Cyber Resilience

CVE-2026-33497

HighPublic PoC

Published: 24 March 2026

Published
24 March 2026
Modified
24 March 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0799 94.0th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-33497 is a high-severity Path Traversal (CWE-22) vulnerability in Langflow Langflow. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 6.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the Privacy and Disclosure risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-33497 is a path traversal vulnerability (CWE-22) in Langflow, an open-source tool for building and deploying AI-powered agents and workflows. The flaw affects versions prior to 1.7.1 and exists in the download_profile_picture function of the /profile_pictures/{folder_name}/{file_name} endpoint. There, the folder_name and file_name parameters are not strictly filtered, enabling directory traversal that exposes sensitive files such as the secret_key.

Remote attackers can exploit this vulnerability without authentication, privileges, or user interaction, as indicated by its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Exploitation involves crafting requests with manipulated folder_name or file_name values to traverse directories and retrieve confidential data like secret keys, resulting in high-impact confidentiality violations over the network with low attack complexity.

Langflow version 1.7.1 includes a patch to address the issue. Additional details on the vulnerability and remediation are available in the GitHub Security Advisory at https://github.com/langflow-ai/langflow/security/advisories/GHSA-ph9w-r52h-28p7.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.1, in the download_profile_picture function of the /profile_pictures/{folder_name}/{file_name} endpoint, the folder_name and file_name parameters are not strictly filtered, which allows the secret_key to be read…

more

across directories. Version 1.7.1 contains a patch.

CWE(s)

AI Security AnalysisAI

AI Category
LLM Application Platforms
Risk Domain
Privacy and Disclosure
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai, langflow

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1552.001 Credentials In Files Credential Access
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

Path traversal in unauthenticated public endpoint enables remote exploitation of web app (T1190) for direct local file reads (T1005) including secret_key credentials (T1552.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-7524Same product: Langflow Langflow
CVE-2026-42048Same product: Langflow Langflow
CVE-2026-33484Same product: Langflow Langflow
CVE-2026-33309Same product: Langflow Langflow
CVE-2026-21445Same product: Langflow Langflow
CVE-2026-33017Same product: Langflow Langflow
CVE-2026-0770Same product: Langflow Langflow
CVE-2026-33873Same product: Langflow Langflow
CVE-2026-27966Same product: Langflow Langflow
CVE-2025-34291Same product: Langflow Langflow

Affected Assets

langflow
langflow
≤ 1.7.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses path traversal by requiring validation of untrusted inputs like folder_name and file_name parameters to reject directory traversal sequences such as '../'.

prevent

Enforces approved authorizations for file access in the download_profile_picture endpoint, preventing unauthorized reads of sensitive files like secret_key outside intended directories.

preventdetect

Provides boundary protection that can inspect and block network requests containing path traversal payloads targeting the unauthenticated /profile_pictures endpoint.

References