Critical GitHub Actions shell injection fixed in Langflow workflows
TL;DR — Unsafely interpolated GitHub context variables in Langflow’s GitHub Actions can be turned into shell injection, enabling attacker-controlled command execution and CI secret exfiltration.
What happened
Langflow is a tool for building and deploying AI-powered agents and workflows. CVE-2026-33475 reports an unauthenticated remote shell injection vulnerability in multiple GitHub Actions workflows in the Langflow repository, caused by unsanitized interpolation of GitHub context variables (e.g., `${{ github.head_ref }}`) inside `run:` steps.
Per the CVE record, an attacker can inject and execute arbitrary shell commands via a malicious branch name or pull request title, which can lead to secret exfiltration (including `GITHUB_TOKEN`), infrastructure manipulation, and downstream supply-chain risk during CI/CD execution. The CVE includes a step-by-step PoC scenario (fork → malicious branch name → open PR → workflow executes injected shell commands) and is scored CVSS v3.1 9.1 (Critical).
This is a high-impact pattern for platform teams because workflow command injection can collapse the trust boundary between “untrusted PR metadata” and “runner with credentials,” and it commonly becomes a pivot into release tampering or credential harvesting.
Who is impacted
- The Langflow repository’s GitHub Actions workflows prior to the vendor’s patched release.
- Any public forks of Langflow with GitHub Actions enabled that run the affected workflows on attacker-influenced inputs (e.g., PR titles / branch names).
| Component | Affected versions (per source) | Patched versions (per source) |
|---|---|---|
| Langflow GitHub Actions workflows | < 1.9.0 | 1.9.0 |
The CVE description calls out impacted workflow/action locations including `.github/workflows/` and `.github/actions/`.
What to do now
- Follow vendor remediation guidance and apply the latest patched release available at the time of writing (the CVE states `1.9.0` patches the issue).
- If you maintain forks or internal mirrors, audit your GitHub Actions for direct interpolation of untrusted GitHub context/inputs inside `run:` steps and apply the source’s recommended mitigation: "Refactor affected workflows to use environment variables and wrap them in double quotes"
- Preserve the source’s key rule in workflow review checklists: "Avoid direct `${{ ... }}` interpolation inside `run:` for any user-controlled value."
- Treat this as a CI trust-boundary incident class: if you suspect exposure, review recent workflow runs that processed attacker-controlled refs/titles and rotate secrets that may have been accessible to the runner (e.g., `GITHUB_TOKEN`).
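An added example, not code from Langflow or the CVE record: a small scanner for the audit step above that flags untrusted `${{ ... }}` contexts interpolated directly into `run:` scripts while leaving the `env:` form alone. The context shortlist, the name `find_run_injections` and the embedded workflow are assumptions constructed for illustration.

```python
import re

# Contexts an outside contributor can set. Assumed shortlist, not exhaustive.
UNTRUSTED = re.compile(
    r"\$\{\{\s*(github\.head_ref"
    r"|github\.event\.pull_request\.(?:title|body|head\.ref)"
    r"|github\.event\.(?:issue|comment|review)\.(?:title|body))\s*\}\}"
)
# Captures everything up to the "run" key so its column is known.
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")

def find_run_injections(workflow_text):
    """Return (line_number, context) for untrusted ${{ }} inside run: scripts."""
    findings = []
    run_col = None  # column of the active run: key; None when outside a script
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        key = RUN_KEY.match(line)
        indent = len(line) - len(line.lstrip(" "))
        if key:  # inline script, or start of a block scalar
            run_col, script = len(key.group(1)), key.group(2)
        elif run_col is not None and (not line.strip() or indent > run_col):
            script = line  # continuation of a multi-line run: block
        else:  # a sibling key such as env: or the next step ends the script
            run_col, script = None, ""
        findings += [(lineno, ctx) for ctx in UNTRUSTED.findall(script)]
    return findings

# Constructed sample workflow: one vulnerable step, the hardened form the
# advisory recommends (env var + double quotes), and an inline run: step.
SAMPLE = """\
on: pull_request
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: vulnerable
        run: |
          echo "Branch: ${{ github.head_ref }}"
      - name: hardened
        env:
          BRANCH: ${{ github.head_ref }}
        run: |
          echo "Branch: $BRANCH"
      - run: echo "${{ github.event.pull_request.title }}"
"""

if __name__ == "__main__":
    for lineno, ctx in find_run_injections(SAMPLE):
        print(f"line {lineno}: {ctx} interpolated directly into run:")
```

Quoting the expression inside the script does not help, because GitHub substitutes `${{ ... }}` into the script text before the shell parses it; only the `env:` form keeps the value as data.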
