Critical Flaw in Langflow's AI Agent Opens Root Shell
A CVSS 9.8 vulnerability has been found in Langflow’s AI CSV Agent, a tool for building LLM applications. The flaw creates a direct path for attackers to gain a root shell on deployed systems, posing a significant risk for teams using the visual framework in their AI pipelines.
The vulnerability, identified as CVE-2026-27966, stems from a single hardcoded parameter within the CSV Agent's source code. Specifically, the `allow_dangerous_code` setting was permanently set to `True`, a practice that violates secure-by-default design principles and leaves the agent open to attackers.
This setting directly exposes LangChain's Python REPL (Read-Eval-Print Loop) tool, known as `python_repl_ast`. With this tool accessible, there is no effective barrier between user-submitted prompts and the server's underlying operating system, allowing arbitrary code to be run.
The vulnerability is exploited through prompt injection. An attacker can craft a malicious input that instructs the Large Language Model to use the exposed `python_repl_ast` tool, which then executes system-level commands on the server. This can include anything from reading sensitive files to deploying malware.
The issue was first brought to light by security researcher Empreiteiro on February 25, 2026. The vulnerability affects all Langflow versions prior to 1.6.9. A patch has been made available in version 1.8.0, which remediates the issue by changing the dangerous default setting.
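One way to catch this class of defect in code review, as an added example that is not Langflow's or LangChain's own code: a Python AST check that reports where `allow_dangerous_code` is pinned to a literal `True` in a call keyword, a kwargs dict, or a parameter default. The sample source and the `make_csv_agent` name in it are constructed for illustration.

```python
import ast

FLAG = "allow_dangerous_code"  # parameter name taken from the article

# Constructed sample source (hypothetical names), not Langflow's actual code.
SAMPLE = '''
def build_hardcoded(llm, path):
    return make_csv_agent(llm, path, allow_dangerous_code=True)

def build_via_dict(llm, path):
    kwargs = {"verbose": True, "allow_dangerous_code": True}
    return make_csv_agent(llm, path, **kwargs)

def build_opt_in(llm, path, allow_dangerous_code=False):
    return make_csv_agent(llm, path, allow_dangerous_code=allow_dangerous_code)

def build_bad_default(llm, path, allow_dangerous_code=True):
    return make_csv_agent(llm, path, allow_dangerous_code=allow_dangerous_code)
'''

def _is_true(node):
    return isinstance(node, ast.Constant) and node.value is True

def find_hardcoded_flag(source, flag=FLAG):
    """Return sorted (line, kind) pairs where the flag is a literal True."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):  # f(..., flag=True)
            for kw in node.keywords:
                if kw.arg == flag and _is_true(kw.value):
                    findings.append((kw.value.lineno, "keyword"))
        elif isinstance(node, ast.Dict):  # {"flag": True} later splatted into a call
            for key, value in zip(node.keys, node.values):
                if isinstance(key, ast.Constant) and key.value == flag and _is_true(value):
                    findings.append((value.lineno, "dict"))
        elif isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):  # def f(flag=True)
            a = node.args
            pos = a.posonlyargs + a.args
            pairs = list(zip(pos[len(pos) - len(a.defaults):], a.defaults))
            pairs += [(k, d) for k, d in zip(a.kwonlyargs, a.kw_defaults) if d is not None]
            for arg, default in pairs:
                if arg.arg == flag and _is_true(default):
                    findings.append((default.lineno, "default"))
    return sorted(findings)

if __name__ == "__main__":
    for line, kind in find_hardcoded_flag(SAMPLE):
        print(f"sample line {line}: {FLAG} pinned to True via {kind}")
```

The opt-in variant, where the flag defaults to `False` and is passed through from the caller, produces no finding.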