CVE-2026-33017
Published Mar 20, 2026
Last updated 2 months ago
AI description
CVE-2026-33017 is an unauthenticated remote code execution (RCE) vulnerability found in Langflow, an open-source tool for building and deploying AI-powered agents and workflows. This flaw specifically impacts the `POST /api/v1/build_public_tmp/{flow_id}/flow` endpoint in Langflow versions prior to 1.9.0. While this endpoint is intended to allow unauthenticated users to build public flows, it improperly accepts an optional `data` parameter. When an attacker supplies this `data` parameter, it can contain arbitrary Python code embedded within node definitions. This malicious code is then executed by Python's `exec()` function without any sandboxing, input validation, or code sanitization, leading to the remote execution of arbitrary code on the vulnerable system. This vulnerability is distinct from a previous similar issue, CVE-2025-3248, which was addressed by adding authentication to a different endpoint but did not fully resolve the underlying unsafe execution design.
- Description
- Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.
- Source
- security-advisories@github.com
- NVD status
- Analyzed
- Products
- langflow
CVSS 4.0
- Type
- Secondary
- Base score
- 9.3
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- CRITICAL
CVSS 3.1
- Type
- Primary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
Data from CISA
- Vulnerability name
- Langflow Code Injection Vulnerability
- Exploit added on
- Mar 25, 2026
- Exploit action due
- Apr 8, 2026
- Required action
- Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- security-advisories@github.com
- CWE-94
Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.
- Hype score
1
The miner behind CVE-2026-33017 Langflow exploitation dropped from 31 out of 66 to 4 out of 66 on VirusTotal between 2024 and 2026. Smaller binary, shuffled strings, actively maintained. Not a recycled payload. See our full research: https://t.co/Ed9gIanQiY
@trendai_RSRCH
10 Jul 2026
453 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CISA Urges Immediate Patching of Exploited ColdFusion, Langflow, Joomla Flaws - https://t.co/rnuxt9VXQm (CVE-2026-48282, CVE-2026-55255, CVE-2026-33017)
@SecurityWeek
8 Jul 2026
1970 Impressions
2 Retweets
11 Likes
2 Bookmarks
0 Replies
0 Quotes
The miner behind CVE-2026-33017 Langflow exploitation dropped from 31 out of 66 to 4 out of 66 on VirusTotal between 2024 and 2026. Smaller binary, shuffled strings, actively maintained. Not a recycled payload. See our full research: https://t.co/Ed9gIanQiY
@trendai_RSRCH
5 Jul 2026
493 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
The miner behind CVE-2026-33017 Langflow exploitation dropped from 31 out of 66 to 4 out of 66 on VirusTotal between 2024 and 2026. Smaller binary, shuffled strings, actively maintained. Not a recycled payload. See our full research: https://t.co/Ed9gIanQiY
@trendai_RSRCH
1 Jul 2026
414 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Langflowの認証不要RCE脆弱性CVE-2026-33017を悪用してクリプトマイナーを展開するキャンペーンが観測されています。Langflowは2025年6月のCVE-2025-3248(Flodrixボットネットが悪用)に続き、1年で2度目の同種のRCEが突か
@MalwareBibleJP
30 Jun 2026
1220 Impressions
0 Retweets
7 Likes
2 Bookmarks
0 Replies
0 Quotes
First wild exploitation of Langflow CVE-2026-55255 (CVSS 9.9 IDOR) observed June 25, 2026, alongside the already-KEV-listed CVE-2026-33017 (CVSS 9.3 RCE), exposing why higher scores do not equal higher exploitation rates. Key findings: - A single operator at 45.207.216[.]55 ran
@DFIR_Radar
27 Jun 2026
231 Impressions
0 Retweets
1 Like
0 Bookmarks
2 Replies
0 Quotes
#threatreport #HighCompleteness From Langflow to Monero: Inside CVE-2026-33017 Cryptominer | 23-06-2026 Source: https://t.co/TUYjUrLF0H Key details below ↓ 🧑💻Actors/Campaigns: Teamtnt Autom 💀Threats: Ssh_worm, Xmrig_miner, Flodrix_botnet, Kinsing_miner, https://t.
@rst_cloud
25 Jun 2026
115 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 CRITICAL: IBM Langflow — CVSS 10.0 Unauthenticated RCE CVE-2026-10561 (CVSS 10.0) + CVE-2026-33017 (CVSS 9.3/10.0) Attacker sends one HTTP request → Python exec() → full system takeover. 🔗 https://t.co/88M3Pze1AT #CyberSecurity #ThreatIntel #infosec #AIsecurity
@ThreatAft
23 Jun 2026
85 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
openai dropped CVE-2026-33017. unauth RCE, CVSS high, exploit available. if you have openai in your stack, block external access to the affected endpoint until patched. #OpenAI #RCE #GitHub #CVE-2026-33017 https://t.co/BIbf7f8WjV
@trerbbb
18 May 2026
93 Impressions
2 Retweets
2 Likes
0 Bookmarks
0 Replies
0 Quotes
Langflow CVE-2026-33017 Exploited to Steal AWS Keys, Deploy NATS Worker https://t.co/6k29gf4M4k
@PVynckier
17 May 2026
128 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
breaking: microsoft's copilot faces 2025's echoleak (cve-32711), a critical zero-click vuln. servicenow virtual agent is hit by bodysnatcher (cve-2025-12420). langflow's cve-2026-33017 is critical. your ai agents are high-value targets. audit and patch your systems now. https://t
@The_Agent_Econ
29 Mar 2026
130 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Langflow just got its second CISA KEV in two years. CVE-2026-33017. Same exec() architecture as CVE-2025-3248. Attackers went from advisory to credential harvesting in 24 hours - no PoC required. This is not a patch problem. It is an architecture problem that was never fixed.
@jlabernathy
28 Mar 2026
121 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
I found CVE-2026-33017, a Critical 9.3 unauthenticated RCE in Langflow, by looking at the code path the previous CISA KEV fix (CVE-2025-3248) missed. - https://t.co/gFBy4aiRQe #aisecurity #langflowvulnerability
@hackernoon
26 Mar 2026
338 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
[
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B38E7511-B77D-4E5F-B33A-458EE5770358",
"versionEndExcluding": "1.8.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
]