CVE-2026-33017 in Langflow
Summary
by MITRE • 03/20/2026
Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.
Analysis
by VulDB Data Team • 03/26/2026
The vulnerability identified as CVE-2026-33017 affects Langflow, a platform for constructing and deploying AI-powered agents and workflows. The flaw exists in versions prior to 1.9.0 and resides in the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint. It stems from an improper implementation of access control mechanisms that allows unauthorized users to execute arbitrary code through the public flow building functionality. The endpoint was designed to be accessible without authentication for public flows, but the implementation failed to properly validate or sanitize user-supplied data that could contain malicious code.
The technical exploitation of this vulnerability occurs when an attacker supplies a data parameter containing attacker-controlled flow data with arbitrary Python code embedded within node definitions. This code bypasses normal security boundaries and is directly executed through the exec() function without any sandboxing or code validation. The lack of input sanitization and execution environment isolation creates a critical remote code execution vector that can be exploited by unauthenticated attackers. The vulnerability represents a direct violation of secure coding practices and demonstrates a dangerous use of dynamic code execution in web applications.
The operational impact of this vulnerability is severe as it allows attackers to execute arbitrary commands on the affected system with the privileges of the application process. This can lead to complete system compromise, data exfiltration, lateral movement within networks, and persistent backdoor installation. The vulnerability affects any organization using Langflow versions before 1.9.0, particularly those with public flows that are accessible to unauthenticated users. Attackers can leverage this to gain unauthorized access to sensitive data, manipulate workflow configurations, or use the compromised system as a pivot point for further attacks. The vulnerability's severity is amplified by the fact that it requires no authentication and can be exploited through a simple HTTP request.
The root cause of this vulnerability aligns with CWE-94, which describes the improper execution of code, and specifically relates to CWE-74, which deals with injection flaws. From an adversarial perspective, this vulnerability maps to ATT&CK technique T1059.001 for command and scripting interpreter and T1566 for spearphishing with a malicious attachment, as attackers could potentially use this to establish initial access or execute malicious payloads.
Organizations should immediately upgrade to Langflow version 1.9.0 or later to remediate this vulnerability. Additional mitigations include implementing proper input validation, using sandboxed execution environments, and restricting access to public endpoints that process user-supplied data. Network segmentation and monitoring for unusual API activity can also help detect exploitation attempts. The vulnerability highlights the critical importance of secure coding practices, particularly when dealing with dynamic code execution and user-supplied inputs in web applications.
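One way to monitor for the request shape described above, as an added example that is not Langflow or VulDB code: it scans reverse-proxy records for POSTs to the build_public_tmp endpoint whose body supplies a non-null data value and returns them for review. The log format (one JSON object per line with src, method, path and body fields, with request bodies captured) and the assumption that data arrives as a key in a JSON body are assumptions, and the sample records are constructed.

```python
import json
import re
from urllib.parse import urlsplit

# Endpoint named in the advisory; {flow_id} is matched as a single path segment.
PUBLIC_BUILD = re.compile(r"^/api/v1/build_public_tmp/[^/]+/flow/?$")

def _rec(src, method, path, body):
    return json.dumps({"src": src, "method": method, "path": path, "body": body})

# Constructed sample records, not real traffic. Field names are assumptions
# about a proxy log that captures request bodies.
SAMPLE_LOG = [
    _rec("198.51.100.7", "POST", "/api/v1/build_public_tmp/flow-a/flow", "{}"),
    _rec("203.0.113.9", "POST", "/api/v1/build_public_tmp/flow-a/flow?x=1",
         '{"data": {"nodes": [], "edges": []}}'),
    _rec("198.51.100.7", "GET", "/api/v1/build_public_tmp/flow-a/flow", ""),
    _rec("203.0.113.9", "POST", "/api/v1/other", '{"data": {}}'),
    _rec("192.0.2.44", "POST", "/api/v1/build_public_tmp/flow-b/flow", '{"data": null}'),
    "not-json garbage line",
]

def supplies_flow_data(body):
    """True if the body is a JSON object carrying a non-null 'data' key."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return False
    return isinstance(doc, dict) and doc.get("data") is not None

def find_suspect_requests(lines):
    """Return (line_no, source, path) for each request worth reviewing."""
    hits = []
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # malformed log line: skip rather than abort the scan
        if not isinstance(rec, dict) or rec.get("method") != "POST":
            continue
        path = urlsplit(str(rec.get("path", ""))).path  # drop any query string
        if PUBLIC_BUILD.match(path) and supplies_flow_data(rec.get("body")):
            hits.append((n, rec.get("src"), path))
    return hits

if __name__ == "__main__":
    print(find_suspect_requests(SAMPLE_LOG))
```

A hit only shows that caller-supplied flow data reached the public build endpoint; on a host still running a version prior to 1.9.0 it is a reason to inspect that host's process and outbound activity around the same time.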