The security proofs of continuous-variable quantum key distribution are based on the assumptions that the eavesdropper can neither act on the local oscillator nor control Bob's beam splitter. These assumptions may be invalid in practice due to potential imperfections in the implementations of such protocols. In this paper, we consider the problem of transmitting the local oscillator over a public channel and propose a wavelength attack that allows the eavesdropper to control the intensity transmission of Bob's beam splitter by switching the wavelength of the input light. Specifically, we target continuous-variable quantum key distribution systems that use the heterodyne detection protocol with either direct or reverse reconciliation. Our attack is proved to be feasible and renders all of the final key shared between the legitimate parties insecure, even if they have monitored the intensity of the local oscillator. To prevent our attack on commercial systems, a simple wavelength filter should be added before performing the monitoring detection.