Critical unauthenticated remote code execution vulnerability in Langflow AI platform via public flow build endpoint. Attackers can execute arbitrary Python code without authentication, leading to complete system compromise.
Data Source: CIRCL
Confidence: HIGH
Exploitation Method: DIRECT_NETWORK
CVE Published: 2026-03-20
Added to CISA KEV: 2026-03-25 (5 days between CVE publication and KEV addition)
CVE-2026-33017: LangFlow vulnerability analysis and mitigation. Summary. An attacker's code such as _x = os.system("id") is an assignment statement and is therefore executed during graph building, before the flow even "runs." Prerequisites: the target Langflow instance has at least one public flow (common for demos, chatbots, and shared workflows), and the attacker knows the public flow's UUID (discoverable via shared links/URLs).
CVE-2026-33017 is a critical unauthenticated remote code execution (RCE) vulnerability affecting Langflow, the popular open-source visual framework for building AI agents and Retrieval-Augmented Generation (RAG) pipelines. The impact of CVE-2026-33017 is severe and far-reaching. Successful exploitation grants an attacker full server process privileges, enabling arbitrary command execution and ...
Langflow CVE-2026-33017 was exploited within 20 hours of disclosure, enabling RCE via exec() and exposing systems before patching cycles could complete. "Attackers built working exploits directly from the advisory description and began scanning the internet for vulnerable instances. Exfiltrated information included keys and credentials, which provided access to connected databases and potential software supply chain compromise."
CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, ...