CVE-2026-33017
published 2026-03-20CVE-2026-33017: Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow…
PriorityP1100critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
KEVITWEXPLOITInitial access
CISA Known Exploited Vulnerabilitydue 2026-04-08
Exploited in the wild
EPSS
98.41%
99.9th percentile
Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| langflow | langflow | < 1.8.2 | 1.8.2 |
| langflow | langflow | 0 – 1.8.2 | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor for unauthenticated HTTP POST requests to the /api/v1/build_public_tmp/{flow_id}/flow endpoint, especially those supplying a 'data' parameter containing Python code in node definitions. ↗
- →Detect post-exploitation credential harvesting: monitor for processes reading environment variables, enumerating configuration files and databases, and accessing .env files on Langflow hosts. ↗
- →Alert on outbound connections from Langflow server processes to unusual callback services, particularly on non-standard ports such as 8443, as this indicates payload staging/delivery. ↗
- →Exploitation timeline: automated scanning begins ~20 hours post-advisory, Python-script-based exploitation at ~21 hours, and data exfiltration (.env/.db) at ~24 hours — tune detection for rapid post-disclosure scanning of the vulnerable endpoint. ↗
- →Attackers used custom Python scripts to extract /etc/passwd and deliver a next-stage payload; monitor for Langflow child processes spawning Python interpreters or shell commands. ↗
- ·The vulnerable endpoint /api/v1/build_public_tmp/{flow_id}/flow is intentionally unauthenticated to support public flows; simply adding authentication would break the public flows feature. The fix in 1.9.0 removes the 'data' parameter from the public endpoint so it only executes server-side stored flow data. ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv4.09.3CRITICALCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
ghsa9.8CRITICAL
osv9.8CRITICAL
vulncheck9.3CRITICAL
cisa9.3CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint
osv·2026-03-17·CVSS 9.8
CVE-2026-33017 [CRITICAL] Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint
Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint
## Summary
The `POST /api/v1/build_public_tmp/{flow_id}/flow` endpoint allows building public flows without requiring authentication. When the optional `data` parameter is supplied, the endpoint uses **attacker-controlled flow data** (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to `exec()` with zero sandboxing, resulting in unauthenticated remote code execution.
This is distinct from CVE-2025-3248, which fixed `/api/v1/validate/code` by adding authentication. The `build_public_tmp` endpoint is **designed** to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executabl
GHSA
Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint
ghsa·2026-03-17·CVSS 9.8
CVE-2026-33017 [CRITICAL] CWE-306 Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint
Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint
## Summary
The `POST /api/v1/build_public_tmp/{flow_id}/flow` endpoint allows building public flows without requiring authentication. When the optional `data` parameter is supplied, the endpoint uses **attacker-controlled flow data** (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to `exec()` with zero sandboxing, resulting in unauthenticated remote code execution.
This is distinct from CVE-2025-3248, which fixed `/api/v1/validate/code` by adding authentication. The `build_public_tmp` endpoint is **designed** to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executabl
VulnCheck
Langflow Code Injection Vulnerability
vulncheck·2026·CVSS 9.3
CVE-2026-33017 [CRITICAL] CWE-94 Langflow Code Injection Vulnerability
Langflow Code Injection Vulnerability
Langflow contains a code injection vulnerability that could allow building public flows without requiring authentication.
Affected: Langflow Langflow
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.sysdig.com/blog/cve-2026-33017-how-attackers-compromised-langflow-ai-pipelines-in-20-hours; https://www.acn.gov.it/portale/w/langflow-rilevata-0-day-per-la-cve-2026-33017; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://webflow.sysdig.com/blog/marimo-oss-python-notebook-rce-from-disclosure-to-exploitation-in-under-10-hours
Exploit PoC: http
CISA
Langflow Code Injection Vulnerability
cisa·2026-03-25·CVSS 9.3
CVE-2026-33017 [CRITICAL] CWE-94 Langflow Code Injection Vulnerability
Vulnerability: Langflow Code Injection Vulnerability
Affected: Langflow Langflow
Langflow contains a code injection vulnerability that could allow building public flows without requiring authentication.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx ; https://nvd.nist.gov/vuln/detail/CVE-2026-33017
Remediation Due Date: 2026-04-08
No detection rules found.
