CVE-2026-33017 is a critical vulnerability affecting Langflow, a tool designed for building and deploying AI-powered agents and workflows. This vulnerability allows unauthenticated remote code execution through the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint in versions prior to 1.9.0. With a CVSS score of 9.3, this vulnerability poses significant risk to organizations, necessitating immediate attention and remediation.
The vulnerability arises when the optional data parameter is supplied to the endpoint, which then uses attacker-controlled flow data instead of the stored flow data from the database. This data can contain arbitrary Python code, which is executed without any sandboxing via the exec() function. This issue, distinct from CVE-2025-3248, highlights a significant security flaw in the design of the build_public_tmp endpoint, which was intended to be unauthenticated but improperly accepts malicious input.
Organizations should prioritize patching immediately to mitigate the risks associated with this vulnerability. The flaw has been addressed in version 1.9.0, and failure to update could lead to unauthorized access and control over critical systems.
As this vulnerability is actively tracked in the Known Exploited Vulnerabilities (KEV) catalog, organizations are urged to follow applicable guidance and implement necessary mitigations by the specified due date.
Vulnerability Details
The vulnerability is described in detail as follows: Langflow allows building public flows without requiring authentication. The POST /api/v1/build_public_tmp/{flow_id}/flow endpoint is designed for public flows but incorrectly processes attacker-supplied flow data, leading to unauthenticated remote code execution.
This vulnerability has a CVSS score of 9.3, indicating a critical severity level. It is classified under several CWEs, including CWE-94 (Code Injection), CWE-95 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), and CWE-306 (Missing Authentication for Critical Function).
Technical Analysis
The root cause of this vulnerability stems from the endpoint's failure to validate and sanitize input data properly. The attack vector is over a network, with low attack complexity, meaning that attackers can exploit this vulnerability with minimal effort and without needing special privileges or user interaction.
Exploiting this vulnerability requires no authentication, allowing attackers to execute arbitrary commands remotely. The impacts of this vulnerability are severe, as it affects confidentiality, integrity, and availability, all rated high. Organizations using affected versions of Langflow must recognize the potential blast radius and take immediate action.
Risk & Impact Analysis
Risk to organizations includes unauthorized access to sensitive data and systems, compromising the integrity of workflows and potentially leading to further exploitation of internal resources. Given the accessible nature of this vulnerability, the urgency for organizations to address it is critical. The potential for widespread impact necessitates immediate action to patch or mitigate the issue.
Exploitation Status
Signal | Status |
|---|---|
Known Exploit | Yes |
Public PoC | Yes |
Actively Exploited | Yes |
Ransomware Use | No |
Affected Versions
All versions of Langflow prior to 1.9.0 are affected by this vulnerability. Organizations must upgrade to version 1.9.0 or later to mitigate the risk associated with this flaw.
Mitigation & Remediation
To address CVE-2026-33017, organizations should apply the latest patch provided by Langflow, specifically version 1.9.0, which resolves the vulnerability. If patching is not feasible, organizations are encouraged to implement alternative security measures, such as limiting access to the affected endpoint and monitoring logs for suspicious activity. For more comprehensive security practices, consider engaging in penetration testing that assesses the effectiveness of your existing security controls.
Detection Guidance
Organizations should monitor logs for any unauthorized attempts to access the build_public_tmp endpoint or unusual patterns that may indicate exploitation attempts. Key indicators include unexpected flow builds or errors related to executing Python code. Implementing network segmentation and access controls around Langflow instances can help mitigate risks.
AppSecure Threat Intelligence Insight
The long-term significance of CVE-2026-33017 lies in its demonstration of how inadequate input validation can lead to severe vulnerabilities in software systems. This case emphasizes the necessity for thorough security reviews during the development lifecycle of software, particularly for systems exposed to the internet.
Security teams must remain vigilant and adapt to emerging threats, particularly those that exploit design flaws like this one. It is crucial to establish a culture of security awareness and proactive measures, including regular security assessments and audits. For further insights into effective security practices, refer to our penetration testing methodology and vulnerability management program design guides.
In conclusion, CVE-2026-33017 is a critical vulnerability that requires immediate remediation. Organizations must stay informed about such vulnerabilities and implement necessary security measures to protect their systems.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
.webp)