CVE-2026-33017

Severity: Critical (CVSS 4.0 base score 9.3) · CISA KEV · EPSS 99.9%
Published: Mar 20, 2026
Last Modified: Jun 17, 2026
KEV Listed: Mar 25, 2026
KEV Due: Apr 8, 2026 (83 days overdue)

Description

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.

CVSS Details

Base Score: 9.3
Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X (not defined)

Threat Intelligence

CISA Known Exploited Vulnerability (overdue 83 days)
Added: Mar 25, 2026
Due: Apr 8, 2026

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

EPSS Exploit Probability: 99.9th percentile
Exploit & Patch Status: Actively Exploited (KEV); Patch Available

Weaknesses (3)

  • CWE-306 Missing Authentication for Critical Function (category: Authentication)
  • CWE-94 Improper Control of Generation of Code ('Code Injection') (category: Injection)
  • CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

Affected Products (1)

| Vendor   | Product  | Version | Range  |
|----------|----------|---------|--------|
| langflow | langflow | *       | <1.8.2 |

References (7)

  • github.com https://github.com/advisories/GHSA-rvqx-wpfh-mfx7
    Third Party Advisory
  • github.com https://github.com/langflow-ai/langflow/commit/73b6612e3ef25fdae0a752d75b0fabd47328d4f0
    Patch
  • github.com https://github.com/langflow-ai/langflow/releases/tag/1.8.2
    Release Notes
  • github.com https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx
    Exploit, Mitigation, Vendor Advisory
  • medium.com https://medium.com/@aviral23/cve-2026-33017-how-i-found-an-unauthenticated-rce-in-langflow-by-reading-the-code-they-already-dc96cdce5896
    Exploit, Third Party Advisory
  • cisa.gov https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-33017
    US Government Resource
  • sysdig.com https://www.sysdig.com/blog/cve-2026-33017-how-attackers-compromised-langflow-ai-pipelines-in-20-hours
    Press/Media Coverage

Remediation

  • github.com https://github.com/langflow-ai/langflow/commit/73b6612e3ef25fdae0a752d75b0fabd47328d4f0
    Patch