Back to KEVs

CVE-2026-33017

Langflow has Unauthenticated Remote Code Execution via Public Flow Build Endpoint

Basic Information

CVE State
PUBLISHED
Reserved Date
March 17, 2026
Published Date
March 20, 2026
Last Updated
May 21, 2026
Vendor
langflow-ai
Product
langflow
Description
Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.
Tags
cisa nuclei_scanner

CVSS Scores

CVSS v4.0

9.3 - CRITICAL

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

SSVC Information

Exploitation
active
Automatable
Yes
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2026-06-01 12:26:07 UTC) Source

References

https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx https://github.com/langflow-ai/langflow/commit/73b6612e3ef25fdae0a752d75b0fabd47328d4f0 https://github.com/advisories/GHSA-rvqx-wpfh-mfx7

Known Exploited Vulnerability Information

Source Added Date
CVE 2026-06-01 12:26:07 UTC

Scanner Integrations

Scanner URL Date Detected
Nuclei https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2026/CVE-2026-33017.yaml 2026-06-01 15:34:44 UTC

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel

  • Detected by Nuclei