Cyber Resilience

CVE-2026-33017

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 20 March 2026

Modified: 21 May 2026
KEV Added: 25 March 2026
Patch
CVSS Score v4: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.9841 (99.9th percentile)
Risk Priority: 100 (floored blend · peak EPSS)

Summary

CVE-2026-33017 is a critical-severity Code Injection (CWE-94) vulnerability in Langflow. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

This vulnerability is AI-related: it is categorised under LLM Application Platforms, in the LLM/Generative AI Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

Langflow, a framework for building and deploying AI-powered agents and workflows, contains an unauthenticated remote code execution vulnerability in versions prior to 1.9.0. The flaw resides in the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint, which is intentionally reachable without authentication for public flows. When an optional data parameter is supplied, the endpoint substitutes attacker-controlled flow definitions—containing arbitrary Python code in node definitions—for the stored database record and passes the input directly to an unsandboxed exec() call.

An unauthenticated attacker can therefore submit a malicious flow payload to achieve arbitrary code execution on the server, obtaining full control over the host process, data, and any connected resources. The issue stems from missing authentication combined with insufficient validation of externally supplied flow data, distinct from the earlier CVE-2025-3248 fix that added authentication to the /api/v1/validate/code endpoint.

Public advisories and the project repository indicate that the vulnerability is resolved in Langflow 1.9.0; the referenced commit and release notes document the corrective changes that prevent the endpoint from accepting and executing attacker-supplied code.
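
A request check that could sit in front of an instance still running a version prior to 1.9.0, as an added example (not Langflow's code or its fix): it rejects POSTs to the public build endpoint that carry a non-null data field. It assumes data arrives as a top-level key of a JSON body; the function names and sample requests are constructed for illustration.

```python
import json
import re

# Endpoint path as given in the advisory; flow_id is treated as one opaque path segment.
PUBLIC_BUILD = re.compile(r"^/api/v1/build_public_tmp/[^/]+/flow/?$")


class _Obj(list):
    """JSON object kept as (key, value) pairs so duplicate keys stay visible."""


def verdict(method, path, body):
    """Return 'pass' or 'block' for one request to a pre-1.9.0 instance."""
    if method.upper() != "POST" or not PUBLIC_BUILD.match(path.split("?", 1)[0]):
        return "pass"
    if not body.strip():
        return "pass"  # no body: the server builds the stored flow
    try:
        doc = json.loads(body, object_pairs_hook=_Obj)
    except ValueError:
        return "block"  # fail closed: an unparseable body cannot be vetted
    if isinstance(doc, _Obj) and any(k == "data" and v is not None for k, v in doc):
        return "block"  # client-supplied flow definition on the unauthenticated route
    return "pass"


# Constructed sample requests (source, method, path, body); not real traffic.
SAMPLES = [
    ("198.51.100.7", "POST", "/api/v1/build_public_tmp/FLOW-ID/flow", ""),
    ("198.51.100.7", "POST", "/api/v1/build_public_tmp/FLOW-ID/flow", '{"other": 1}'),
    ("203.0.113.9", "POST", "/api/v1/build_public_tmp/FLOW-ID/flow?x=1",
     '{"data": {"placeholder": true}}'),
    ("203.0.113.9", "POST", "/api/v1/build_public_tmp/FLOW-ID/flow",
     '{"data": null, "data": {"placeholder": true}}'),
    ("203.0.113.20", "POST", "/api/v1/build_public_tmp/FLOW-ID/flow", '{"data": '),
    ("192.0.2.4", "GET", "/api/v1/build_public_tmp/FLOW-ID/flow", '{"data": {}}'),
]


def blocked_sources(samples):
    """Sources with at least one blocked request, in first-seen order."""
    seen = []
    for src, method, path, body in samples:
        if verdict(method, path, body) == "block" and src not in seen:
            seen.append(src)
    return seen
```

The path match is exact, so any URL normalisation (case, encoding, duplicate slashes) has to happen before this check; upgrading to 1.9.0 remains the fix the advisory names.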

The affected component is central to AI workflow tooling, increasing the potential blast radius in environments that expose Langflow instances. Exploitation probability rose from lower values to a peak of 0.4365 on 2026-05-12 before receding to the current 0.2465, indicating post-disclosure attacker interest.

Vulnerability details

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.

CWE(s): CWE-94 (Code Injection)
KEV Date Added: 25 March 2026

AI Security Analysis

AI Category: LLM Application Platforms
Risk Domain: LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai, langflow

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.006 Python (Execution): Adversaries may abuse Python commands and scripts for execution.

Why these techniques?

CVE-2026-33017 enables unauthenticated RCE in a public-facing web application (T1190) by executing arbitrary attacker-supplied Python code via exec() (T1059.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33873: Same product (Langflow)
CVE-2026-27966: Same product (Langflow)
CVE-2025-34291: Same product (Langflow); both on KEV
CVE-2026-0770: Same product (Langflow)
CVE-2026-21445: Same product (Langflow)
CVE-2026-33309: Same product (Langflow)
CVE-2026-7524: Same product (Langflow)
CVE-2026-42048: Same product (Langflow)
CVE-2026-0769: Same product (Langflow)
CVE-2026-33484: Same product (Langflow)

Affected Assets

langflow / langflow: ≤ 1.8.2

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly requires validation of untrusted flow data containing Python code before it is passed to exec().

Prevent: Enforces that the build_public_tmp endpoint cannot accept attacker-supplied executable payloads without proper authorization checks.

Prevent: Requires mechanisms to detect and block execution of malicious code supplied via the unauthenticated flow parameter.

References