PT-2026-28544 · Langflow · Langflow

Kexinoh · Published 2026-03-26 · Updated 2026-03-28 · CVE-2026-33873

CVSS v3.1: 9.9 Critical
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Langflow versions prior to 1.9.0
Description: Langflow's Agentic Assistant feature, prior to version 1.9.0, executes LLM-generated Python code during validation. This allows arbitrary server-side Python execution if an attacker can access the Agentic Assistant feature and influence the model output. The vulnerable code path processes model output through a chain that ultimately invokes create_class(), which dynamically executes Python code using exec(). The affected endpoints include /api/v1/login; the assistant feature relies on user authentication via bearer token, cookie, or API key. Default deployment settings, such as AUTO_LOGIN=true and the /api/v1/auto_login endpoint, may widen exposure. The issue is an authenticated code execution vulnerability whose severity depends on the deployment model.
Recommendations: Versions prior to 1.9.0 should be updated to version 1.9.0 or later.
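As an added illustration (this is not Langflow's code and not the fix the project shipped), the two validation patterns the description contrasts: "validating" model output by calling exec() runs every top-level statement in the string, so a syntax check by execution is also arbitrary code execution, whereas parsing the same string with the standard-library ast module yields the structural facts a validator needs (does it define a class, what does it import, what else is at module level) without running anything. The sample "model output" and the SIDE_EFFECTS sentinel are constructed for the demonstration.

```python
import ast

# Sentinel list: if the sample code is ever executed, it appends to this.
SIDE_EFFECTS = []

# Constructed stand-in for LLM-generated component code: a harmless class
# definition followed by a module-level statement with a side effect.
GENERATED_CODE = '''
class MyComponent:
    def run(self):
        return "ok"

SIDE_EFFECTS.append("module-level code ran")
'''


def validate_by_exec(code: str) -> bool:
    """Vulnerable pattern (deliberately kept for contrast): 'validate' the
    code by executing it and checking that a class was defined. Every
    top-level statement runs, so untrusted model output becomes
    arbitrary server-side execution."""
    namespace = {"SIDE_EFFECTS": SIDE_EFFECTS}
    exec(code, namespace)  # the defect: execution as validation
    return any(isinstance(v, type) for v in namespace.values())


def validate_by_ast(code: str) -> dict:
    """Hardened pattern: parse without executing. ast.parse only builds a
    syntax tree, so the side-effecting statement is reported, never run.
    Anything at module level other than class/function definitions and
    imports is flagged in 'extra_statements' so the caller can reject it."""
    try:
        tree = ast.parse(code)
    except SyntaxError as exc:
        return {"syntax_ok": False, "error": str(exc)}

    classes = [n.name for n in tree.body if isinstance(n, ast.ClassDef)]

    imports = []
    for node in tree.body:
        if isinstance(node, ast.Import):
            imports.extend(alias.name for alias in node.names)
        elif isinstance(node, ast.ImportFrom):
            imports.extend(f"{node.module}.{alias.name}" for alias in node.names)

    allowed = (ast.ClassDef, ast.FunctionDef, ast.Import, ast.ImportFrom)
    extra = [type(n).__name__ for n in tree.body if not isinstance(n, allowed)]

    return {
        "syntax_ok": True,
        "classes": classes,
        "imports": imports,
        "extra_statements": extra,
    }


if __name__ == "__main__":
    print("ast  :", validate_by_ast(GENERATED_CODE), "side effects:", SIDE_EFFECTS)
    print("exec :", validate_by_exec(GENERATED_CODE), "side effects:", SIDE_EFFECTS)
```

Running the block shows the difference directly: after validate_by_ast the sentinel list is still empty and the report lists a stray `Expr` statement to reject; after validate_by_exec the sentinel has been appended to, because exec() ran the whole module body.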

Exploit · Fix · RCE · Code Injection

Weakness Enumeration

Related Identifiers

CVE-2026-33873
ECHO-E568-958C-EC51
GHSA-V8HW-MH8C-JXFC
PYSEC-2026-82

Affected Products

Langflow