CVE-2026-33017 - PatchNow

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2026-03-20

Added to CISA KEV: 2026-03-25 5 DAYS BETWEEN CVE AND KEV

🎯 Recommendations:

CRITICAL: Check for indicators of compromise - this vulnerability is in CISA KEV indicating active exploitation in the wild. Review logs, check for unauthorized access, verify system integrity
IMMEDIATE: Upgrade to Langflow version 1.9.0 or later
URGENT: If immediate patching is not possible, temporarily disable or restrict access to public flow endpoints
Review all public flows and their UUIDs for potential compromise
Monitor network traffic for suspicious POST requests to /api/v1/build_public_tmp/ endpoints
Rotate all credentials and API keys that may have been exposed
Implement network-level access controls to restrict exposure if public access is not required
Priority: CRITICAL - Patch within 24-48 hours due to active exploitation

🔍 Web Intelligence (Kagi · 2026-03-25)

CVE-2026-33017 is a critical vulnerability affecting Langflow, an open-source visual framework used for building AI agents and Retrieval-Augmented Generation (RAG) pipelines ^[2].

Here's what is known about its exploitation:

Internet-facing applications or services: The vulnerability affects internet-facing applications that have at least one public Langflow flow ^[1]. This is common for demonstrations, chatbots, or shared workflows ^[1].
Evidence of active exploitation: Active exploitation has been observed in the wild. Attackers were able to develop working exploits within 20 hours of the vulnerability's disclosure and began scanning the internet for vulnerable instances ^[3].
Attack vectors and exploitation methods: The vulnerability allows for unauthenticated remote code execution (RCE) ^[2]. Attackers can exploit this by leveraging a public flow's UUID, which can be discovered via shared links or URLs ^[1]. The exploit involves executing code like `_x = os.system("id")` during the graph building phase, before the flow even "runs" ^[1]. This is possible because the code is passed to `exec()` with zero sandboxing ^[5]. Successful exploitation grants attackers full server process privileges, enabling arbitrary command execution ^[2]. Information exfiltrated includes keys and credentials, potentially leading to access to connected databases and software supply chain compromise ^[3].
Targeted attacks: While active exploitation is confirmed, the provided information does not specify if it has been used in targeted attacks.
CISA Known Exploited Vulnerabilities (KEV) status: CVE-2026-33017 has been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog ^[4]. This addition is based on evidence of active exploitation ^[4].
Technical details about internet exploitability: The vulnerability is exploitable remotely and unauthenticated ^[2]. An attacker needs to know the public flow's UUID to initiate an attack ^[1]. The core issue lies in the un-sandboxed execution of code passed to `exec()` during graph building ^[1]^[5].

Sources

CVE-2026-33017 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-33017: LangFlow vulnerability analysis and mitigation. Summary.An attacker's code like _x = os.system("id") is an assignment and will be executed during graph building -- before the flow even "runs." Prerequisites. Target Langflow instance has at least one public flow (common for demos, cha…
From Disclosure to Exploitation Overnight of a CVE-2026-33017 Langflow ...
CVE-2026-33017 is a critical unauthenticated remote code execution (RCE) vulnerability affecting Langflow, the popular open-source visual framework for building AI agents and Retrieval-Augmented Generation (RAG) pipelines. The impact of CVE-2026-33017 is severe and far-reaching. Successful exploitat…
Critical Langflow Flaw CVE-2026-33017 Triggers Attacks ...
Langflow CVE-2026-33017 exploited in 20 hours after disclosure, enabling RCE via exec(), exposing systems before patching cycles."Attackers built working exploits directly from the advisory description and began scanning the internet for vulnerable instances. Exfiltrated information included keys an…
CISA Adds One Known Exploited Vulnerability to Catalog
CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2026-33017 Detail - NVD
This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, ...

🔴 CVE-2026-33017

📋 Vulnerability Details

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-03-25)

Sources