{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33017", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T17:22:14.666Z", "datePublished": "2026-03-20T04:52:52.885Z", "dateUpdated": "2026-03-25T22:20:23.807Z"}, "containers": {"cna": {"title": "Langflow has Unauthenticated Remote Code Execution via Public Flow Build Endpoint", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "lang": "en", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-95", "lang": "en", "description": "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-306", "lang": "en", "description": "CWE-306: Missing Authentication for Critical Function", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "LOW", "baseScore": 9.3, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L", "version": "4.0"}}], "references": [{"name": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx"}, {"name": "https://github.com/langflow-ai/langflow/commit/73b6612e3ef25fdae0a752d75b0fabd47328d4f0", "tags": ["x_refsource_MISC"], "url": "https://github.com/langflow-ai/langflow/commit/73b6612e3ef25fdae0a752d75b0fabd47328d4f0"}, {"name": "https://github.com/advisories/GHSA-rvqx-wpfh-mfx7", "tags": ["x_refsource_MISC"], "url": "https://github.com/advisories/GHSA-rvqx-wpfh-mfx7"}], "affected": [{"vendor": "langflow-ai", "product": "langflow", "versions": [{"version": "< 1.9.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T04:52:52.885Z"}, "descriptions": [{"lang": "en", "value": "Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0."}], "source": {"advisory": "GHSA-vwmf-pq79-vjvx", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://www.sysdig.com/blog/cve-2026-33017-how-attackers-compromised-langflow-ai-pipelines-in-20-hours", "tags": ["third-party-advisory"]}, {"url": "https://medium.com/@aviral23/cve-2026-33017-how-i-found-an-unauthenticated-rce-in-langflow-by-reading-the-code-they-already-dc96cdce5896", "tags": ["exploit"]}, {"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-33017", "tags": ["government-resource"]}, {"url": "https://github.com/langflow-ai/langflow/releases/tag/1.8.2", "tags": ["patch"]}, {"name": "CISA KEV", "tags": ["government-resource"], "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-33017"}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T16:45:41.195522Z", "id": "CVE-2026-33017", "options": [{"Exploitation": "active"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2026-03-25", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-33017"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T22:20:23.807Z"}, "timeline": [{"time": "2026-03-25T00:00:00.000Z", "lang": "en", "value": "CVE-2026-33017 added to CISA KEV"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33017", "role": "CISA Coordinator", "options": [{"Exploitation": "active"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-25T16:45:41.195522Z"}}}], "references": [{"url": "https://www.sysdig.com/blog/cve-2026-33017-how-attackers-compromised-langflow-ai-pipelines-in-20-hours", "tags": ["third-party-advisory"]}, {"url": "https://medium.com/@aviral23/cve-2026-33017-how-i-found-an-unauthenticated-rce-in-langflow-by-reading-the-code-they-already-dc96cdce5896", "tags": ["exploit"]}, {"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-33017", "tags": ["government-resource"]}, {"url": "https://github.com/langflow-ai/langflow/releases/tag/1.8.2", "tags": ["patch"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T17:10:40.185Z"}}], "cna": {"title": "Langflow has Unauthenticated Remote Code Execution via Public Flow Build Endpoint", "source": {"advisory": "GHSA-vwmf-pq79-vjvx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "langflow-ai", "product": "langflow", "versions": [{"status": "affected", "version": "< 1.9.0"}]}], "references": [{"url": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx", "name": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/langflow-ai/langflow/commit/73b6612e3ef25fdae0a752d75b0fabd47328d4f0", "name": "https://github.com/langflow-ai/langflow/commit/73b6612e3ef25fdae0a752d75b0fabd47328d4f0", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/advisories/GHSA-rvqx-wpfh-mfx7", "name": "https://github.com/advisories/GHSA-rvqx-wpfh-mfx7", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-95", "description": "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306: Missing Authentication for Critical Function"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T04:52:52.885Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33017", "state": "PUBLISHED", "dateUpdated": "2026-03-25T17:55:21.765Z", "dateReserved": "2026-03-17T17:22:14.666Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T04:52:52.885Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cisaActionDue": "2026-04-08", "cisaExploitAdd": "2026-03-25", "cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.", "cisaVulnerabilityName": "Langflow Code Injection Vulnerability", "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*", "matchCriteriaId": "B38E7511-B77D-4E5F-B33A-458EE5770358", "versionEndExcluding": "1.8.