cbcvebase.
CVE-2026-33017
published 2026-03-20


Priority: P1 · 100 · critical
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV, ITW, EXPLOIT, Initial access
CISA Known Exploited Vulnerability, due 2026-04-08
Exploited in the wild
EPSS: 98.41% (99.9th percentile)
Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.

Affected

2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| langflow | langflow | < 1.8.2 | 1.8.2 |
| langflow | langflow | 0 – 1.8.2 | |

Detection & IOCs (extracted from sources)

url: POST /api/v1/build_public_tmp/{flow_id}/flow
ip: 173.212.205.251
port: 8443
path: .env
  • Monitor for unauthenticated HTTP POST requests to the /api/v1/build_public_tmp/{flow_id}/flow endpoint, especially those supplying a 'data' parameter containing Python code in node definitions.
  • Detect post-exploitation credential harvesting: monitor for processes reading environment variables, enumerating configuration files and databases, and accessing .env files on Langflow hosts.
  • Alert on outbound connections from Langflow server processes to unusual callback services, particularly on non-standard ports such as 8443, as this indicates payload staging/delivery.
  • Exploitation timeline: automated scanning begins ~20 hours post-advisory, Python-script-based exploitation at ~21 hours, and data exfiltration (.env/.db) at ~24 hours — tune detection for rapid post-disclosure scanning of the vulnerable endpoint.
  • Attackers used custom Python scripts to extract /etc/passwd and deliver a next-stage payload; monitor for Langflow child processes spawning Python interpreters or shell commands.
  • The vulnerable endpoint /api/v1/build_public_tmp/{flow_id}/flow is intentionally unauthenticated to support public flows; simply adding authentication would break the public flows feature. The fix in 1.9.0 removes the 'data' parameter from the public endpoint so it only executes server-side stored flow data.
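
The first monitoring item above, written as a log check. This is an added example, not code from this page or from Langflow. It assumes a hypothetical JSON-lines request log (for instance from a reverse proxy that records bodies) with the fields src, method, path and body, and it treats any non-empty 'code' key inside the supplied 'data' as a heuristic for embedded code.

```python
import json
import re
from urllib.parse import urlsplit

# Endpoint from the advisory; {flow_id} is matched as a single path segment.
ENDPOINT = re.compile(r"^/api/v1/build_public_tmp/[^/]+/flow/?$")

def has_code_field(obj):
    """Heuristic (assumption): a non-empty 'code' key anywhere in the flow data."""
    if isinstance(obj, dict):
        return any((k == "code" and v) or has_code_field(v) for k, v in obj.items())
    if isinstance(obj, list):
        return any(has_code_field(v) for v in obj)
    return False

def flag_requests(log_lines):
    """Flag POSTs to the public build endpoint whose JSON body supplies 'data'."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # not a JSON record
        if not isinstance(rec, dict) or str(rec.get("method", "")).upper() != "POST":
            continue
        if not ENDPOINT.match(urlsplit(str(rec.get("path", ""))).path):
            continue  # query strings are ignored when matching the path
        try:
            body = json.loads(rec.get("body") or "{}")
        except (ValueError, TypeError):
            findings.append((n, rec.get("src"), "review: unparseable body"))
            continue
        if isinstance(body, dict) and body.get("data") is not None:
            coded = has_code_field(body["data"])
            level = "high: data with code field" if coded else "medium: data supplied"
            findings.append((n, rec.get("src"), level))
    return findings

# Constructed sample records, not real traffic; the body is simplified, not Langflow's schema.
EP = "/api/v1/build_public_tmp/FLOW-ID/flow"
SAMPLE = [
    r'{"src":"198.51.100.7","method":"POST","path":"%s","body":"{}"}' % EP,
    r'{"src":"198.51.100.9","method":"POST","path":"%s?x=1","body":"{\"data\":{\"nodes\":[{\"code\":\"PLACEHOLDER\"}]}}"}' % EP,
    r'{"src":"198.51.100.9","method":"GET","path":"%s","body":""}' % EP,
    r'{"src":"203.0.113.4","method":"POST","path":"%s","body":"{\"data\":{\"nodes\":[]}}"}' % EP,
]

if __name__ == "__main__":
    print(flag_requests(SAMPLE))
```

On a version with the fix described above, the 'data' parameter is no longer used by the public endpoint, so a hit there records an attempt rather than a successful build.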

CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| ghsa | | 9.8 | CRITICAL | |
| osv | | 9.8 | CRITICAL | |
| vulncheck | | 9.3 | CRITICAL | |
| cisa | | 9.3 | CRITICAL | |