CVE-2026-33017 Overview
CVE-2026-33017 is a critical unauthenticated remote code execution (RCE) vulnerability in Langflow, a popular open-source tool for building and deploying AI-powered agents and workflows. The vulnerability exists in the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint, which allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint incorrectly accepts attacker-controlled flow data containing arbitrary Python code in node definitions instead of using the stored flow data from the database. This malicious code is then passed directly to Python's exec() function with zero sandboxing, resulting in complete system compromise.
Critical Impact
This vulnerability allows unauthenticated attackers to execute arbitrary code on vulnerable Langflow instances via network access. CISA has added this vulnerability to the Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild.
Affected Products
- Langflow versions prior to 1.9.0
- Self-hosted Langflow deployments with public flow functionality enabled
- Cloud-based Langflow instances accessible from the network
Discovery Timeline
- 2026-03-20 - CVE-2026-33017 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33017
Vulnerability Analysis
This vulnerability represents a critical code injection flaw (CWE-94) in Langflow's public flow building functionality. The build_public_tmp endpoint was designed to allow unauthenticated access for building public flows, which is intended behavior. However, the endpoint also accepted an optional data parameter that allowed users to supply their own flow data. When this parameter was provided, the endpoint would use the attacker-controlled flow data instead of the legitimate flow data stored in the database.
The flow data can contain arbitrary Python code within node definitions. When processed by the build function, this code is passed to Python's exec() function without any sandboxing, input validation, or code sanitization. This allows attackers to execute arbitrary system commands, install backdoors, exfiltrate data, or pivot to other systems on the network.
This vulnerability is distinct from CVE-2025-3248, which addressed a similar issue in the /api/v1/validate/code endpoint by adding authentication requirements. The build_public_tmp endpoint was intentionally designed to be unauthenticated for public flows but failed to account for the risk of accepting untrusted flow data.
Root Cause
The root cause is the acceptance of user-supplied flow data containing executable Python code in an unauthenticated endpoint. The endpoint trusted the data parameter without validating that the flow data came from a legitimate source, and the code execution path lacked any sandboxing or input sanitization mechanisms.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can craft a malicious HTTP POST request to the vulnerable endpoint with a valid flow_id and include arbitrary Python code within the data parameter's node definitions. The code executes with the privileges of the Langflow server process, typically providing full system access.
According to Sysdig's analysis, attackers began exploiting this vulnerability within 20 hours of public disclosure, demonstrating the ease of exploitation and the high value targets running Langflow.
The security patch removes the data parameter from the endpoint entirely, ensuring that only stored flow data from the database can be used:
background_tasks: LimitVertexBuildBackgroundTasks,
flow_id: uuid.UUID,
inputs: Annotated[InputValueRequest | None, Body(embed=True)] = None,
- data: Annotated[FlowDataRequest | None, Body(embed=True)] = None,
files: list[str] | None = None,
stop_component_id: str | None = None,
start_component_id: str | None = None,
Source: GitHub Commit
Detection Methods for CVE-2026-33017
Indicators of Compromise
- Unexpected POST requests to /api/v1/build_public_tmp/*/flow endpoints containing data parameters with Python code
- Unusual process spawning from the Langflow server process (e.g., shell commands, reverse shells)
- Network connections from Langflow servers to unknown external IP addresses
- New user accounts or SSH keys created on systems running Langflow
Detection Strategies
- Monitor web application logs for POST requests to build_public_tmp endpoints containing suspicious data payloads
- Implement network intrusion detection rules to identify malicious Python code patterns in HTTP request bodies
- Deploy endpoint detection and response (EDR) solutions to detect anomalous process execution from Langflow processes
- Review application-level logging for flow builds with externally supplied data parameters
Monitoring Recommendations
- Enable verbose logging on Langflow instances to capture all API requests and their parameters
- Configure SIEM alerts for any access to the vulnerable endpoint pattern /api/v1/build_public_tmp/*/flow
- Monitor for indicators of cryptominer deployment or botnet activity on Langflow hosts
- Establish baseline behavior for Langflow servers and alert on deviations
How to Mitigate CVE-2026-33017
Immediate Actions Required
- Upgrade Langflow to version 1.9.0 or later immediately
- If immediate upgrade is not possible, restrict network access to Langflow instances using firewall rules
- Review Langflow server logs for evidence of exploitation attempts
- Audit systems running Langflow for signs of compromise
Patch Information
The vulnerability has been fixed in Langflow version 1.9.0. The fix removes the data parameter from the build_public_tmp endpoint entirely, preventing attackers from supplying malicious flow data. Organizations should upgrade to the latest version immediately.
Workarounds
- Implement network-level access controls to restrict access to Langflow instances to trusted IP addresses only
- Deploy a web application firewall (WAF) to block requests containing suspicious Python code patterns in POST bodies
- Disable public flow functionality if not required for business operations
- Place Langflow instances behind an authentication proxy to require authentication for all endpoints
# Example: Block access to vulnerable endpoint using nginx
location ~ ^/api/v1/build_public_tmp/.*/flow$ {
deny all;
return 403;
}
# Example: Restrict Langflow access to internal networks using iptables
iptables -A INPUT -p tcp --dport 7860 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 7860 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
