CVE-2026-33017

Published Mar 20, 2026

Last updated 2 months ago

Exploit knownCVSS critical 9.3
Ubuntu
API
Tunneling protocol

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-33017 is an unauthenticated remote code execution (RCE) vulnerability found in Langflow, an open-source tool for building and deploying AI-powered agents and workflows. This flaw specifically impacts the `POST /api/v1/build_public_tmp/{flow_id}/flow` endpoint in Langflow versions prior to 1.9.0. While this endpoint is intended to allow unauthenticated users to build public flows, it improperly accepts an optional `data` parameter. When an attacker supplies this `data` parameter, it can contain arbitrary Python code embedded within node definitions. This malicious code is then executed by Python's `exec()` function without any sandboxing, input validation, or code sanitization, leading to the remote execution of arbitrary code on the vulnerable system. This vulnerability is distinct from a previous similar issue, CVE-2025-3248, which was addressed by adding authentication to a different endpoint but did not fully resolve the underlying unsafe execution design.

Description
Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.
Source
security-advisories@github.com
NVD status
Analyzed
Products
langflow

Risk scores

CVSS 4.0

Type
Secondary
Base score
9.3
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
CRITICAL

CVSS 3.1

Type
Primary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Known exploits

Data from CISA

Vulnerability name
Langflow Code Injection Vulnerability
Exploit added on
Mar 25, 2026
Exploit action due
Apr 8, 2026
Required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

security-advisories@github.com
CWE-94

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

1

  1. The miner behind CVE-2026-33017 Langflow exploitation dropped from 31 out of 66 to 4 out of 66 on VirusTotal between 2024 and 2026. Smaller binary, shuffled strings, actively maintained. Not a recycled payload. See our full research: https://t.co/Ed9gIanQiY

    @trendai_RSRCH

    10 Jul 2026

    453 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. CISA Urges Immediate Patching of Exploited ColdFusion, Langflow, Joomla Flaws - https://t.co/rnuxt9VXQm (CVE-2026-48282, CVE-2026-55255, CVE-2026-33017)

    @SecurityWeek

    8 Jul 2026

    1970 Impressions

    2 Retweets

    11 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  3. The miner behind CVE-2026-33017 Langflow exploitation dropped from 31 out of 66 to 4 out of 66 on VirusTotal between 2024 and 2026. Smaller binary, shuffled strings, actively maintained. Not a recycled payload. See our full research: https://t.co/Ed9gIanQiY

    @trendai_RSRCH

    5 Jul 2026

    493 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  4. The miner behind CVE-2026-33017 Langflow exploitation dropped from 31 out of 66 to 4 out of 66 on VirusTotal between 2024 and 2026. Smaller binary, shuffled strings, actively maintained. Not a recycled payload. See our full research: https://t.co/Ed9gIanQiY

    @trendai_RSRCH

    1 Jul 2026

    414 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. Langflowの認証不要RCE脆弱性CVE-2026-33017を悪用してクリプトマイナーを展開するキャンペーンが観測されています。Langflowは2025年6月のCVE-2025-3248(Flodrixボットネットが悪用)に続き、1年で2度目の同種のRCEが突か

    @MalwareBibleJP

    30 Jun 2026

    1220 Impressions

    0 Retweets

    7 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  6. First wild exploitation of Langflow CVE-2026-55255 (CVSS 9.9 IDOR) observed June 25, 2026, alongside the already-KEV-listed CVE-2026-33017 (CVSS 9.3 RCE), exposing why higher scores do not equal higher exploitation rates. Key findings: - A single operator at 45.207.216[.]55 ran

    @DFIR_Radar

    27 Jun 2026

    231 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    2 Replies

    0 Quotes

  7. #threatreport #HighCompleteness From Langflow to Monero: Inside CVE-2026-33017 Cryptominer | 23-06-2026 Source: https://t.co/TUYjUrLF0H Key details below ↓ 🧑‍💻Actors/Campaigns: Teamtnt Autom 💀Threats: Ssh_worm, Xmrig_miner, Flodrix_botnet, Kinsing_miner, https://t.

    @rst_cloud

    25 Jun 2026

    115 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. 🚨 CRITICAL: IBM Langflow — CVSS 10.0 Unauthenticated RCE CVE-2026-10561 (CVSS 10.0) + CVE-2026-33017 (CVSS 9.3/10.0) Attacker sends one HTTP request → Python exec() → full system takeover. 🔗 https://t.co/88M3Pze1AT #CyberSecurity #ThreatIntel #infosec #AIsecurity

    @ThreatAft

    23 Jun 2026

    85 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. openai dropped CVE-2026-33017. unauth RCE, CVSS high, exploit available. if you have openai in your stack, block external access to the affected endpoint until patched. #OpenAI #RCE #GitHub #CVE-2026-33017 https://t.co/BIbf7f8WjV

    @trerbbb

    18 May 2026

    93 Impressions

    2 Retweets

    2 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. Langflow CVE-2026-33017 Exploited to Steal AWS Keys, Deploy NATS Worker https://t.co/6k29gf4M4k

    @PVynckier

    17 May 2026

    128 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  11. breaking: microsoft's copilot faces 2025's echoleak (cve-32711), a critical zero-click vuln. servicenow virtual agent is hit by bodysnatcher (cve-2025-12420). langflow's cve-2026-33017 is critical. your ai agents are high-value targets. audit and patch your systems now. https://t

    @The_Agent_Econ

    29 Mar 2026

    130 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. Langflow just got its second CISA KEV in two years. CVE-2026-33017. Same exec() architecture as CVE-2025-3248. Attackers went from advisory to credential harvesting in 24 hours - no PoC required. This is not a patch problem. It is an architecture problem that was never fixed.

    @jlabernathy

    28 Mar 2026

    121 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. I found CVE-2026-33017, a Critical 9.3 unauthenticated RCE in Langflow, by looking at the code path the previous CISA KEV fix (CVE-2025-3248) missed. - https://t.co/gFBy4aiRQe #aisecurity #langflowvulnerability

    @hackernoon

    26 Mar 2026

    338 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations