CVE-2026-33017

Confirmed PUBLISHED

Langflow has Unauthenticated Remote Code Execution via Public Flow Build Endpoint

langflow-ai · langflow

1 day faster than CISA KEV

Exploited in the wild Active exploitation observed PoC available

Recommended Action

Prioritize immediate patching and validate internet-facing exposure. Monitor for matching exploitation attempts in your environment.

Confidence
Confirmed
Exploitation Status
Active exploitation observed
Observed in Sensors
Yes
Attempts (30d)
2
Unique Attacker IPs
1
CISA KEV
In CISA KEV
CVSS / EPSS
9.3 Critical EPSS 98.2%

At a Glance

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.

nuclei_scanner cisa python
CVE Published
Mar 20, 2026
Exploitation Reported
Jun 01, 2026
CVSS
9.3 Critical
EPSS
98.2%
Remote Low complexity No user interaction Unauthenticated

Affected Versions

Vendor Product Version Status
langflow-ai
langflow

< 1.9.0

Affected

CVE References

Recommended Actions

  • Prioritize immediate patching and validate internet-facing exposure. Monitor for matching exploitation attempts in your environment.
  • Review sensor telemetry for request paths, attacker IPs, and payload patterns that may inform detection and exposure validation.
  • Check enrichment artifacts for scanner coverage and available PoCs before rolling remediation validation.
  • Use the Pro API to automate enrichment, telemetry, and workflow delivery for VM, SOC, and CTI pipelines.