  • GitHub LangFlow Code Extraction
  • GitHub LangFlow Validation Code
  • GitHub LangFlow Assistant Service
  • GitHub LangFlow Assistant Service
  • GitHub LangFlow Assistant Service
  • GitHub LangFlow Core Utilities
  • GitHub LangFlow Login Logic
  • GitHub LangFlow Auth Utilities
  • GitHub LangFlow Auth Utilities
  • GitHub LangFlow Custom Validation
  • GitHub LangFlow Custom Validation
  • GitHub LangFlow Custom Validation
  • GitHub LangFlow Auth Settings
  • GitHub Security Advisory GHSA-v8hw-mh8c-jxfc
  • Related CVEs
  • CVE-2026-33017: Langflow Langflow RCE Vulnerability
  • CVE-2026-33309: Langflow Arbitrary File Write RCE Flaw
  • CVE-2026-33475: Langflow GitHub Actions RCE Vulnerability
  • CVE-2026-27966: Langflow CSV Agent Node RCE Vulnerability
Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English