CVE-2026-33017
Langflow Code Injection Vulnerability - [Actively Exploited]
Description
Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.
INFO
Published Date :
March 20, 2026, 5:16 a.m.
Last Modified :
March 26, 2026, 1:26 p.m.
Remotely Exploitable :
Yes
Source :
[email protected]
CISA KEV (Known Exploited Vulnerabilities)
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.
Langflow contains a code injection vulnerability that could allow building public flows without requiring authentication.
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Unknown
https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx ; https://nvd.nist.gov/vuln/detail/CVE-2026-33017
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| | CVSS 3.1 | CRITICAL | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | | | [email protected] |
| | CVSS 4.0 | CRITICAL | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X | | | [email protected] |
Solution
- Update Langflow to version 1.9.0 or later.
- Verify that the flow-building endpoint enforces authentication.
- Remove or disable any unauthorized code execution features.
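Two defender-side checks that follow from the description above, written as an added example (this is not Langflow's code and does not come from the advisory): a version test that treats anything older than the fixed release 1.9.0, including 1.9.0 pre-release builds such as the dev* entries in the NVD CPE configuration, as vulnerable, and a scan of access-log lines for POST requests to the `/api/v1/build_public_tmp/{flow_id}/flow` endpoint, ranked by request body size because the vulnerable code path is only reached when the optional `data` parameter is supplied. The JSON-per-line log format, the field names, the 512-byte threshold and the sample log lines are all assumptions constructed for this example.

```python
"""Defender-side checks for CVE-2026-33017 (added example, not Langflow's code).

  1. is_vulnerable_version(): is a deployed Langflow older than the fixed
     release 1.9.0 named in the advisory description? 1.9.0 pre-release
     builds (the 1.9.0 dev* entries in the NVD CPE configuration) predate
     the fix and are treated as vulnerable.
  2. find_build_public_tmp_requests(): scan access-log lines for POST
     requests to /api/v1/build_public_tmp/{flow_id}/flow and rank them by
     request body size, since the vulnerable path is reached only when the
     optional ``data`` parameter is supplied and a flow definition carrying
     node code is bulky.

The log format (one JSON object per line with client/method/path/status/
request_length fields) and the 512-byte threshold are assumptions made for
this example; adapt both to your reverse proxy.
"""
import json
import re
from dataclasses import dataclass

FIXED_VERSION = (1, 9, 0)  # fixed in 1.9.0 per the advisory description

# /api/v1/build_public_tmp/<flow_id>/flow with optional trailing slash or query string
BUILD_PUBLIC_TMP_RE = re.compile(
    r"^/api/v1/build_public_tmp/(?P<flow_id>[^/?]+)/flow/?(?:\?.*)?$"
)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(.*)$")


def _split_version(version: str) -> tuple[tuple[int, int, int], str]:
    """Return ((major, minor, patch), suffix) for '1.8.2', '1.9.0.dev3',
    '1.9.0rc1' and similar; anything after the patch number is the suffix."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch)), suffix


def is_vulnerable_version(version: str) -> bool:
    """True if this Langflow version predates the 1.9.0 fix."""
    base, suffix = _split_version(version)
    if base < FIXED_VERSION:
        return True
    if base == FIXED_VERSION:
        # A non-empty suffix other than a post-release ('.dev3', 'rc1', ...)
        # marks a pre-release that came before the final 1.9.0.
        return bool(suffix) and not suffix.startswith(".post")
    return False


@dataclass
class Finding:
    line_no: int
    client: str
    flow_id: str
    status: int
    request_length: int
    priority: str  # "high" when the body is large enough to carry a flow, else "review"


def find_build_public_tmp_requests(lines, body_threshold: int = 512) -> list[Finding]:
    """Flag POSTs to the public-build endpoint found in JSON access-log lines."""
    findings: list[Finding] = []
    for line_no, raw in enumerate(lines, start=1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # not one of our JSON records; skip it
        if str(rec.get("method", "")).upper() != "POST":
            continue
        m = BUILD_PUBLIC_TMP_RE.match(str(rec.get("path", "")))
        if not m:
            continue
        length = int(rec.get("request_length") or 0)
        findings.append(Finding(
            line_no=line_no,
            client=str(rec.get("client", "?")),
            flow_id=m["flow_id"],
            status=int(rec.get("status") or 0),
            request_length=length,
            priority="high" if length >= body_threshold else "review",
        ))
    return findings


# Constructed sample log lines; the client addresses and flow ids are made up.
SAMPLE_LOG = [
    '{"client":"10.0.0.5","method":"GET","path":"/api/v1/flows/","status":200,"request_length":0}',
    '{"client":"203.0.113.7","method":"POST","path":"/api/v1/build_public_tmp/0f1e2d3c-0000-4000-8000-000000000001/flow","status":200,"request_length":4821}',
    '{"client":"10.0.0.9","method":"POST","path":"/api/v1/build_public_tmp/0f1e2d3c-0000-4000-8000-000000000002/flow","status":200,"request_length":0}',
    '{"client":"203.0.113.7","method":"POST","path":"/api/v1/build_public_tmp/0f1e2d3c-0000-4000-8000-000000000001/flow/","status":500,"request_length":5122}',
    "not a json record",
]

if __name__ == "__main__":
    for v in ("1.8.2", "1.9.0.dev11", "1.9.0", "1.10.0"):
        print(f"{v:12s} vulnerable={is_vulnerable_version(v)}")
    for f in find_build_public_tmp_requests(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.priority:6s} client={f.client} flow_id={f.flow_id} "
              f"status={f.status} bytes={f.request_length}")
```

A hit on the endpoint is not by itself evidence of exploitation, because the endpoint is meant to be reachable without authentication for public flows; the body-size ranking only orders what an analyst should look at first, and any "high" finding on an unpatched host should be checked against the patch status and host activity around that timestamp.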
Public PoC/Exploit Available at Github
CVE-2026-33017 has 20 public PoC/exploits available on GitHub. Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2026-33017.
| URL | Resource |
|---|---|
| https://github.com/advisories/GHSA-rvqx-wpfh-mfx7 | Third Party Advisory |
| https://github.com/langflow-ai/langflow/commit/73b6612e3ef25fdae0a752d75b0fabd47328d4f0 | Patch |
| https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx | Exploit Mitigation Vendor Advisory |
| https://github.com/langflow-ai/langflow/releases/tag/1.8.2 | Release Notes |
| https://medium.com/@aviral23/cve-2026-33017-how-i-found-an-unauthenticated-rce-in-langflow-by-reading-the-code-they-already-dc96cdce5896 | Exploit Third Party Advisory |
| https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-33017 | US Government Resource |
| https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-33017 | US Government Resource |
| https://www.sysdig.com/blog/cve-2026-33017-how-attackers-compromised-langflow-ai-pipelines-in-20-hours | Press/Media Coverage |
CWE - Common Weakness Enumeration
While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2026-33017 is associated with the following CWEs:
- CWE-94: Improper Control of Generation of Code ('Code Injection')
- CWE-306: Missing Authentication for Critical Function
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Common Attack Pattern Enumeration and Classification (CAPEC)
CAPEC stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2026-33017 weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. The following list is a collection of public exploits and proof-of-concepts that have been published on GitHub (sorted by most recently updated).
Proof-of-concept exploit for CVE-2025-55182 (React2Shell)
Python
CVE-2026-33017 | Langflow Unauthenticated RCE (CVSS 9.8) | Blind exec, OOB exfil (GET/POST), reverse shell, auto-promote, bulk scanner
Python
Proof-of-concept exploit for CVE-2026-33017 (Langflow <= 1.8.1).
Python
A curated timeline of real AI agent security incidents, breaches, and vulnerabilities (2024-2026). Every entry sourced and dated.
ai-agent-security ai-agents ai-security awesome-list cybersecurity llm-security mcp-security prompt-injection supply-chain-security
Security audit documenting 221 silent int64-to-int32 truncation sites in vLLM's CUDA/C++ extensions that enable GPU buffer overflow via crafted GGUF model files.
None
Python Shell
CVE-2026-33017: Unauthenticated RCE in Langflow
Python
Agentic AI in action
HTML Svelte TypeScript JavaScript
None
Python Dockerfile
Resonant RCE for CVE-2026-33017 via CTT Phase-Lock. Exploits Langflow build_public_tmp flow_id endpoint. Bypasses auth using 34th-layer negative refraction to inject Python exec() payloads. Calibrated for 16.6fs jitter resonance and g-coupling g \approx 0.733. O(log N) collapse of AI supply chain security.
Python
The vulnerability in Langflow 1.8.1 and earlier allows a remote, unauthenticated attacker to achieve arbitrary command execution on the host.
langflow proof-of-concept
Python
CVE-2026-33017 - An unauthenticated remote code execution in Langflow <= 1.8.1 via Public Flow Build Endpoint
Python
Intentionally RCE vulnerable Langflow test environment
Dockerfile HTML JavaScript Python Shell
Cathedral-Grade Security for AI Agents. 23/23 attack vectors caught. Local-first, zero API cost. MIT licensed.
Python
CVE PoC repo auto-collector
Python
Results are limited to the first 15 repositories due to potential performance issues.
The following list contains news articles that mention the CVE-2026-33017 vulnerability anywhere in the article.
- Daily CyberSecurity: High-Severity Patches: NVIDIA Secures DALI and Triton Inference Server
  NVIDIA has released two significant security updates addressing high-severity vulnerabilities across its DALI and Triton Inference Server software. The patches fix critical flaws that could lead to ar ...
- europa.eu: Cyber Brief 26-04 - March 2026
  Cyber Brief (March 2026). April 1, 2026 – Version: 1. TLP:CLEAR. Executive summary: We analysed 343 open source reports for this Cyber Brief. Relating to cyber policy and law enforcement, the Council of the E ...
- Help Net Security: Critical Fortinet FortiClient EMS bug under active attack (CVE-2026-21643)
  A critical SQL injection vulnerability (CVE-2026-21643) in Fortinet FortiClient Endpoint Management Server (EMS), a management server for FortiClient endpoint agents on various platforms, is under act ...
- Daily CyberSecurity: The CVE Watchtower: Weekly Threat Intelligence Briefing (March 23 – March 29, 2026)
  Whether you are steering the organizational ship as a CISO or maintaining the operational engines as a system administrator, cutting through the noise of weekly vulnerabilities is essential to keeping ...
- Help Net Security: Week in review: NIST updates DNS security guidance, compromised LiteLLM PyPI packages
  Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: NIST updates its DNS security guidance for the first time in over a decade. DNS infrastructure underpin ...
- Help Net Security: Attackers are exploiting RCE vulnerability in BIG-IP APM systems (CVE-2025-53521)
  A critical unauthenticated remote code execution vulnerability (CVE-2025-53521) in F5’s BIG-IP Access Policy Manager (APM) solution is under active exploitation, the US Cybersecurity and Infrastructur ...
- TheCyberThrone: CISA adds Langflow and Trivy bugs to KEV Catalog
  Langflow Code Injection Flaw Actively Exploited — CVE-2026-33017. CISA has added a critical code injection vulnerability in Langflow to its Known Exploited Vulnerabilities catalog, confirming active exp ...
- CybersecurityNews: CISA Warns of Langflow Code Injection Vulnerability Exploited in Attacks
  The Cybersecurity and Infrastructure Security Agency (CISA) has officially added a critical security flaw affecting the Langflow platform to its Known Exploited Vulnerabilities (KEV) catalog on March ...
- The Hacker News: ⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers & More
  Another week, another reminder that the internet is still a mess. Systems people thought were secure are being broken in simple ways, showing many still ignore basic advisories. This edition covers a ...
- Daily CyberSecurity: Below the EDR: How Unsecured IP-KVM Switches Grant Total System Takeover
  Image credit: https://jetkvm.com/products/jetkvm. Security researchers Reynaldo Vasquez Garcia and Paul Asadoorian from Eclypsium have issued a warning regarding a category of hardware often overlooked ...
- The Hacker News: Critical Langflow Flaw CVE-2026-33017 Triggers Attacks within 20 Hours of Disclosure
  A critical security flaw impacting Langflow has come under active exploitation within 20 hours of public disclosure, highlighting the speed at which threat actors weaponize newly published vulnerabili ...
The following table lists the changes that have been made to the CVE-2026-33017 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
- Modified Analysis by [email protected] (Mar. 26, 2026)
  - Added Reference Type: CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-33017 (Types: US Government Resource)
- CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Mar. 25, 2026)
  - Added Reference: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-33017
- Modified Analysis by [email protected] (Mar. 25, 2026)
  - Changed CPE Configuration. Old value: OR *cpe:2.3:a:langflow:langflow:1.9.0:dev0:*:*:*:*:*:*, *cpe:2.3:a:langflow:langflow:1.9.0:dev1:*:*:*:*:*:*, *cpe:2.3:a:langflow:langflow:1.9.0:dev10:*:*:*:*:*:*, *cpe:2.3:a:langflow:langflow:1.9.0:dev11:*:*:*:*:*:*, *cpe:2.3:a:langflow:langflow:1.9.0:dev2:*:*:*:*:*:*, *cpe:2.3:a:langflow:langflow:1.9.0:dev3:*:*:*:*:*:*, *cpe:2.3:a:langflow:langflow:1.9.0:dev4:*:*:*:*:*:*, *cpe:2.3:a:langflow:langflow:1.9.0:dev5:*:*:*:*:*:*, *cpe:2.3:a:langflow:langflow:1.9.0:dev6:*:*:*:*:*:*, *cpe:2.3:a:langflow:langflow:1.9.0:dev7:*:*:*:*:*:*, *cpe:2.3:a:langflow:langflow:1.9.0:dev8:*:*:*:*:*:*, *cpe:2.3:a:langflow:langflow:1.9.0:dev9:*:*:*:*:*:*, *cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:* versions up to (including) 1.8.2. New value: OR *cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:* versions up to (excluding) 1.8.2
  - Changed Reference Type: GitHub, Inc.: https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx. Old types: Exploit, Vendor Advisory. New types: Exploit, Mitigation, Vendor Advisory
  - Added Reference Type: CISA-ADP: https://github.com/langflow-ai/langflow/releases/tag/1.8.2 (Types: Release Notes)
  - Added Reference Type: CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-33017 (Types: US Government Resource)
- CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Mar. 25, 2026)
  - Added Reference: https://github.com/langflow-ai/langflow/releases/tag/1.8.2
- CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725 (Mar. 25, 2026)
  - Added Date Added: 2026-03-25
  - Added Due Date: 2026-04-08
  - Added Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
  - Added Vulnerability Name: Langflow Code Injection Vulnerability
- CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Mar. 25, 2026)
  - Added Reference: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-33017
- Initial Analysis by [email protected] (Mar. 24, 2026)
  - Added CVSS V3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  - Added CPE Configuration: OR *cpe:2.3:a:langflow:langflow:1.9.0:dev0:*:*:*:*:*:*, *cpe:2.3:a:langflow:langflow:1.9.0:dev1:*:*:*:*:*:*, *cpe:2.3:a:langflow:langflow:1.9.0:dev10:*:*:*:*:*:*, *cpe:2.3:a:langflow:langflow:1.9.0:dev11:*:*:*:*:*:*, *cpe:2.3:a:langflow:langflow:1.9.0:dev2:*:*:*:*:*:*, *cpe:2.3:a:langflow:langflow:1.9.0:dev3:*:*:*:*:*:*, *cpe:2.3:a:langflow:langflow:1.9.0:dev4:*:*:*:*:*:*, *cpe:2.3:a:langflow:langflow:1.9.0:dev5:*:*:*:*:*:*, *cpe:2.3:a:langflow:langflow:1.9.0:dev6:*:*:*:*:*:*, *cpe:2.3:a:langflow:langflow:1.9.0:dev7:*:*:*:*:*:*, *cpe:2.3:a:langflow:langflow:1.9.0:dev8:*:*:*:*:*:*, *cpe:2.3:a:langflow:langflow:1.9.0:dev9:*:*:*:*:*:*, *cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:* versions up to (including) 1.8.2
  - Added Reference Type: GitHub, Inc.: https://github.com/advisories/GHSA-rvqx-wpfh-mfx7 (Types: Third Party Advisory)
  - Added Reference Type: GitHub, Inc.: https://github.com/langflow-ai/langflow/commit/73b6612e3ef25fdae0a752d75b0fabd47328d4f0 (Types: Patch)
  - Added Reference Type: GitHub, Inc.: https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx (Types: Exploit, Vendor Advisory)
  - Added Reference Type: CISA-ADP: https://medium.com/@aviral23/cve-2026-33017-how-i-found-an-unauthenticated-rce-in-langflow-by-reading-the-code-they-already-dc96cdce5896 (Types: Exploit, Third Party Advisory)
  - Added Reference Type: CISA-ADP: https://www.sysdig.com/blog/cve-2026-33017-how-attackers-compromised-langflow-ai-pipelines-in-20-hours (Types: Press/Media Coverage)
- CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Mar. 23, 2026)
  - Added Reference: https://medium.com/@aviral23/cve-2026-33017-how-i-found-an-unauthenticated-rce-in-langflow-by-reading-the-code-they-already-dc96cdce5896
- CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Mar. 20, 2026)
  - Added Reference: https://www.sysdig.com/blog/cve-2026-33017-how-attackers-compromised-langflow-ai-pipelines-in-20-hours
- New CVE Received by [email protected] (Mar. 20, 2026)
  - Added Description: Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.
  - Added CVSS V4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  - Added CWE: CWE-94
  - Added CWE: CWE-306
  - Added CWE: CWE-95
  - Added Reference: https://github.com/advisories/GHSA-rvqx-wpfh-mfx7
  - Added Reference: https://github.com/langflow-ai/langflow/commit/73b6612e3ef25fdae0a752d75b0fabd47328d4f0
  - Added Reference: https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx