CVE-2026-33017

March 20, 2026, 7:16 p.m.

9.3
Critical

Description

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.

Product(s) Impacted

Vendor Product Versions
Langflow
  • Langflow
  • <1.9.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-94
Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a langflow langflow <1.9.0 / / / / / / /

References

https://github.com/advisories/GHSA-rvqx-wpfh-mfx7
https://github.com/langflow-ai/langflow/commit/73b6612e3ef25fdae0a752d75b0fabd47328d4f0
https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx
https://www.sysdig.com/blog/cve-2026-33017-how-attackers-compromised-langflow-ai-pipelines-in-20-hours

Tags

[email protected]
CWE-94
2026-03-20
CVE-2026-33017

CVSS Score

9.3 / 10

CVSS Data - 4.0

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Attack Requirements: NONE
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope:
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH
  • Exploit Maturity: NOT_DEFINED

    • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    View Vector String

Timeline

Published: March 20, 2026, 5:16 a.m.
Last Modified: March 20, 2026, 7:16 p.m.

Status : Awaiting Analysis

CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.

More info

Source

[email protected]

Relations

Here is the list of observables linked to the vulnerability CVE-2026-33017 using threat intelligence.

Linked Attack Reports

CVE-2026-33017: How attackers compromised Langflow AI pipelines in 20 hours

A critical vulnerability in Langflow, an open-source visual framework for AI agents and RAG pipelines, was disclosed on March 17, 2026. The vulnerability, CVE-2026-33017, allows unauthenticated remote code execution on exposed Langflow instances. Within 20 hours, exploitation attempts were observed…
vulnerability
exploitation
ai
data exfiltration
rce
honeypot
langflow
2026-03-20
CVE-2026-33017
Published: March 20, 2026
Linked vulnerabilities : CVE-2025-3248 (CVSS 9.8), CVE-2026-33017 (CVSS 9.3)
Downloadable IOCs: 1

March 2026 CVE Landscape: 31 High-Impact Vulnerabilities Identified, Interlock Ransomware Group Exploits Cisco FMC Zero-Day

In March 2026, 31 high-impact vulnerabilities were identified requiring prioritization for remediation, with 29 receiving Very Critical Risk Scores. Affected vendors included Cisco, Microsoft, Google, ConnectWise, and others, with Microsoft and Apple accounting for approximately 32% of vulnerabilit…
ransomware
remote code execution
deserialization vulnerability
CVE-2025-32432
CVE-2025-54068
CVE-2025-26399
CVE-2025-53521
CVE-2025-68613
CVE-2026-20963
CVE-2026-27483
CVE-2026-21385
CVE-2021-30952
CVE-2023-41974
plasmagrid
CVE-2026-20131
CVE-2026-27944
CVE-2017-7921
CVE-2026-21262
CVE-2026-25187
CVE-2026-26127
CVE-2026-3909
CVE-2026-3910
CVE-2026-3564
ghostblade
ghostknife
ghostsaber
CVE-2026-33017
CVE-2026-3055
CVE-2026-33634
CVE-2026-33032
2026-04-14
cisco fmc
ios exploit kit
plasmaloader
zero-day exploitation
Published: April 14, 2026
Linked vulnerabilities : CVE-2025-32432 (CVSS 10.0), CVE-2025-54068 (CVSS 9.2), CVE-2025-26399 (CVSS 9.8), CVE-2025-53521 (CVSS 8.7), CVE-2025-68613 (CVSS 9.9), CVE-2026-20963 (CVSS 8.8), CVE-2026-27483 (CVSS 8.8), CVE-2026-21385 (CVSS 7.8), CVE-2023-41974, CVE-2021-30952, CVE-2026-20131 (CVSS 10.0), CVE-2026-27944 (CVSS 9.8), CVE-2017-7921, CVE-2026-21262 (CVSS 8.8), CVE-2026-25187 (CVSS 7.8), CVE-2026-26127 (CVSS 7.5), CVE-2026-3909 (CVSS 8.8), CVE-2026-3910 (CVSS 8.8), CVE-2026-3564 (CVSS 9.0), CVE-2026-33017 (CVSS 9.3), CVE-2026-3055 (CVSS 9.3), CVE-2026-33634 (CVSS 9.4), CVE-2026-33032 (CVSS 9.8)
Downloadable IOCs: 2

How attackers are jailbreaking LLMs with CTF framing and how to catch them

Threat actors are bypassing AI model safety guardrails by framing exploit requests as legitimate security research, such as capture-the-flag challenges or CVE-hunting exercises. This technique manipulates upstream LLMs into generating working exploit code that attackers deploy against real targets.…
credential harvesting
CVE-2026-33017
CVE-2026-39987
ai agent exploitation
CVE-2026-40281
CVE-2026-42208
CVE-2026-42271
CVE-2026-44336
CVE-2026-44694
CVE-2026-42266
CVE-2026-42589
CVE-2026-45331
CVE-2026-45397
CVE-2026-45672
CVE-2026-45301
2026-06-15
ai platform targeting
ctf framing
cve exploitation
CVE-2026-42302
CVE-2026-47391
llm jailbreaking
prompt injection
rce campaigns
Published: June 15, 2026
Linked vulnerabilities : CVE-2026-0770 (CVSS 9.8), CVE-2026-33017 (CVSS 9.3), CVE-2026-39987 (CVSS 9.3), CVE-2026-40281 (CVSS 10.0), CVE-2026-42208 (CVSS 9.3), CVE-2026-42271 (CVSS 8.7), CVE-2026-44336 (CVSS 9.4), CVE-2026-44694 (CVSS 7.2), CVE-2026-42589 (CVSS 9.8), CVE-2026-45331 (CVSS 8.5), CVE-2026-45672 (CVSS 8.8), CVE-2026-45301 (CVSS 8.1), CVE-2026-47391
Downloadable IOCs: 6

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.