CVE-2026-33017
Published: 20 March 2026
Summary
CVE-2026-33017 is a critical-severity Code Injection (CWE-94) vulnerability in Langflow. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 0.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
This vulnerability is AI-related: it is categorised as LLM Application Platforms, in the LLM/Generative AI Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
Langflow, a framework for building and deploying AI-powered agents and workflows, contains an unauthenticated remote code execution vulnerability in versions prior to 1.9.0. The flaw resides in the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint, which is intentionally reachable without authentication for public flows. When an optional data parameter is supplied, the endpoint substitutes attacker-controlled flow definitions—containing arbitrary Python code in node definitions—for the stored database record and passes the input directly to an unsandboxed exec() call.
An unauthenticated attacker can therefore submit a malicious flow payload to achieve arbitrary code execution on the server, obtaining full control over the host process, data, and any connected resources. The issue stems from missing authentication combined with insufficient validation of externally supplied flow data, distinct from the earlier CVE-2025-3248 fix that added authentication to the /api/v1/validate/code endpoint.
Public advisories and the project repository indicate that the vulnerability is resolved in Langflow 1.9.0; the referenced commit and release notes document the corrective changes that prevent the endpoint from accepting and executing attacker-supplied code.
The affected component is central to AI workflow tooling, increasing the potential blast radius in environments that expose Langflow instances. Exploitation probability rose from lower values to a peak of 0.4365 on 2026-05-12 before receding to the current 0.2465, indicating post-disclosure attacker interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-13556
Vulnerability details
Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.
- CWE(s)
- KEV Date Added: 25 March 2026
AI Security Analysis
- AI Category: LLM Application Platforms
- Risk Domain: LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai, langflow
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2026-33017 enables unauthenticated RCE in a public-facing web application (T1190) by executing arbitrary attacker-supplied Python code via exec() (T1059.006).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires validation of untrusted flow data containing Python code before it is passed to exec().
Enforces that the build_public_tmp endpoint cannot accept attacker-supplied executable payloads without proper authorization checks.
Requires mechanisms to detect and block execution of malicious code supplied via the unauthenticated flow parameter.
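
One way to look for the request pattern described above in reverse-proxy logs, as an added example that is not Langflow's or the advisory's own code. It assumes the proxy records each request as a JSON line with `src`, `method`, `path` and `body` fields and that the data parameter arrives as a `data` key in a JSON request body; the log layout, sample records and verdict names are constructed for illustration.

```python
import json
import re

# Unauthenticated public-flow build endpoint named in the advisory.
BUILD_PUBLIC = re.compile(r"^/api/v1/build_public_tmp/([^/?]+)/flow/?(?:\?.*)?$")

def triage(record):
    """Return None for unrelated traffic, else a verdict string for a build request."""
    if record.get("method", "").upper() != "POST":
        return None
    if not BUILD_PUBLIC.match(record.get("path", "")):
        return None
    body = record.get("body") or ""
    if not body.strip():
        return "build-no-data"          # stored flow is used
    try:
        parsed = json.loads(body)
    except ValueError:
        return "build-unparsed-body"    # cannot rule out a supplied flow: review
    if not isinstance(parsed, dict):
        return "build-unparsed-body"
    # Assumption: JSON null counts as "not supplied"; any other value replaces the stored flow.
    if parsed.get("data") is not None:
        return "build-with-data"        # caller supplied its own flow definition
    return "build-no-data"

def scan(log_lines):
    """Return (source_ip, flow_id, verdict) for every record that needs review."""
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        verdict = triage(rec)
        if verdict in ("build-with-data", "build-unparsed-body"):
            flow_id = BUILD_PUBLIC.match(rec["path"]).group(1)
            hits.append((rec.get("src", "?"), flow_id, verdict))
    return hits

# Constructed sample records (documentation IP ranges, made-up flow ids and body shape).
SAMPLE = [json.dumps(r) for r in (
    {"src": "198.51.100.7", "method": "POST", "path": "/api/v1/build_public_tmp/flow-a/flow", "body": ""},
    {"src": "203.0.113.9", "method": "POST", "path": "/api/v1/build_public_tmp/flow-a/flow", "body": json.dumps({"data": {"nodes": [], "edges": []}})},
    {"src": "203.0.113.9", "method": "POST", "path": "/api/v1/build_public_tmp/flow-b/flow", "body": "not json"},
    {"src": "198.51.100.7", "method": "GET", "path": "/health", "body": ""},
)]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

On instances older than 1.9.0, a `build-with-data` hit from an unauthenticated source is the condition the advisory describes and warrants host-level investigation; the check only helps where request bodies are actually logged.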