Langflow's CSV Agent node uses a Python code execution backend to process data — and the LLM inside the agent controls what code runs. A hardcoded configuration setting allows the model to generate and execute arbitrary Python and OS commands with no sandboxing, no allowlist, and no human review step. Researcher "Empreiteiro" disclosed this as GHSA-3645-fxcv-hqr4 on February 25, 2026.
The technical failure is a textbook confused deputy chain: the CSV parser trusts the LLM's output; the Python interpreter trusts the CSV parser; the OS trusts the interpreter. A single malformed CSV file or adversarial prompt directed at the agent is sufficient to obtain full server control.
Langflow is deployed across millions of enterprise AI pipelines as a visual workflow builder for AI agents. The combination of a CVSS score of 10.0, a publicly available PoC, and broad enterprise deployment makes this an immediate patch priority for any organization running Langflow-based agents.
Immediate action: Audit all Langflow deployments for CSV Agent node usage. Isolate Langflow instances behind network controls. Apply the vendor patch when available; if it is unavailable, disable the CSV Agent node and substitute sandboxed alternatives.
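
One way to run the audit step over a directory of exported flow JSON files, as an added example that is not Langflow's or the advisory's own code. It assumes each node in an export is an object with an `id` and a `data.type` field and that the CSV Agent component's type string is `CSVAgent`; adjust both to match your exports.

```python
"""Audit Langflow flow exports for CSV Agent nodes (added example)."""
import json
import sys
from pathlib import Path

# Assumption: the CSV Agent component appears in exports with this type string.
CSV_AGENT_TYPES = {"CSVAgent"}

# Constructed sample export (not taken from a real deployment).
SAMPLE_FLOW = {"name": "sales-report", "data": {"nodes": [
    {"id": "ChatInput-a1", "data": {"type": "ChatInput", "node": {}}},
    {"id": "CSVAgent-b2", "data": {"type": "CSVAgent",
                                   "node": {"display_name": "CSV Agent"}}},
    # Grouped node embedding a nested flow that hides a second CSV Agent.
    {"id": "Group-c3", "data": {"type": "GroupNode", "node": {"flow": {"data": {
        "nodes": [{"id": "CSVAgent-d4", "data": {"type": "CSVAgent", "node": {}}}]}}}}},
]}}


def find_csv_agent_nodes(flow):
    """Return sorted ids of CSV Agent nodes, including ones nested in groups."""
    hits, stack = set(), [flow]
    while stack:
        obj = stack.pop()
        if isinstance(obj, dict):
            data = obj.get("data")
            if isinstance(data, dict) and data.get("type") in CSV_AGENT_TYPES:
                hits.add(str(obj.get("id", "<no id>")))
            stack.extend(obj.values())
        elif isinstance(obj, list):
            stack.extend(obj)
    return sorted(hits)


def audit_directory(root):
    """Map each flow file under root to its CSV Agent node ids or a parse error."""
    report = {}
    for path in sorted(Path(root).rglob("*.json")):
        try:
            flow = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:
            # Unparseable files are reported, not skipped, so they get a manual look.
            report[str(path)] = f"unreadable: {exc.__class__.__name__}"
            continue
        nodes = find_csv_agent_nodes(flow)
        if nodes:
            report[str(path)] = nodes
    return report


if __name__ == "__main__":
    for name, finding in audit_directory(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(name, finding)
```

Flows that exist only in a running instance's database need to be exported first; a clean report over exports says nothing about flows that were never exported.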