LeakyCreds

CVE-2026-27966 - Vulnerability Analysis

Severity: Critical | CVSS: 9.8

Last Updated: February 28, 2026

Langflow - Remote Code Execution

Published: February 26, 2026
Updated: February 28, 2026
PoC Available
Remote Exploitable

Overview

Langflow versions before 1.8.0 contain a remote code execution vulnerability caused by a hardcoded allow_dangerous_code=True that exposes LangChain's python_repl_ast tool, letting attackers execute arbitrary Python and OS commands via prompt injection.

Severity & Score

Severity: Critical
CVSS Score: 9.8
EPSS Score: 14.4% (probability of exploitation in the next 30 days)

Impact

Attackers can execute arbitrary Python and OS commands on the server, leading to full remote code execution and system compromise.

Mitigation

Update Langflow to version 1.8.0 or later.

Social Media Activity (1 post)

Metasploit
@metasploit
Apr 24, 2026

The latest Metasploit Weekly Wrapup is here! Highlights include a new RCE exploit for Langflow (CVE-2026-27966), improved check method visibility with detailed reasoning, and updates for legacy SMB targets. Plus 3 other new modules! Read more: https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-04-25-2026/


Details

CVE ID: CVE-2026-27966
Severity: Critical
CVSS Score: 9.8
Type: remote_code_execution
Status: confirmed
EPSS: 14.4%
Social Posts: 1

CWE

  • CWE-94

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

14.4% (probability of exploitation in the next 30 days)