CVE-2026-27966

Langflow · Langflow

Langflow's CSV Agent node improperly enables dangerous code execution by default, allowing unauthenticated attackers to achieve remote code execution via prompt injection.

Executive summary

The hardcoded enablement of dangerous code execution in Langflow's CSV Agent node allows unauthenticated attackers to execute arbitrary commands on the host server.

Vulnerability

The CSV Agent node in Langflow hardcodes the allow_dangerous_code parameter to True, which exposes LangChain’s Python REPL tool. An unauthenticated attacker can leverage prompt injection to execute arbitrary Python and operating system commands.

Business impact

A successful exploit results in full Remote Code Execution (RCE) on the underlying server, potentially leading to complete system takeover. Attackers could steal proprietary AI models, access sensitive datasets, or use the server as a pivot point for lateral movement within the corporate network. The CVSS score of 9.8 reflects the critical nature of this unauthenticated execution flaw.

Remediation

Immediate Action: Upgrade Langflow to version 1.8.0 or later, which disables the dangerous default configuration.

Proactive Monitoring: Audit Langflow logs for suspicious prompt patterns or unexpected Python execution errors within the CSV Agent node.

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules designed to detect and block prompt injection patterns aimed at LLM-integrated tools.
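
An added example supporting the remediation steps above (it is not code from Langflow or from this advisory): it compares a Langflow version string with the 1.8.0 fix and scans Python source, such as custom components, for allow_dangerous_code pinned to a literal True. The make_agent function and the sample source are constructed for illustration.

```python
import ast
import re

FLAG = "allow_dangerous_code"   # parameter named in the advisory
FIXED = (1, 8, 0)               # first fixed Langflow release per the advisory


def is_affected(version: str) -> bool:
    """True if a Langflow version string is older than the fixed release.

    Only the numeric part is compared; suffixes such as 'rc1' are ignored.
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p or 0) for p in m.groups()) < FIXED


def find_hardcoded_flag(source: str, filename: str = "<source>"):
    """Return sorted (line, form) pairs where the flag is pinned to literal True."""
    hits = set()
    for node in ast.walk(ast.parse(source, filename)):
        # Keyword form: some_call(..., allow_dangerous_code=True)
        if isinstance(node, ast.keyword) and node.arg == FLAG:
            if isinstance(node.value, ast.Constant) and node.value.value is True:
                hits.add((node.value.lineno, "keyword"))
        # Dict form: {"allow_dangerous_code": True}, later passed as **kwargs
        elif isinstance(node, ast.Dict):
            for k, v in zip(node.keys, node.values):
                if (isinstance(k, ast.Constant) and k.value == FLAG
                        and isinstance(v, ast.Constant) and v.value is True):
                    hits.add((v.lineno, "dict"))
    return sorted(hits)


# Constructed sample source; make_agent is a hypothetical helper,
# not Langflow's or LangChain's actual code.
SAMPLE = '''\
def build_agent(llm, path, user_opt_in):
    risky = make_agent(llm, path, allow_dangerous_code=True)
    opts = {"verbose": True, "allow_dangerous_code": True}
    safe = make_agent(llm, path, allow_dangerous_code=user_opt_in)
    off = make_agent(llm, path, allow_dangerous_code=False)
    return risky, opts, safe, off
'''

if __name__ == "__main__":
    for line, form in find_hardcoded_flag(SAMPLE):
        print(f"line {line}: {FLAG} hardcoded to True ({form})")
    print("1.7.9 affected:", is_affected("1.7.9"))
```

Values passed through a variable, as in the sample's user_opt_in line, are not flagged and need manual review of where the value comes from.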

Exploitation status

Public Exploit Available: No

Analyst recommendation

The exposure of a Python REPL tool to unauthenticated input constitutes a severe security failure. Organizations utilizing Langflow must prioritize the update to version 1.8.0 to mitigate the risk of full server compromise and data exfiltration.