KEVIntel

CVE-2026-33017 · CVSS 9.3 · Critical · PUBLISHED

Langflow has Unauthenticated Remote Code Execution via Public Flow Build Endpoint

1 day faster than CISA KEV

Exploited in the wild · PoC available · Remote · Low complexity · No user interaction

Vendor: langflow-ai
Product: langflow
Published: Mar 20, 2026
EPSS: 24.7% · 96th percentile


Description

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.
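As an added illustration for defenders, not part of this record or of Langflow's own code: a small Python triage script that tells whether a reported Langflow version predates the 1.9.0 fix and scans uvicorn-style access log lines for POSTs to the affected build_public_tmp endpoint. The log format, addresses and flow ids are constructed assumptions; because access logs never carry the request body, the "data" field that makes a request dangerous is not visible, so each hit is a candidate for review rather than confirmed exploitation.

```python
import re
from typing import Iterable, List, NamedTuple

# Endpoint named in the advisory. Before Langflow 1.9.0 a POST here that carries the optional
# "data" body field has the caller's flow definition exec()'d instead of the stored flow.
BUILD_PUBLIC_TMP = re.compile(r"^/api/v1/build_public_tmp/(?P<flow_id>[^/?]+)/flow(?:\?.*)?$")
FIXED_VERSION = (1, 9, 0)

# uvicorn-style access line (assumed), e.g. INFO:     10.0.0.5:51234 - "POST /api/v1/x HTTP/1.1" 200 OK
ACCESS_LINE = re.compile(
    r'^INFO:\s+(?P<client>\S+):\d+\s+-\s+"(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+HTTP/[\d.]+"\s+(?P<status>\d{3})'
)

class Hit(NamedTuple):
    client: str
    flow_id: str
    status: int

def parse_version(version: str) -> tuple:
    """'1.8.1' -> (1, 8, 1); a trailing pre-release tag such as 'rc1' is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(version: str) -> bool:
    """True when the instance predates the 1.9.0 fix and must be upgraded."""
    return parse_version(version) < FIXED_VERSION

def find_public_build_posts(lines: Iterable[str]) -> List[Hit]:
    """Every POST to the public build endpoint, with client address and HTTP status.
    Access logs do not carry the request body, so the "data" field that makes a request
    dangerous is invisible here: on an unpatched instance each hit is a triage candidate."""
    hits = []
    for line in lines:
        m = ACCESS_LINE.match(line)
        if not m or m["method"] != "POST":
            continue
        p = BUILD_PUBLIC_TMP.match(m["path"])
        if p:
            hits.append(Hit(m["client"], p["flow_id"], int(m["status"])))
    return hits

# Constructed sample log lines (not real traffic); addresses and flow ids are made up.
SAMPLE_LOG = [
    'INFO:     198.51.100.7:40422 - "POST /api/v1/build_public_tmp/3f2a9c1e-0b7d-4c55-9e1a-7d4f2b8c6a10/flow HTTP/1.1" 200 OK',
    'INFO:     198.51.100.7:40423 - "POST /api/v1/build_public_tmp/3f2a9c1e-0b7d-4c55-9e1a-7d4f2b8c6a10/flow HTTP/1.1" 500 Internal Server Error',
    'INFO:     10.0.0.8:51300 - "POST /api/v1/validate/code HTTP/1.1" 401 Unauthorized',
    'INFO:     203.0.113.9:55001 - "GET /api/v1/build_public_tmp/abc/flow HTTP/1.1" 405 Method Not Allowed',
]
```

Repeated hits from one client against the same flow id on an instance that `is_affected` reports as unpatched are the ones to pull the application logs for.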

Tags: python · cisa · nuclei_scanner

Weaknesses (CWE)

  • Missing Authentication for Critical Function

  • Improper Control of Generation of Code ('Code Injection')

  • Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

CVSS scores

CVSS v4.0 9.3 Critical

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

CVSS v3.1 9.8 Critical

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitation status

Exploited in the wild

Recorded 2026-06-01 12:26:07 UTC · CVE

Proof of concept available

Recorded 2026-03-31 02:10:40 UTC · GitHub

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

Source      Added
CVE First   2026-06-01 12:26 UTC
CISA        2026-06-02 14:02 UTC

Scanner integrations

Potential proof of concepts

These PoCs are unverified and could contain malware. Use at your own risk.

r3nsi15/CVE-2026-33017-langflow-rce

github · Created 2026-05-22 22:01:05 UTC · 0 stars

EQSTLab/CVE-2026-33017

github · Created 2026-03-31 02:10:40 UTC · 3 stars

Langflow RCE

z4yd3/PoC-CVE-2026-33017

github · Created 2026-03-27 07:15:07 UTC · 3 stars

CVE-2026-33017: Unauthenticated RCE in Langflow

rootdirective-sec/CVE-2026-33017-Lab

github · Created 2026-03-26 04:49:07 UTC · 0 stars

omer-efe-curkus/CVE-2026-33017-Langflow-RCE-PoC

github · Created 2026-03-21 17:06:34 UTC · 1 star

The vulnerability in Langflow 1.8.1 and earlier allows a remote, unauthenticated attacker to achieve arbitrary command execution on the host.

MaxMnMl/langflow-CVE-2026-33017-poc

github · Created 2026-03-21 08:11:08 UTC · 7 stars

CVE-2026-33017 - An unauthenticated remote code execution in Langflow <= 1.8.1 via Public Flow Build Endpoint

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Proof of Concept Exploit Available

  • Added to KEVIntel

  • Detected by Nuclei

  • KEV confirmed by CISA