Platform
python
Component
langflow
Fixed in
1.9.1
1.9.0
CVE-2026-33873 is a critical Remote Code Execution (RCE) vulnerability affecting Langflow versions up to 1.9.0. The Agentic Assistant feature, designed for validating generated component code, suffers from a flaw that allows attackers to trigger arbitrary server-side Python execution. This vulnerability poses a significant risk to deployments where an attacker can manipulate the model's output, potentially leading to complete system compromise. A fix is available in version 1.9.0.
The impact of CVE-2026-33873 is severe. An attacker who can influence the model output within the Agentic Assistant feature can inject malicious Python code. This code will be executed on the server during the validation phase, granting the attacker arbitrary code execution capabilities. This can lead to complete system compromise, including data exfiltration, malware installation, and lateral movement within the network. The ability to execute arbitrary code bypasses standard security controls and allows for a wide range of malicious activities. The vulnerability's reliance on model output manipulation makes it particularly concerning in environments where AI models are exposed to untrusted input.
CVE-2026-33873 was publicly disclosed on 2026-03-27. Currently, there are no known public proof-of-concept exploits. The EPSS score is likely to be assessed as medium to high due to the critical CVSS score and the potential for complete system compromise. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.09% (25% percentile)
CISA SSVC
The primary mitigation for CVE-2026-33873 is to immediately upgrade Langflow to version 1.9.0 or later. If upgrading is not immediately feasible, consider implementing strict input validation and sanitization on the model's input to prevent malicious code injection. Additionally, restrict access to the Agentic Assistant feature to trusted users only. Monitor server logs for suspicious Python code execution patterns. While a WAF might offer some protection, it is unlikely to be effective against this type of vulnerability due to the dynamic nature of the code execution. There are no specific Sigma or YARA rules available at this time, but monitoring for unusual Python process activity is recommended.
Update Langflow to version 1.9.0 or higher. This version corrects the arbitrary code execution vulnerability during Agentic Assistant validation. The update will prevent an attacker from executing malicious Python code on the server.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-33873 is a critical Remote Code Execution vulnerability in Langflow versions up to 1.9.0. It allows attackers to execute arbitrary Python code on the server through the Agentic Assistant feature if they can influence the model output.
You are affected if you are using Langflow version 1.9.0 or earlier and the Agentic Assistant feature is accessible and potentially influenced by untrusted input.
Upgrade Langflow to version 1.9.0 or later to remediate the vulnerability. If upgrading is not immediately possible, implement strict input validation and restrict access to the Agentic Assistant feature.
As of the current disclosure date, there are no known public exploits or confirmed active exploitation campaigns for CVE-2026-33873.
Refer to the Langflow project's official website and security advisories for the latest information and updates regarding CVE-2026-33873.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your requirements.txt file and we'll tell you instantly if you're affected.