Nuclei
Langflow < 1.9.0 - Remote Code Execution
nuclei·CVSS 9.3
CVE-2026-33017 [CRITICAL] Langflow < 1.9.0 - Remote Code Execution
Langflow < 1.9.0 - Remote Code Execution
Langflow versions prior to 1.9.0 are vulnerable to unauthenticated remote code execution (RCE) via the build_public_tmp endpoint. Attackers can submit a manipulated flow JSON containing Python code that is executed during the build process without proper sandboxing.
Template:
id: CVE-2026-33017
info:
name: Langflow < 1.9.0 - Remote Code Execution
author: himind
severity: critical
description: |
Langflow versions prior to 1.9.0 are vulnerable to unauthenticated remote code execution (RCE) via the build_public_tmp endpoint. Attackers can submit a manipulated flow JSON containing Python code that is executed during the build process without proper sandboxing.
impact: |
Remote attackers can execute arbitrary Python code without authentication, leadi
Hackernews
Langflow RCE Exploited to Deploy Monero Miner on Exposed AI App Endpoints
blogs_hackernews·2026-06-30·CVSS 9.8
CVE-2026-33017 [CRITICAL] Langflow RCE Exploited to Deploy Monero Miner on Exposed AI App Endpoints
Home
Threat Intelligence
Vulnerabilities
Cyber Attacks
Webinars
Expert Insights
Awards
Webinars
Awards
Free eBooks
About THN
Jobs
Advertise with us
## Langflow RCE Exploited to Deploy Monero Miner on Exposed AI App Endpoints
Threat actors are continuing to exploit a critical Langflow vulnerability as part of fresh attacks designed to deliver a Monero cryptocurrency miner.
The activity has been found to weaponize CVE-2026-33017 (CVSS score: 9.3), an unauthenticated remote code execution (RCE) vulnerability in Langflow, indicating threat actors are scanning and targeting exposed artificial intelligence (AI) application endpoints for obtaining initial access to enterprise networks. The attack was observed over a 19-day window between March 27 and April 15, 2026.
"In this cam
Checkpoint
29th June – Threat Intelligence Report
blogs_checkpoint·2026-06-29
CVE-2026-20245 29th June – Threat Intelligence Report
Latest Publications
CPR Podcast Channel
AI Research
Web 3.0 Security
Intelligence Reports
ThreatCloud AI
Threat Intelligence & Research
Zero Day Protection
Sandblast File Analysis
About Us
SUBSCRIBE
2026
2025
2024
2023
2022
2021
2020
2019
2018
2017
2016
## 29th June – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 29th June, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Polymarket, a large cryptocurrency-based prediction market, has confirmed a supply chain attack after a third-party frontend vendor breach led to malicious JavaScript being injected into its website. Attackers tricked users into approving fraudulent transactions, stealing about $3 million from fewer than 15 accounts, while the b
Hackernews
Unpatched Langflow Flaw CVE-2026-5027 Exploited for Unauthenticated RCE
blogs_hackernews·2026-06-10·CVSS 8.8
CVE-2026-5027 [HIGH] Unpatched Langflow Flaw CVE-2026-5027 Exploited for Unauthenticated RCE
Home
Threat Intelligence
Vulnerabilities
Cyber Attacks
Webinars
Expert Insights
Awards
Webinars
Awards
Free eBooks
About THN
Jobs
Advertise with us
## Unpatched Langflow Flaw CVE-2026-5027 Exploited for Unauthenticated RCE
A high-severity unpatched security flaw in Langflow, an open-source low-code platform to build artificial intelligence (AI) applications, has come under active exploitation in the wild, according to findings from VulnCheck.
The vulnerability in question is CVE-2026-5027 (CVSS score: 8.8), a case of path traversal that could allow an attacker to write files to arbitrary locations.
"The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the fi
Bleepingcomputer
Path traversal flaw in AI dev platform Langflow exploited in attacks
blogs_bleepingcomputer·2026-06-10·CVSS 9.8
CVE-2026-5027 [CRITICAL] Path traversal flaw in AI dev platform Langflow exploited in attacks
## Path traversal flaw in AI dev platform Langflow exploited in attacks
## Bill Toulas
CVE-2026-5027 is a high-severity path traversal flaw in Langflow's file upload functionality that fails to properly sanitize user-supplied filenames.
"The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences ('../')," explains Tenable , which discovered the flaw at the start of the year.
Tenable publicly disclosed the issue on March 27, 2026, more than two months after initially reporting it to the Langflow team without receiving a response.
