PyPI: langflow
CVE-2026-33873
Safety vulnerability ID: SFTY-20260326-09795
Safety legacy ID: pyup.io-90736
Overview
Langflow has Authenticated Code Execution in Agentic Assistant Validation
Advisory
Affected versions of the langflow package are vulnerable to Code Injection due to unsafe dynamic execution of LLM-generated Python code during Agentic Assistant validation. The /assist validation flow reaches execute_flow_with_validation(), execute_flow_file(), extract_component_code(), and validate_component_code(), which ultimately call create_class() in lfx.custom.validate, where the generated code is executed with exec(...) and the resulting class is instantiated server-side instead of being treated as untrusted text.
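The following added example (not langflow's code, and not the project's fix, which this record does not describe) contrasts the pattern the advisory names, running generated text with exec() and pulling the class out of the resulting namespace, with a static check that inspects the same text through the ast module without ever executing it. Every name in it (unsafe_create_class, validate_component_code_static, ComponentInfo, static_check, the ALLOWED_IMPORTS allowlist) and both sample component strings are constructed for illustration.

```python
"""Contrast of exec()-based class extraction with a static AST check.

Added example, not code from langflow; all names and samples are constructed.
"""
from __future__ import annotations

import ast
from dataclasses import dataclass, field

# Constructed sample of "LLM-generated" component code that is well formed.
GENERATED_OK = '''
class MyComponent:
    display_name = "Adder"

    def build(self, a: int, b: int) -> int:
        return a + b
'''

# Same class plus one module-level statement. It is a harmless marker here,
# but exec() runs any statement in this position before the class is ever
# instantiated, which is the defect the advisory describes.
GENERATED_WITH_SIDE_EFFECT = GENERATED_OK + '''
MARKER.append("module-level code ran")
'''


def unsafe_create_class(code: str, class_name: str, marker: list) -> type:
    """The pattern the advisory describes: run the text, then pull the class
    out of the resulting namespace. Shown only for contrast."""
    namespace: dict = {"MARKER": marker}
    exec(code, namespace)  # noqa: S102  every top-level statement executes here
    return namespace[class_name]


# Allowlist of modules a generated component may import (assumption).
ALLOWED_IMPORTS = {"typing", "dataclasses", "math"}


class ValidationError(ValueError):
    """Raised when generated code fails the static check."""


@dataclass
class ComponentInfo:
    class_name: str
    methods: list[str] = field(default_factory=list)
    display_name: str | None = None


def _imported_modules(node: ast.Import | ast.ImportFrom) -> list[str]:
    if isinstance(node, ast.Import):
        return [alias.name.split(".")[0] for alias in node.names]
    return [(node.module or "").split(".")[0]]


def validate_component_code_static(code: str, class_name: str) -> ComponentInfo:
    """Validate generated component code by inspecting its AST only.

    Rejects any module-level statement other than allowlisted imports, a
    docstring and class definitions; never executes or instantiates anything.
    """
    try:
        tree = ast.parse(code)
    except SyntaxError as exc:
        raise ValidationError(f"not valid Python: {exc.msg} (line {exc.lineno})") from exc

    target = None
    for node in tree.body:
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            denied = [m for m in _imported_modules(node) if m not in ALLOWED_IMPORTS]
            if denied:
                raise ValidationError(
                    f"import of non-allowlisted module(s) {denied} at line {node.lineno}")
        elif isinstance(node, ast.ClassDef):
            if node.name == class_name:
                target = node  # helper classes are tolerated, only this one is inspected
        elif (isinstance(node, ast.Expr) and isinstance(node.value, ast.Constant)
              and isinstance(node.value.value, str)):
            continue  # module docstring
        else:
            raise ValidationError(
                f"module-level {type(node).__name__} at line {node.lineno} is not allowed")
    if target is None:
        raise ValidationError(f"no class named {class_name!r} defined")

    # Extract the metadata a validator needs from the class body, still without running it.
    info = ComponentInfo(class_name=class_name)
    for item in target.body:
        if isinstance(item, (ast.FunctionDef, ast.AsyncFunctionDef)):
            info.methods.append(item.name)
        elif isinstance(item, ast.Assign) and isinstance(item.value, ast.Constant):
            for tgt in item.targets:
                if isinstance(tgt, ast.Name) and tgt.id == "display_name":
                    info.display_name = str(item.value.value)
    if "build" not in info.methods:
        raise ValidationError("component class defines no build() method")
    return info


def static_check(code: str, class_name: str) -> tuple[bool, str]:
    """Convenience wrapper returning (accepted, reason)."""
    try:
        info = validate_component_code_static(code, class_name)
    except ValidationError as exc:
        return False, str(exc)
    return True, f"{info.class_name}: methods={info.methods}, display_name={info.display_name!r}"
```

Run against GENERATED_WITH_SIDE_EFFECT, unsafe_create_class appends to the marker list before returning the class, while static_check rejects the same text at the module-level expression and never touches the marker. The static path cannot prove a component is safe to run later, but it moves validation off the request path entirely: the generated text stays data until a separate, deliberately isolated step chooses to load it.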
References
- https://getsafety.com/vulnerabilities/SFTY-20260326-09795/CVE-2026-33873
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33873
- https://github.com/advisories/GHSA-v8hw-mh8c-jxfc
- https://pypi.org/project/langflow
- https://github.com/langflow-ai/langflow/security/advisories/GHSA-v8hw-mh8c-jxfc
- https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/api/router.py#L252-L297
- https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/api/schemas.py#L20-L31
- https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/helpers/code_extraction.py#L11-L53
- https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/helpers/validation.py#L27-L47
- https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/services/assistant_service.py#L142-L156
- https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/services/assistant_service.py#L259-L300
- https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/agentic/services/assistant_service.py#L58-L79
- https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/api/utils/core.py#L38
- https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/api/v1/login.py#L96-L135
- https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/services/auth/utils.py#L156-L163
- https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/backend/base/langflow/services/auth/utils.py#L39-L53
- https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/lfx/src/lfx/custom/validate.py#L241-L272
- https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/lfx/src/lfx/custom/validate.py#L394-L399
- https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/lfx/src/lfx/custom/validate.py#L441-L443
- https://github.com/langflow-ai/langflow/blob/f7f4d1e70ba5eecd18162ec96f3571c2cfbcd1fc/src/lfx/src/lfx/services/settings/auth.py#L71-L87
- https://nvd.nist.gov/vuln/detail/CVE-2026-33873
- https://github.com/pypa/advisory-database/tree/main/vulns/langflow/PYSEC-2026-82.yaml
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
