Langflow CVE-2026-33017: Unauthenticated RCE Exploited Within 20 Hours, Now on CISA KEV
Commissioned, Curated and Published by Russ. Researched and written with AI.
On March 17, 2026 at 20:05 UTC, Langflow published a security advisory for CVE-2026-33017. By 16:04 UTC the following day – roughly 20 hours later – attackers were already hitting honeypot instances across multiple cloud providers and regions. No public proof-of-concept existed. The advisory description alone was enough.
CISA added CVE-2026-33017 to its Known Exploited Vulnerabilities catalog on March 25.
What Langflow Is
Langflow is an open-source visual framework for building AI agents and RAG pipelines. It has 145,000+ GitHub stars and is widely used by teams prototyping and running production AI workflows. It exposes a REST API for building and executing flows programmatically – which is exactly where the vulnerability lives.
The Vulnerability
CVE-2026-33017 (CVSS 9.3) sits in the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint. This endpoint is designed to let unauthenticated users build public flows – a feature, not a bug. The problem is that the endpoint accepts attacker-supplied flow data containing arbitrary Python code in node definitions. The server then executes that code, without any sandboxing, through the same exec() call that underpinned the previous Langflow RCE.
That previous vulnerability – CVE-2025-3248, CVSS 9.8 – used the /api/v1/validate/code endpoint and was actively exploited by the Flodrix botnet before landing on the KEV catalog in May 2025. CVE-2026-33017 is a different endpoint, same architectural mistake.
The researcher who found it, Aviral Srivastava, reported the flaw on February 26, 2026. His path to discovery was direct: he read the patch for the previous CVE, noticed the exec() call was still present elsewhere in the codebase, and traced it to the public build endpoint. One unauthenticated HTTP request, arbitrary code execution with the privileges of the Langflow process.
There is an additional wrinkle. When Langflow runs with AUTO_LOGIN=true – the default configuration – an attacker doesn’t even need to know a public flow UUID. They can call /api/v1/auto_login to obtain a superuser token, create a public flow themselves, then exploit it. The barrier drops to zero.
What Attackers Did With It
Sysdig’s threat research team deployed honeypots within hours of the advisory and observed 6 unique source IPs across 48 hours. The first exploitation came from automated scanning infrastructure – four source IPs arriving within minutes of each other, all sending an identical payload that ran id, base64-encoded the output, and exfiltrated it to a callback server. No PoC required; the attackers built working exploits directly from the advisory text.
More advanced attackers followed. Within hours, Sysdig observed progression to environment variable exfiltration – the kind of access that surfaces database credentials, API keys, and anything else Langflow’s server process can reach. For teams using Langflow to orchestrate AI workflows, that environment typically includes credentials to connected data stores, LLM provider keys, and potentially cloud provider IAM tokens.
Why the Timeline Matters
Twenty hours is not unusual for high-CVSS vulnerabilities. What’s notable here is the absence of a PoC. The assumption that attackers need a ready-made exploit repository before they can operationalize a disclosure is outdated. If the advisory contains the endpoint path and the mechanism, that’s sufficient. Patch cycles that assume a grace period between disclosure and exploitation are calibrated to a threat model that no longer exists.
This is also the second exploited critical RCE in Langflow in under two years. The same exec() call, the same unauthenticated access pattern, a different endpoint. If you are running Langflow, the question worth asking is not just whether you have patched this specific CVE – it is whether your deployment is network-accessible in the first place.
What To Do
Upgrade to Langflow v1.9.0. The fix removes the data parameter from the build_public_tmp function in chat.py, which closes the injection path.
If you cannot upgrade immediately: restrict network access to the Langflow API. If it does not need to be internet-accessible, it should not be. Review environment variables available to the Langflow process and rotate any credentials that were exposed on accessible instances.
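To decide which accessible instances need credential rotation, the following added example (not Langflow's or Sysdig's code) triages access logs for the endpoints named above. It assumes a combined-format access log from a reverse proxy in front of Langflow; the trusted ranges and the verdict names probe, build and chain are hypothetical.

```python
import ipaddress
import re

# Assumption: combined-format access log from a reverse proxy in front of Langflow.
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" \d{3}')
# Endpoint paths as named in the article.
BUILD_PUBLIC = re.compile(r"^/api/v1/build_public_tmp/[^/]+/flow/?$")
PROBES = {"/api/v1/auto_login": "auto_login", "/api/v1/validate/code": "validate_code"}
RANK = {"probe": 0, "build": 1, "chain": 2}

def classify(method, path):
    path = path.split("?", 1)[0]  # ignore any query string
    if method == "POST" and BUILD_PUBLIC.match(path):
        return "build_public_tmp"
    return PROBES.get(path.rstrip("/"))

def triage(lines, trusted=("10.0.0.0/8", "127.0.0.0/8")):
    """Map each untrusted source IP to its most serious verdict.
    probe < build < chain, where chain = auto_login then a public build."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    logged_in, verdicts = set(), {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a log line in the assumed format
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # client field is not an IP address
        kind = classify(m["method"], m["path"])
        if kind is None or any(ip in n for n in nets):
            continue
        src = str(ip)
        if kind == "auto_login":
            logged_in.add(src)
        v = "probe" if kind != "build_public_tmp" else ("chain" if src in logged_in else "build")
        verdicts[src] = max(verdicts.get(src, "probe"), v, key=RANK.get)
    return verdicts

# Constructed sample: documentation IP ranges and a placeholder flow id.
FLOW = "00000000-0000-0000-0000-000000000000"
FMT = '{} - - [01/Jan/2026:00:00:00 +0000] "{} HTTP/1.1" {} 0'
SAMPLE = [FMT.format(*f) for f in [
    ("203.0.113.7", "GET /api/v1/auto_login", 200),
    ("203.0.113.7", f"POST /api/v1/build_public_tmp/{FLOW}/flow", 200),
    ("198.51.100.23", f"POST /api/v1/build_public_tmp/{FLOW}/flow?x=1", 403),
    ("198.51.100.40", "POST /api/v1/validate/code", 401),
    ("10.1.2.3", f"POST /api/v1/build_public_tmp/{FLOW}/flow", 200),
]]
if __name__ == "__main__":
    print(triage(SAMPLE))
```

A verdict marks a source worth investigating, not proof of code execution; the access log alone does not show what the request body contained.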
CISA’s binding operational directive applies to federal agencies with a due date of April 15, 2026. If you are not a federal agency, that deadline is still a reasonable benchmark for a CVSS 9.3 actively exploited vulnerability.
The architectural problem – unauthenticated endpoints that execute user-supplied code – is not fixed by patching one endpoint. Teams evaluating Langflow for production use should factor this pattern into their threat model.