What is CVE-2026-33475?

CVE-2026-33475 is a critical-severity vulnerability in Langflow-ai Langflow, classified under Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection). CVSS score: 9.1/10. Published 2026-03-24.

How severe is CVE-2026-33475?

Critical severity. CVSS v3 base score is 9.1 out of 10.

RCE in Langflow-ai Langflow

CVE-2026-33475

Langflow is a tool for building and deploying AI-powered agents and workflows. An unauthenticated remote shell injection vulnerability exists in multiple GitHub Actions workflows in the Langflow repository prior to version 1.9.0. Unsanitiz…

EPSS: 0.001 (23.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.1 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N.

Affected products

Langflow-ai Langflow — versions < 1.9.0

Weakness classification (CWE)

References

https://github.com/langflow-ai/langflow/security/advisories/GHSA-87cc-65ph-2j4w (x_refsource_CONFIRM)

Frequently asked questions

What is CVE-2026-33475?: CVE-2026-33475 is a critical-severity vulnerability in Langflow-ai Langflow, classified under Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection). CVSS score: 9.1/10. Published 2026-03-24.
How severe is CVE-2026-33475?: Critical severity. CVSS v3 base score is 9.1 out of 10.