CVE-2026-33017

Overview

Actively Exploited. This vulnerability has been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on March 25, 2026 with a remediation deadline of April 8, 2026. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2026-33017 is an unauthenticated remote code execution (RCE) vulnerability in Langflow, a popular tool for building and deploying AI-powered agents and workflows. The POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of stored flow data. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution.

Relation to CVE-2025-3248 & Why This Is Distinct

This vulnerability is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. That earlier CVE was itself added to CISA's KEV catalog due to active exploitation.

Key difference: The build_public_tmp endpoint is designed to be unauthenticated (for public flows). The issue is that it incorrectly accepts attacker-supplied flow data containing arbitrary executable code via the data parameter. A simple authentication fix is insufficient — the endpoint must be restricted to only use stored flow data from the database.

Aspect	CVE-2025-3248	CVE-2026-33017
Endpoint	`/api/v1/validate/code`	`/api/v1/build_public_tmp/{id}/flow`
Fix applied	Added authentication	Removed `data` parameter (v1.9.0)
Root cause	Missing auth on code validation	Unauth endpoint accepts attacker-controlled executable code
Execution via	`validate_code()` → `exec()`	`create_class()` → `prepare_global_scope()` → `exec()`

Vulnerability Description

Unauthenticated remote code execution in Langflow via the public flow build endpoint.

The root cause is a combination of CWE-94 (Code Injection), CWE-95 (Eval Injection), and CWE-306 (Missing Authentication for Critical Function). The vulnerable endpoint /api/v1/build_public_tmp/{flow_id}/flow is designed to be unauthenticated for building public flows. However, when the optional data parameter is supplied, the endpoint uses attacker-controlled flow data instead of stored database data. The attacker's flow data contains arbitrary Python code in node definitions, which flows through the graph builder:

start_flow_build(data=attacker_data) → generate_flow_events()
create_graph() → build_graph_from_data(payload=data)
Graph.from_payload() → node initialization → instantiate_class()
eval_custom_component_code(code) → create_class()
prepare_global_scope() → exec(compiled_code, exec_globals)

The exec() call has zero sandboxing — any Python code is executed with full server process privileges. Even simple assignment statements (e.g., _x = os.system("id")) are executed during graph building, before the flow even "runs."

Prerequisites for Exploitation

Requirement	Detail
Public flow exists	Target instance has at least one public flow (common for demos, chatbots, shared workflows)
Flow UUID known	Discoverable via shared links/URLs
Authentication	None required — only a `client_id` cookie (any arbitrary string)

AUTO_LOGIN=true (the default): When auto-login is enabled, an attacker can meet all prerequisites without any credentials:

GET /api/v1/auto_login → obtain superuser token
POST /api/v1/flows/ → create a public flow
Exploit via build_public_tmp without any auth

Affected Products & Versions

Product	Affected Versions	Fixed Version
Langflow (pip)	≤ 1.8.2	1.9.0

Fix: The fix in version 1.9.0 removes the ability for the build_public_tmp endpoint to accept attacker-supplied flow data. Public flows now only execute their stored flow data from the database. Patch commit: 73b6612.

Impact

Impact Area	Detail
Confidentiality	High — Arbitrary file read, environment variable exfiltration (API keys, DB credentials, cloud tokens)
Integrity	High — Arbitrary file write, command execution, flow/data manipulation
Availability	High — Full server process control, denial of service
Attack Vector	Network — remotely exploitable over the internet
Privileges Required	None — completely unauthenticated
User Interaction	None — no user action needed

Full Server Compromise. Successful exploitation grants full server process privileges, enabling:

Arbitrary command execution and reverse shell access
Environment variable exfiltration (API keys, database credentials, cloud tokens)
Access to all flows, messages, and stored credentials in the database
Lateral movement within the network
Persistent backdoor installation

Exploitation Details

Exploitation is trivially simple. A single unauthenticated HTTP POST request with a crafted data parameter containing a malicious node definition is sufficient.

Exploitation complexity is extremely low. No authentication, no special tools, and no user interaction required. The PoC achieves 100% reproducibility (confirmed 6/6 runs across two test sets). Active exploitation in the wild has been confirmed by CISA and Sysdig.

Attack Flow

Attacker identifies a Langflow instance with a public flow (or creates one via AUTO_LOGIN).
Attacker sends a POST request to /api/v1/build_public_tmp/{flow_id}/flow with a data parameter containing a node whose code field holds arbitrary Python.
Langflow's graph builder parses the attacker's node definitions and calls prepare_global_scope() → exec() on the code.
Attacker's Python code executes with full server process privileges — during graph building, before the flow even "runs."
Attacker achieves arbitrary command execution, credential exfiltration, or reverse shell.

Mitigation & Remediation

CISA BOD 22-01 Deadline: April 8, 2026. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Patched Version

Product	Fixed Version
Langflow	1.9.0 and later

Recommended Actions

Upgrade immediately to Langflow 1.9.0 or later.
Disable AUTO_LOGIN — set AUTO_LOGIN=false if not already done. The default AUTO_LOGIN=true setting allows unauthenticated users to create public flows, making exploitation trivial even without pre-existing public flows.
Restrict network access — if patching is not immediately possible, restrict access to the Langflow instance to trusted networks only. Do not expose Langflow directly to the internet.
Review server logs — check for suspicious POST requests to /api/v1/build_public_tmp/ endpoints, especially those with a data parameter containing code fields.
Rotate credentials — if exploitation is suspected, rotate all API keys, database credentials, cloud tokens, and other secrets accessible to the Langflow server process.
Monitor CISA KEV Catalog for updated guidance.

Property	Value
CVE ID	CVE-2026-33017
Vendor / Product	Langflow — Langflow
NVD Published	2026-03-20
NVD Last Modified	2026-03-26
CVSS 3.1 Score	9.8
CVSS 3.1 Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
Severity	CRITICAL
CWE	CWE-94
CISA KEV Added	2026-03-25
CISA KEV Deadline	2026-04-08
Known Ransomware Use	No

Date	Event
2026-03-20	CVE-2026-33017 published on NVD; GitHub advisory GHSA-vwmf-pq79-vjvx released
2026-03-25	Added to CISA Known Exploited Vulnerabilities catalog
2026-03-26	NVD record last modified
2026-04-08	CISA BOD 22-01 remediation deadline

Resource	Type
NVD — CVE-2026-33017	Vulnerability Database
CISA KEV Catalog Entry	US Government
GHSA-vwmf-pq79-vjvx — Langflow GitHub Advisory	Vendor Advisory
Langflow Patch Commit 73b6612 — Fix for build_public_tmp endpoint	Vendor Advisory
Sysdig — How Attackers Compromised Langflow AI Pipelines in 20 Hours	Security Research