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0."}, {"lang": "es", "value": "Langflow es una herramienta para construir y desplegar agentes y flujos de trabajo impulsados por IA. En versiones anteriores a la 1.9.0, el endpoint POST /api/v1/build_public_tmp/{flow_id}/flow permite construir flujos p\u00fablicos sin requerir autenticaci\u00f3n. Cuando se suministra el par\u00e1metro opcional data, el endpoint utiliza datos de flujo controlados por el atacante (que contienen c\u00f3digo Python arbitrario en las definiciones de nodos) en lugar de los datos de flujo almacenados en la base de datos. Este c\u00f3digo se pasa a exec() sin ning\u00fan sandboxing, lo que resulta en una ejecuci\u00f3n remota de c\u00f3digo no autenticada. Esto es distinto de CVE-2025-3248, que corrigi\u00f3 /api/v1/validate/code a\u00f1adiendo autenticaci\u00f3n. El endpoint build_public_tmp est\u00e1 dise\u00f1ado para no requerir autenticaci\u00f3n (para flujos p\u00fablicos) pero acepta incorrectamente datos de flujo suministrados por el atacante que contienen c\u00f3digo ejecutable arbitrario. Este problema ha sido solucionado en la versi\u00f3n 1.9.0."}], "id": "CVE-2026-33017", "lastModified": "2026-03-25T23:17:09.670", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T05:16:15.550", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/advisories/GHSA-rvqx-wpfh-mfx7"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/langflow-ai/langflow/commit/73b6612e3ef25fdae0a752d75b0fabd47328d4f0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Release Notes"], "url": "https://github.com/langflow-ai/langflow/releases/tag/1.8.2"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"], "url": "https://medium.com/@aviral23/cve-2026-33017-how-i-found-an-unauthenticated-rce-in-langflow-by-reading-the-code-they-already-dc96cdce5896"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["US Government Resource"], "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-33017"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-33017"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Press/Media Coverage"], "url": "https://www.sysdig.com/blog/cve-2026-33017-how-attackers-compromised-langflow-ai-pipelines-in-20-hours"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}, {"lang": "en", "value": "CWE-95"}, {"lang": "en", "value": "CWE-306"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.9.0)"}}], "enrichment": {"confidence": 92.0, "confidence_source": "matching", "scores": [{"score": 92.0, "source": "matching"}]}, "original": {"product": "langflow", "source": "cna", "vendor": "langflow-ai"}, "product": "langflow", "vendor": "langflow"}], "analysis": {"en": {"generated_at": "2026-03-25T20:33:50.922048+00:00", "value": {"mitigation_remediation": ["Upgrade Langflow to version 1.9.0 or later.", "If an upgrade is not immediately possible, restrict access to the /api/v1/build_public_tmp/{flow_id}/flow endpoint or enforce authentication for this route.", "Implement input validation on the data payload to reject untrusted Python code before execution as a temporary mitigator."], "summary": {"action": "Immediate Patch", "impact": "Unauthenticated Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Langflow application from langflow\u2011ai, specifically any deployment of versions earlier than 1.9.0. Clients that rely on the public flow build feature without enforcing authentication are at risk. Full vendor and product details locate the issue in the open source Langflow repository.", "description_and_impact": "A flaw in the public flow build endpoint of Langflow allows an attacker to supply arbitrary Python code that is executed without any sandboxing. By posting malicious flow data to the endpoint, an unauthenticated actor can run code on the server with the privileges of the Langflow process, leading to full compromise of the host. The weakness involves unprotected execution of user-supplied code, a classic remote code execution scenario.", "risk_and_exploitability": "The CVSS score of 9.3 places the flaw in the high\u2011to\u2011critical band, and although the EPSS score is under 1%, the vulnerability is listed in the CISA KEV catalog, indicating known exploitation activity. Attackers can trigger the flaw by sending a crafted HTTP POST request to /api/v1/build_public_tmp/{flow_id}/flow, supplying flow data containing executable code. No authentication or additional conditions are required, making the exploit straightforward for an attacker with network access to the service."}}}}, "created": "2026-03-20T08:52:34.755517+00:00", "updated": "2026-03-25T21:28:17.032790+00:00", "vendors": ["langflow", "langflow$PRODUCT$langflow"]}