Langflow is vulnerable to unauthenticated remote shell injection in its CI/CD pipelines, allowing attackers to steal sensitive secrets and compromise the software supply chain.

This is a shell injection vulnerability in GitHub Actions workflows. It occurs because unsanitized GitHub context variables (like github.head_ref) are directly interpolated into run: shell commands, allowing an unauthenticated attacker to execute commands by submitting a pull request with a malicious branch name.

An attacker can exfiltrate sensitive CI secrets, such as GITHUB_TOKEN, and potentially push malicious code or images to production repositories. This could lead to a massive supply chain compromise affecting all users of the Langflow product. The CVSS score of 9.1 reflects the critical risk to the integrity of the development lifecycle.

Immediate Action: Update Langflow to version 1.9.0 or later, which refactors workflows to use environment variables instead of direct interpolation.

Proactive Monitoring: Audit GitHub Actions logs for suspicious activity, such as unusual curl commands or unauthorized access to secrets in workflows triggered by external forks.

Compensating Controls: Restrict GitHub Actions permissions and require manual approval for all workflows triggered by pull requests from external contributors.

Public Exploit Available: Yes

This is a critical supply chain vulnerability. We strongly recommend that all organizations using Langflow immediately update to version 1.9.0 and rotate any secrets that may have been exposed in their CI/CD environments.