Although Tenable did not mention a fix in its advisory, Snyk Security reported on March 30, 2026, that t
Hackernews
ThreatsDay Bulletin: PAN-OS RCE, Mythos cURL Bug, AI Tokenizer Attacks, and 10+ Stories
blogs_hackernews·2026-05-14·CVSS 9.3
CVE-2026-0300 [CRITICAL] ThreatsDay Bulletin: PAN-OS RCE, Mythos cURL Bug, AI Tokenizer Attacks, and 10+ Stories
Home
Threat Intelligence
Vulnerabilities
Cyber Attacks
Webinars
Expert Insights
Awards
Webinars
Awards
Free eBooks
About THN
Jobs
Advertise with us
## ThreatsDay Bulletin: PAN-OS RCE, Mythos cURL Bug, AI Tokenizer Attacks, and 10+ Stories
Everything is still on fire.
This week feels dumb in the worst way — bad links, weak checks, fake help desks, shady forum posts, and people turning supply chain attacks into some cursed little game for clout and cash. Half of it feels new. Half of it feels like crap we should have fixed years ago.
The mess keeps getting louder: users get tricked, boxes get popped, tools meant for normal work get used for bad stuff, and nobody seems shocked anymore. Great. Love that for us.
Anyway. Let’s get into it.
Palo Alto Networks has released the
Hackernews
LangChain, LangGraph Flaws Expose Files, Secrets, Databases in Widely Used AI Frameworks
blogs_hackernews·2026-03-27·CVSS 7.3
[HIGH] LangChain, LangGraph Flaws Expose Files, Secrets, Databases in Widely Used AI Frameworks
Home
Threat Intelligence
Vulnerabilities
Cyber Attacks
Webinars
Expert Insights
Awards
Webinars
Awards
Free eBooks
About THN
Jobs
Advertise with us
## LangChain, LangGraph Flaws Expose Files, Secrets, Databases in Widely Used AI Frameworks
Cybersecurity researchers have disclosed three security vulnerabilities impacting LangChain and LangGraph that, if successfully exploited, could expose filesystem data, environment secrets, and conversation history.
Both LangChain and LangGraph are open-source frameworks that are used to build applications powered by Large Language Models (LLMs). LangGraph is built on the foundations of LangChain for more sophisticated and non-linear agentic workflows. According to statistics on the Python Package Index (PyPI), LangChain, LangChain-Core,
Bleepingcomputer
CISA: New Langflow flaw actively exploited to hijack AI workflows
blogs_bleepingcomputer·2026-03-26·CVSS 9.8
CVE-2026-33017 [CRITICAL] CISA: New Langflow flaw actively exploited to hijack AI workflows
## CISA: New Langflow flaw actively exploited to hijack AI workflows
## Bill Toulas
Researchers at application security company Sysdig claim that hackers started exploiting CVE-2026-33017 on March 19, about 20 hours after the vulnerability advisory became public.
No public proof-of-concept (PoC) exploit code existed at the time, and Endor Labs believes that attackers built exploits directly from the information included in the advisory.
Automated scanning activity began in 20 hours, followed by exploitation using Python scripts in 21 hours, and data (.env and .db files) harvesting in 24 hours.
Langflow is a popular open-source visual framework for building AI workflows with 145,000 stars on GitHub . It provides a drag-and-drop interface for connecting nodes into executable pipelines,
Hackernews
⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers & More
blogs_hackernews·2026-03-23
⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers & More
Home
Threat Intelligence
Vulnerabilities
Cyber Attacks
Webinars
Expert Insights
Awards
Webinars
Awards
Free eBooks
About THN
Jobs
Advertise with us
## ⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers & More
Another week, another reminder that the internet is still a mess. Systems people thought were secure are being broken in simple ways, showing many still ignore basic advisories.
This edition covers a mix of issues: supply chain attacks hitting CI/CD setups, long-abused IoT devices being shut down, and exploits moving quickly from disclosure to real attacks. There are also new malware tricks showing attackers are becoming more patient and creative.
