CVE-2026-33017
9.8 CRITICAL
Langflow is a tool for building and deploying AI-powered agents and workflows
Published: 2026-03-20 · Last updated: 2026-05-21
Severity and scoring
- CVSS: 9.8 CRITICAL
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- CWE: CWE-306, CWE-94, CWE-95
Affected products
| Vendor | Product |
|---|---|
| langflow | langflow |
Description
Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.
Source: NVD
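As an added defender-side triage helper (not code from the Langflow project or from the advisory): it checks whether a deployed Langflow version predates the 1.9.0 fix and scans web-server access log lines for POST requests to the build_public_tmp endpoint named above. The log lines are a constructed sample in Common Log Format; the UUID shape of the flow_id segment is an assumption.

```python
import re
from typing import Iterable, List, NamedTuple

# Path template from the advisory; the {flow_id} segment is assumed to be a UUID.
BUILD_PUBLIC_TMP = re.compile(
    r"^/api/v1/build_public_tmp/[0-9a-fA-F-]{36}/flow(?:\?.*)?$"
)
FIXED_VERSION = (1, 9, 0)  # advisory: fixed in 1.9.0

# Common Log Format: client ident user [timestamp] "METHOD PATH PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


class Hit(NamedTuple):
    client: str
    path: str
    status: int


def parse_version(version: str) -> tuple:
    """'1.8.2' -> (1, 8, 2); a leading 'v' is tolerated, extra segments ignored."""
    return tuple(int(p) for p in version.strip().lstrip("v").split(".")[:3])


def is_affected(version: str) -> bool:
    """True when the running Langflow version predates the 1.9.0 fix."""
    return parse_version(version) < FIXED_VERSION


def find_build_public_tmp_posts(lines: Iterable[str]) -> List[Hit]:
    """Return every POST to the unauthenticated build_public_tmp endpoint.

    Legitimate public-flow builds use the same path, so a hit is a lead for
    triage, not proof of exploitation: the attacker-supplied `data` body is
    not visible in an access log and must be checked at the application layer.
    """
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        client, method, path, status = m.groups()
        if method == "POST" and BUILD_PUBLIC_TMP.match(path):
            hits.append(Hit(client, path, int(status)))
    return hits


# Constructed sample log lines (not real traffic); two of the four match.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Mar/2026:10:14:02 +0000] "POST /api/v1/build_public_tmp/3f2a9c1e-7b4d-4e8a-9c6f-1d2e3f4a5b6c/flow HTTP/1.1" 200 512
10.0.0.5 - - [21/Mar/2026:10:14:03 +0000] "GET /api/v1/flows/3f2a9c1e-7b4d-4e8a-9c6f-1d2e3f4a5b6c HTTP/1.1" 401 0
203.0.113.7 - - [21/Mar/2026:11:02:44 +0000] "POST /api/v1/build_public_tmp/3f2a9c1e-7b4d-4e8a-9c6f-1d2e3f4a5b6c/flow?stream=false HTTP/1.1" 200 1280
198.51.100.9 - - [21/Mar/2026:11:03:10 +0000] "POST /api/v1/validate/code HTTP/1.1" 401 0
""".splitlines()

if __name__ == "__main__":
    for hit in find_build_public_tmp_posts(SAMPLE_LOG):
        print(f"{hit.client} -> {hit.path} ({hit.status})")
```

On an affected version, every hit warrants a look at the request body for a supplied `data` parameter; on 1.9.0 or later the same traffic is the endpoint's intended use.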
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2026-33017
- [Other] https://github.com/advisories/GHSA-rvqx-wpfh-mfx7
- [Patch] https://github.com/langflow-ai/langflow/commit/73b6612e3ef25fdae0a752d75b0fabd47328d4f0
- [Vendor advisory] https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx
- [Other] https://github.com/langflow-ai/langflow/releases/tag/1.8.2
- [Exploit reference] https://medium.com/@aviral23/cve-2026-33017-how-i-found-an-unauthenticated-rce-in-langflow-by-reading-the-code-they-already-dc96cdce5896
- [Other] https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-33017
- [Other] https://www.sysdig.com/blog/cve-2026-33017-how-attackers-compromised-langflow-ai-pipelines-in-20-hours
Related CVEs
Same vendor
- CVE-2026-7528 — IBM Langflow OSS 1.0.0 through 1.9.0 could allow a denial of service due to uncontrolled resource consumption (7.1 HIGH)
- CVE-2026-7524 — IBM Langflow OSS 1.0.0 through 1.9.1 could allow remote code execution due to improper validation of symbolic links during archive extrac... (9.8 CRITICAL)
- CVE-2025-34291 — Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote code execution (8.8 HIGH)
Same CWE
- CVE-2026-50223 — Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz allows a low-privileged authenticated user with C...
- CVE-2026-46612 — Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes (8.8 HIGH)
- CVE-2026-20253 — In Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.3 and 10.2.2510.14, an unauthen... (9.8 CRITICAL)
- CVE-2026-45567 — Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers (8.3 HIGH)
- CVE-2026-9045 — During an internal security assessment, a potential vulnerability was discovered in Lenovo Accessories and Display Manager for Enterprise... (7.8 HIGH)