CVE-2026-33017

CVE-2026-33017 is a critical vulnerability in Langflow, a tool for building and deploying AI-powered agents and workflows, affecting versions prior to 1.9.0. The issue lies in the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint, which is designed to allow unauthenticated building of public flows. When the optional "data" parameter is supplied, the endpoint processes attacker-controlled flow data—containing arbitrary Python code in node definitions—instead of the stored database flow data. This code is executed via exec() with no sandboxing, enabling unauthenticated remote code execution. The vulnerability is classified under CWE-94, CWE-95, and CWE-306, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Any unauthenticated attacker with network access can exploit this vulnerability by sending a crafted POST request to the endpoint, specifying a flow_id and a malicious "data" payload embedding executable Python code within flow node definitions. No user interaction is required, and exploitation complexity is low. Successful attacks result in full remote code execution on the server, allowing attackers to achieve high-impact compromise of confidentiality, integrity, and availability, such as data theft, persistence, or further lateral movement.

The vulnerability has been fixed in Langflow version 1.9.0, as detailed in GitHub Security Advisories GHSA-rvqx-wpfh-mfx7 and GHSA-vwmf-pq79-vjvx, the fix commit 73b6612e3ef25fdae0a752d75b0fabd47328d4f0, and related release notes. Security practitioners should upgrade to version 1.9.0 or later and review configurations for exposed public flow endpoints. This issue is distinct from CVE-2025-3248, which addressed authentication on a different endpoint, and was identified through code review, as described in a Medium post by the discoverer.