It’s a mix of old problems that never go away and new methods that are harder to detect. Th
Checkpoint
23rd March – Threat Intelligence Report
blogs_checkpoint·2026-03-23
CVE-2026-33017 23rd March – Threat Intelligence Report
Latest Publications
CPR Podcast Channel
AI Research
Web 3.0 Security
Intelligence Reports
ThreatCloud AI
Threat Intelligence & Research
Zero Day Protection
Sandblast File Analysis
About Us
SUBSCRIBE
2026
2025
2024
2023
2022
2021
2020
2019
2018
2017
2016
## 23rd March – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 23rd March, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Navia Benefit Solutions, a United States-based employee benefits administrator, has disclosed a breach affecting more than 2.6 million individuals after unauthorized access and potential data exfiltration occurred between December 22, 2025 and January 15, 2026. Exposed information may include personal, health, and benefits dat
Hackernews
Critical Langflow Flaw CVE-2026-33017 Triggers Attacks within 20 Hours of Disclosure
blogs_hackernews·2026-03-20·CVSS 9.8
CVE-2026-33017 [CRITICAL] Critical Langflow Flaw CVE-2026-33017 Triggers Attacks within 20 Hours of Disclosure
Home
Threat Intelligence
Vulnerabilities
Cyber Attacks
Webinars
Expert Insights
Awards
Webinars
Awards
Free eBooks
About THN
Jobs
Advertise with us
## Critical Langflow Flaw CVE-2026-33017 Triggers Attacks within 20 Hours of Disclosure
A critical security flaw impacting Langflow has come under active exploitation within 20 hours of public disclosure, highlighting the speed at which threat actors weaponize newly published vulnerabilities.
The security defect, tracked as CVE-2026-33017 (CVSS score: 9.3), is a case of missing authentication combined with code injection that could result in remote code execution.
"The POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication," according to Langflow's advisory for the f
Wiz
Die CVE-Datenbank: Kuratierte Vulnerability Intelligence von Wiz | Wiz
blogs_wiz·CVSS 9.8
[CRITICAL] Die CVE-Datenbank: Kuratierte Vulnerability Intelligence von Wiz | Wiz
## Datenbank für Wiz-Schwachstellen
Eine umfassende Ressource für die Überwachung hochkarätiger Schwachstellen in Cloud-Umgebungen, die auf Sicherheitsteams und Cloud-Experten zugeschnitten ist
Sehen Sie, wie Wiz ausnutzbare Schwachstellen in Cloud-Workloads erkennt. Schau dir die 12-minütige Demo an
## Nach Technologie erkunden
## Beliebte Filter
## Hohes Profil
CVE-Kennung
Strenge
Punktzahl
Technologieen
Name der Komponente
CISA KEV-Exploit
Hat fix
Veröffentlichungsdatum
CVE-2026-35616
CRITICAL
9.8
FortiClient EMS
cpe:2.3:a:fortinet:forticlient_enterprise_management_server
Ja
Ja
Apr 04, 2026
GHSA-69fq-xp46-6x23
CRITICAL
9.4
N/A
github.com/aquasecurity/trivy
Nein
Ja
Mar 24, 2026
CVE-2026-3055
CRITICAL
9.3
Citrix ADC VPX
cpe:2.3:a:citrix:netscaler_app
Wiz
Il database CVE: Intelligence sulle vulnerabilità curata da Wiz | Wiz
blogs_wiz·CVSS 9.8
[CRITICAL] Il database CVE: Intelligence sulle vulnerabilità curata da Wiz | Wiz
## Database delle vulnerabilità Wiz
Una risorsa completa per il monitoraggio delle vulnerabilità di alto profilo negli ambienti cloud, su misura per i team di sicurezza e i professionisti del cloud
Scopri come Wiz rileva vulnerabilità sfruttabili tra carichi di lavoro cloud. Guarda la demo di 12 minuti
## Esplora per tecnologia
## Filtri popolari
## Alto profilo
CVE ID
Severità
Punteggio
Tecnologie
Nome del componente
Exploit CISA KEV
Ha la correzione
Data di pubblicazione
CVE-2026-35616
CRITICAL
9.8
FortiClient EMS
cpe:2.3:a:fortinet:forticlient_enterprise_management_server
Sì
Sì
Apr 04, 2026
GHSA-69fq-xp46-6x23
CRITICAL
9.4
N/A
github.com/aquasecurity/trivy
No
Sì
Mar 24, 2026
CVE-2026-3055
CRITICAL
9.3
Citrix ADC VPX
cpe:2.3:a:citrix:netscaler_appli
Wiz
