CVE-2026-33497

HighPublic PoC

Published: 24 March 2026

Published

24 March 2026

Modified

24 March 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Score 0.0003 7.6th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-33497 is a high-severity Path Traversal (CWE-22) vulnerability in Langflow Langflow. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 7.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as Other AI Platforms.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly addresses path traversal by requiring validation of untrusted inputs like folder_name and file_name parameters to reject directory traversal sequences such as '../'.

AC-3 Access Enforcement good match

prevent

Enforces approved authorizations for file access in the download_profile_picture endpoint, preventing unauthorized reads of sensitive files like secret_key outside intended directories.

SC-7 Boundary Protection partial match

preventdetect

Provides boundary protection that can inspect and block network requests containing path traversal payloads targeting the unauthenticated /profile_pictures endpoint.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1005 Data from Local System Collection

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

attack.mitre.org →

T1552.001 Credentials In Files Credential Access

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

attack.mitre.org →

Why these techniques?

Path traversal in unauthenticated public endpoint enables remote exploitation of web app (T1190) for direct local file reads (T1005) including secret_key credentials (T1552.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.1, in the download_profile_picture function of the /profile_pictures/{folder_name}/{file_name} endpoint, the folder_name and file_name parameters are not strictly filtered, which allows the secret_key to be read…

across directories. Version 1.7.1 contains a patch.

Deeper analysisAI

CVE-2026-33497 is a path traversal vulnerability (CWE-22) in Langflow, an open-source tool for building and deploying AI-powered agents and workflows. The flaw affects versions prior to 1.7.1 and exists in the download_profile_picture function of the /profile_pictures/{folder_name}/{file_name} endpoint. There, the folder_name and file_name parameters are not strictly filtered, enabling directory traversal that exposes sensitive files such as the secret_key.

Remote attackers can exploit this vulnerability without authentication, privileges, or user interaction, as indicated by its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Exploitation involves crafting requests with manipulated folder_name or file_name values to traverse directories and retrieve confidential data like secret keys, resulting in high-impact confidentiality violations over the network with low attack complexity.

Langflow version 1.7.1 includes a patch to address the issue. Additional details on the vulnerability and remediation are available in the GitHub Security Advisory at https://github.com/langflow-ai/langflow/security/advisories/GHSA-ph9w-r52h-28p7.

Details

CWE(s): CWE-22

Affected Products

langflow

≤ 1.7.1

AI Security AnalysisAI

AI Category: Other AI Platforms
Risk Domain: N/A
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai

CVEs Like This One

CVE-2026-33484Same product: Langflow Langflow

CVE-2026-33309Same product: Langflow Langflow

CVE-2026-21445Same product: Langflow Langflow

CVE-2026-33017Same product: Langflow Langflow

CVE-2026-33873Same product: Langflow Langflow

CVE-2026-33053Same product: Langflow Langflow

CVE-2026-27966Same product: Langflow Langflow

CVE-2026-0770Same product: Langflow Langflow

CVE-2025-34291Same product: Langflow Langflow

CVE-2026-33475Same product: Langflow Langflow

References

https://github.com/langflow-ai/langflow/security/advisories/GHSA-ph9w-r52h-28p7
Exploit, Vendor Advisory · security-advisories@github.com