CVE-2026-33017
Description
Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| langflow | PyPI | < 1.9.0 | 1.9.0 |
Affected products
- Range: < 1.9.0
Patches
Fixed in langflow 1.9.0 (fix commit 73b6612e3ef25fdae0a752d75b0fabd47328d4f0; see References). Any earlier version is exploitable without credentials and should be upgraded.
Vulnerability mechanics
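The mechanics in the description, as an added simplified model written for this page (not Langflow's code and not the 1.9.0 fix): the flow ids, node code, attacker body and function names are constructed, and the hardened handler shows one possible shape rather than the upstream patch. The `is_affected` helper compares numeric version components so that `1.10.x` is not misread as older than `1.9.0`.

```python
"""Simplified model of the CVE-2026-33017 bug shape, written for this page.

Illustrative only: not Langflow's implementation and not the 1.9.0 patch.
The public-build endpoint is meant to rebuild a flow that is already stored
server-side. The defect: an optional `data` body field, when present,
replaces the stored flow with caller-supplied nodes whose `code` strings go
straight to exec(), on a route that deliberately requires no authentication.
"""
import re

# Constructed stand-in for the stored flows table (ids and code are invented).
FLOWS = {
    "flow-public-1": {
        "public": True,
        "nodes": [{"id": "n1", "code": "result = 'hello from stored flow'"}],
    },
    "flow-private-1": {"public": False, "nodes": []},
}

# Constructed attacker body: one node whose `code` runs on the server.
ATTACKER_DATA = {
    "nodes": [
        {"id": "evil", "code": "result = 'pid=' + str(__import__('os').getpid())"}
    ]
}


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


def run_nodes(flow):
    """Stand-in for 'building' a flow: each node's code is exec()'d with no
    sandbox, which is exactly why attacker-controlled node code is RCE."""
    outputs = []
    for node in flow["nodes"]:
        scope = {}
        exec(node["code"], {}, scope)  # unsandboxed on purpose: this is the bug
        outputs.append(scope.get("result"))
    return outputs


def build_public_tmp_vulnerable(flow_id, data=None):
    """Vulnerable shape: no auth, and `data` silently overrides the stored flow.
    Note that the `public` check runs against the STORED flow, then the body
    replaces it, so the check protects nothing."""
    stored = FLOWS.get(flow_id)
    if stored is None or not stored["public"]:
        raise NotFound(flow_id)
    flow = data if data is not None else stored  # the bug
    return run_nodes(flow)


def build_public_tmp_fixed(flow_id, data=None, authenticated=False):
    """One hardened shape (an assumption, not the real patch): an
    unauthenticated caller may only build what is stored; a caller-supplied
    flow is refused unless the request carries an authenticated session."""
    stored = FLOWS.get(flow_id)
    if stored is None or not stored["public"]:
        raise NotFound(flow_id)
    if data is not None and not authenticated:
        raise Forbidden("flow data override requires authentication")
    return run_nodes(data if data is not None else stored)


def is_affected(version):
    """True for langflow < 1.9.0. Compares numeric components, so '1.10.0'
    sorts after '1.9.0' (a plain string compare gets this wrong). Pre-release
    suffixes such as '1.9.0rc1' are collapsed to the base version."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    parts += [0] * (3 - len(parts))
    return tuple(parts) < (1, 9, 0)


def demo():
    """Returns (stored build, attacker build on the vulnerable route,
    whether the fixed route rejected the attacker body, authenticated build)."""
    stored = build_public_tmp_vulnerable("flow-public-1")
    attacked = build_public_tmp_vulnerable("flow-public-1", ATTACKER_DATA)
    try:
        build_public_tmp_fixed("flow-public-1", ATTACKER_DATA)
        rejected = False
    except Forbidden:
        rejected = True
    authed = build_public_tmp_fixed("flow-public-1", ATTACKER_DATA, authenticated=True)
    return stored, attacked, rejected, authed


if __name__ == "__main__":
    print(demo())
```

Running the file prints the four results: the stored flow builds normally, the attacker's node code executes on the vulnerable route (it reads the server process id here; a real payload would do anything the service account can), the hardened route refuses the override for an unauthenticated caller, and an authenticated caller can still build ad-hoc data. Distinguishing the two callers is the whole fix: the route may stay public, but client-supplied executable definitions must not be.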
References
- github.com/langflow-ai/langflow/commit/73b6612e3ef25fdae0a752d75b0fabd47328d4f0 (NVD: Patch)
- github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx (NVD: Exploit, Mitigation, Vendor Advisory)
- medium.com/@aviral23/cve-2026-33017-how-i-found-an-unauthenticated-rce-in-langflow-by-reading-the-code-they-already-dc96cdce5896 (NVD: Exploit, Third Party Advisory)
- github.com/advisories/GHSA-rvqx-wpfh-mfx7 (NVD: Third Party Advisory)
- github.com/advisories/GHSA-vwmf-pq79-vjvx (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-33017 (GHSA: Advisory)
- github.com/langflow-ai/langflow/issues/12345 (GHSA)
- github.com/langflow-ai/langflow/pull/12160 (GHSA)
- github.com/langflow-ai/langflow/releases/tag/1.8.2 (NVD: Release Notes)
- www.cisa.gov/known-exploited-vulnerabilities-catalog (GHSA; NVD: US Government Resource)
- www.sysdig.com/blog/cve-2026-33017-how-attackers-compromised-langflow-ai-pipelines-in-20-hours (NVD: Press/Media Coverage)
News mentions
- Langflow RCE Exploited to Deploy Monero Miner on Exposed AI App Endpoints | The Hacker News · Jun 30, 2026
- 29th June – Threat Intelligence Report | Check Point Research · Jun 29, 2026
- From Langflow to Monero: Inside CVE-2026-33017 Cryptominer | Trend Micro Research · Jun 23, 2026
- Path traversal flaw in AI dev platform Langflow exploited in attacks | BleepingComputer · Jun 10, 2026
- Langflow Vulnerability CVE-2026-5027 Exploited for Unauthenticated RCE | The Hacker News · Jun 10, 2026
- ThreatsDay Bulletin: PAN-OS RCE, Mythos cURL Bug, AI Tokenizer Attacks, and 10+ Stories | The Hacker News · May 14, 2026
- 23rd March – Threat Intelligence Report | Check Point Research · Mar 23, 2026
- Hackers Exploit Critical Langflow Bug in Just 20 Hours | Infosecurity Magazine · Mar 20, 2026