La base de datos CVE: inteligencia de vulnerabilidades seleccionada por Wiz | Wiz
blogs_wiz·CVSS 9.8
[CRITICAL] La base de datos CVE: inteligencia de vulnerabilidades seleccionada por Wiz | Wiz
## Base de datos de vulnerabilidades de Wiz
Un recurso integral para monitorear vulnerabilidades de alto perfil en entornos de nube, diseñado para equipos de seguridad y profesionales de la nube
Observa cómo Wiz detecta vulnerabilidades explotables a través de cargas de trabajo en la nube. Ver demo de 12 minutos
## Explorar por tecnología
## Filtros populares
## Alto perfil
CVE ID
Severidad
Puntuación
Tecnologías
Nombre del componente
Exploit de CISA KEV
Tiene arreglo
Fecha de publicación
CVE-2026-35616
CRITICAL
9.8
FortiClient EMS
cpe:2.3:a:fortinet:forticlient_enterprise_management_server
Sí
Sí
Apr 04, 2026
GHSA-69fq-xp46-6x23
CRITICAL
9.4
N/A
github.com/aquasecurity/trivy
No
Sí
Mar 24, 2026
CVE-2026-3055
CRITICAL
9.3
Citrix ADC VPX
cpe:2.3:a:citrix:nets
Wiz
The CVE Database: Curated Vulnerability Intelligence by Wiz | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-35616 [CRITICAL] The CVE Database: Curated Vulnerability Intelligence by Wiz | Wiz
## Wiz Vulnerability Database
A comprehensive resource for monitoring high-profile vulnerabilities in cloud environments, tailored for security teams and cloud professionals
See how Wiz detects exploitable vulnerabilities across cloud workloads. Watch 12-min demo
## Explore by technology
## Popular filters
## High Profile
CVE ID
Severity
Score
Technologies
Component name
CISA KEV exploit
Has fix
Published date
CVE-2026-35616
CRITICAL
9.8
FortiClient EMS
cpe:2.3:a:fortinet:forticlient_enterprise_management_server
Yes
Yes
Apr 04, 2026
GHSA-69fq-xp46-6x23
CRITICAL
9.4
N/A
github.com/aquasecurity/trivy
No
Yes
Mar 24, 2026
CVE-2026-3055
CRITICAL
9.3
Citrix ADC VPX
cpe:2.3:a:citrix:netscaler_application_delivery_controller
Yes
Yes
Mar 23, 2026
CVE-2026-
Wiz
La base de données CVE : des informations sur les vulnérabilités sélectionnées par Wiz | Wiz
blogs_wiz·CVSS 9.8
[CRITICAL] La base de données CVE : des informations sur les vulnérabilités sélectionnées par Wiz | Wiz
## Base de données de vulnérabilités Wiz
Une ressource complète pour la surveillance des vulnérabilités de premier plan dans les environnements cloud, conçue pour les équipes de sécurité et les professionnels du cloud
Voyez comment Wiz détecte les vulnérabilités exploitables à travers des charges de travail cloud. Regardez la démo de 12 minutes
## Explorer par technologie
## Filtres populaires
## Profil élevé
Identifiant CVE
Sévérité
Score
Technologies
Nom du composant
Exploit CISA KEV
A corrigé
Date de publication
CVE-2026-35616
CRITICAL
9.8
FortiClient EMS
cpe:2.3:a:fortinet:forticlient_enterprise_management_server
Oui
Oui
Apr 04, 2026
GHSA-69fq-xp46-6x23
CRITICAL
9.4
N/A
github.com/aquasecurity/trivy
Non
Oui
Mar 24, 2026
CVE-2026-3055
CRITICAL
9.3
C
Wiz
CVE-2026-33017 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-33017 [CRITICAL] CVE-2026-33017 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33017 :
Homebrew vulnerability analysis and mitigation
Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly acc
https://github.com/advisories/GHSA-rvqx-wpfh-mfx7https://github.com/langflow-ai/langflow/commit/73b6612e3ef25fdae0a752d75b0fabd47328d4f0https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvxhttps://github.com/langflow-ai/langflow/releases/tag/1.8.2https://medium.com/@aviral23/cve-2026-33017-how-i-found-an-unauthenticated-rce-in-langflow-by-reading-the-code-they-already-dc96cdce5896https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-33017https://www.sysdig.com/blog/cve-2026-33017-how-attackers-compromised-langflow-ai-pipelines-in-20-hours
2026-03-20
Published
2026-03-25
Added to CISA KEV
Exploited in the wild