Critical Remote Code Execution Vulnerability in Langflow AI Platform

A critical unauthenticated remote code execution vulnerability, identified as CVE-2026-33017, has been discovered in Langflow, an open-source platform widely used to build AI-powered workflows and agentic pipelines. With a CVSS v3.1 score of 9.8, the vulnerability allows unauthenticated remote attackers to execute arbitrary code on vulnerable Langflow servers, requiring no credentials, user interaction, or special network positioning. The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-33017 to its Known Exploited Vulnerabilities (KEV) Catalog on March 25, 2026, with a federal remediation deadline of April 8, 2026.

The flaw resides in the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint, which was designed to allow unauthenticated access to publicly shared flows. When the optional data parameter is supplied, the endpoint incorrectly processes attacker-controlled flow definitions—containing arbitrary Python code embedded in node definitions—instead of retrieving the flow's stored configuration from the database. This attacker-supplied code is passed to Python's exec() function within validate.py without sandboxing, input validation, or authentication enforcement, resulting in full system-level code execution at the privilege level of the Langflow service. The root cause reflects a confluence of missing authentication for a critical function and unsafe dynamic code evaluation (CWE-306, CWE-94, CWE-95). Langflow version 1.9.0 resolves the vulnerability by removing the injectable data parameter from the endpoint entirely, ensuring public flows can only execute their stored database configuration.

CVE-2026-33017 represents the second critical exec()-based remote code execution vulnerability to affect Langflow within a year. Its predecessor, CVE-2025-3248 (CVSS v3.1 9.8), exploited a different endpoint—/api/v1/validate/code—through the same underlying unsafe Python evaluation pattern and was fixed in version 1.3.0. The recurrence of exploitable exec() pathways in separate endpoints within the same codebase indicates a systemic design pattern of unsafe code evaluation that extends beyond any single patch. Security researchers observed active exploitation attempts within 20 hours of the advisory's publication on March 17, 2026, with threat actors scanning for exposed Langflow instances and deploying custom exploit scripts to extract sensitive server data—without relying on any publicly released proof-of-concept code. Organizations deploying Langflow in development, MLOps, and AI agent orchestration environments face immediate and elevated risk.

Threats and Vulnerabilities

CVE-2026-33017, with a CVSS v3.1 score of 9.8 (Critical) and vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, affects all Langflow versions up to and including 1.8.2. The vulnerability exists in the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint, which was intended to facilitate unauthenticated access to publicly shared AI workflow definitions. When the optional data parameter is included in a request, the endpoint substitutes the caller's supplied flow data in place of the database-stored configuration and passes attacker-controlled Python code embedded in node definitions to Python's native exec() function via the prepare_global_scope() routine in validate.py, without any sandboxing or privilege boundary. Classified under CWE-306 (Missing Authentication for Critical Function), CWE-94 (Code Injection), and CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code), the flaw enables a remote, unauthenticated attacker to achieve full system compromise—reading sensitive configuration files and environment variables, exfiltrating secrets such as API keys and database credentials, establishing persistence, or pivoting to connected infrastructure. The GitHub Security Advisory GHSA-vwmf-pq79-vjvx, published March 16, 2026, documents the issue; the patch removes the data parameter entirely from the vulnerable endpoint. Security researcher Aviral Srivastava reported the vulnerability on February 26, 2026.

CVE-2025-3248, with a CVSS v3.1 score of 9.8 (Critical) and an identical network-accessible, zero-authentication attack vector, affected Langflow versions prior to 1.3.0. This earlier vulnerability exploited the /api/v1/validate/code endpoint to achieve unauthenticated remote code execution through the same underlying exec() call. CISA added CVE-2025-3248 to its KEV Catalog with a remediation deadline of May 26, 2025. The reappearance of an exploitable exec() pathway in a separate Langflow endpoint—despite a prior critical-severity patch—illustrates that the underlying architectural pattern of executing user-supplied code without adequate isolation persists across the codebase, and warrants architectural remediation beyond per-endpoint patching.

Client Impact

Organizations running Langflow in any capacity face direct and immediate risk of unauthenticated server compromise. Langflow instances are frequently deployed in development environments, internal AI tooling stacks, and MLOps pipelines—often with access to production databases, cloud provider credentials, API keys, and environment variables containing secrets. Successful exploitation of CVE-2026-33017 can result in full control of the hosting server, exfiltration of all accessible credentials and configuration data, and lateral movement to connected cloud or enterprise resources. Because the vulnerability requires no authentication and no user interaction, any internet-accessible Langflow instance that has not been upgraded to version 1.9.0 or placed behind authenticated access controls is trivially exploitable by any threat actor capable of issuing a crafted HTTP POST request. The active exploitation observed within 20 hours of disclosure—and confirmed by CISA's KEV designation—demonstrates that exploitation is not theoretical but ongoing.

From a regulatory and compliance standpoint, exploitation of CVE-2026-33017 on systems that process personal data, financial records, or government-regulated workloads could trigger mandatory breach notification obligations under GDPR, HIPAA, or applicable state privacy laws. For U.S. federal agencies, CISA's KEV designation establishes a mandatory remediation deadline of April 8, 2026, under Binding Operational Directive 22-01. Organizations subject to NERC CIP, NIST SP 800-53, or FedRAMP authorization requirements must treat this vulnerability as a high-priority remediation item and document their response, including whether any exploitation may have occurred prior to patching.

Mitigations

Organizations using Langflow should immediately take the following actions to address CVE-2026-33017.

1. Update all Langflow deployments to version 1.9.0 or later, which removes the injectable data parameter from the vulnerable /api/v1/build_public_tmp/{flow_id}/flow endpoint and closes the unauthenticated code execution pathway.

2. If immediate patching is not feasible, restrict access to all Langflow interfaces via firewall rules, VPN requirements, or authenticated reverse proxies to prevent unauthenticated network access to the API from untrusted sources.

3. Audit environment variables, API keys, database credentials, and cloud provider secrets accessible from systems running Langflow; rotate any credentials that may have been exposed on instances with prior internet-accessible deployments.

4. Review server and application logs for evidence of exploitation, focusing specifically on POST requests to /api/v1/build_public_tmp/ endpoints containing non-empty data parameters, and on anomalous outbound network connections or file access patterns originating from the Langflow process.

5. Inventory all Langflow deployments across development, staging, and production environments—including containerized and cloud-hosted instances—to ensure no vulnerable deployments are overlooked in the patching effort.

6. Verify that remediation for CVE-2025-3248 (Langflow >= 1.3.0) remains in place across the environment; organizations that deferred that earlier critical patch are doubly exposed and should prioritize a direct upgrade to version 1.9.0.

Prompt patching and strict network access controls remain the most effective defenses. Any internet-facing Langflow deployment should be treated as potentially compromised until fully patched and audited for signs of prior exploitation.
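The log review in step 4 can be started with a small triage script. The following is an added example, not code from Langflow or from this advisory. It assumes a reverse proxy in front of Langflow writes Combined Log Format access logs; the function names and sample lines are constructed for illustration. Access logs normally do not record request bodies, so the script cannot see the data parameter and treats every POST to the two endpoints named above as a lead to investigate.

```python
import re
from collections import defaultdict

# Endpoints named in the advisory: CVE-2026-33017 and the earlier CVE-2025-3248.
ENDPOINTS = {
    "CVE-2026-33017": re.compile(r"^/api/v1/build_public_tmp/([^/?]+)/flow/?(?:\?.*)?$"),
    "CVE-2025-3248": re.compile(r"^/api/v1/validate/code/?(?:\?.*)?$"),
}
# Assumed input: Combined Log Format, ip - user [time] "METHOD path proto" status bytes
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def find_hits(lines):
    """Return one record per POST to an advisory endpoint (hypothetical helper)."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST":
            continue  # malformed line, or a method the advisory does not concern
        for cve, pattern in ENDPOINTS.items():
            ep = pattern.match(m["path"])
            if ep:
                hits.append({
                    "cve": cve, "ip": m["ip"], "time": m["ts"],
                    "status": int(m["status"]),
                    "flow_id": ep.group(1) if ep.groups() else None,
                })
    return hits

def summarize(hits):
    """Group hits by client IP so repeated probing stands out."""
    by_ip = defaultdict(lambda: {"count": 0, "cves": set(), "succeeded": 0})
    for h in hits:
        entry = by_ip[h["ip"]]
        entry["count"] += 1
        entry["cves"].add(h["cve"])
        entry["succeeded"] += int(200 <= h["status"] < 300)  # 2xx: request was served
    return dict(by_ip)

# Constructed sample lines (documentation IP ranges, placeholder flow id).
SAMPLE = [
    '203.0.113.7 - - [18/Mar/2026:02:14:05 +0000] "POST /api/v1/build_public_tmp/00000000-0000-0000-0000-000000000000/flow HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [18/Mar/2026:02:14:09 +0000] "POST /api/v1/validate/code HTTP/1.1" 403 0 "-" "-"',
    '198.51.100.20 - - [18/Mar/2026:03:00:00 +0000] "GET /api/v1/build_public_tmp/00000000-0000-0000-0000-000000000000/flow HTTP/1.1" 405 0 "-" "-"',
    '192.0.2.15 - - [18/Mar/2026:03:05:00 +0000] "POST /api/v1/flows/ HTTP/1.1" 201 1024 "-" "-"',
]
if __name__ == "__main__":
    print(summarize(find_hits(SAMPLE)))
```

A 2xx response to the build_public_tmp endpoint on a version up to and including 1.8.2 should be correlated with outbound connections and file access from the Langflow process around the same timestamp.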

1898 & Co. Response

1898 & Co. continuously monitors threat intelligence sources and vulnerability disclosures to provide timely guidance on critical security events affecting our clients' technology environments. Our cybersecurity professionals maintain awareness of vulnerabilities affecting AI and machine learning platforms, including infrastructure used to build and orchestrate AI-powered workflows such as Langflow, recognizing that AI tooling increasingly sits at the intersection of development pipelines and sensitive enterprise data.

Our team provides vulnerability management and advisory services to help clients assess their exposure to issues such as CVE-2026-33017 and prioritize remediation based on their specific deployment configurations, network posture, and risk tolerance. When active exploitation is confirmed and regulatory deadlines apply—as is the case here with CISA's KEV designation—1898 & Co. assists clients in accelerating patch deployment, implementing interim access controls, and conducting forensic reviews to determine whether exploitation may have already occurred on affected systems.

1898 & Co. has a demonstrated track record of supporting clients through high-urgency vulnerability disclosures across operational technology, enterprise IT, and emerging AI infrastructure. Our advisory services draw on deep expertise in both traditional industrial environments and the rapidly evolving AI tool landscape, ensuring that clients operating at the intersection of these domains receive relevant, actionable, and operationally grounded guidance.

Sources

1. National Vulnerability Database — CVE-2026-33017

2. National Vulnerability Database — CVE-2025-3248

3. GitHub Security Advisory — GHSA-vwmf-pq79-vjvx (CVE-2026-33017)

4. CISA Known Exploited Vulnerabilities Catalog