Critical Langflow Vulnerability CVE-2026-33017 Exploited Within 20 Hours of Disclosure
A critical security vulnerability in Langflow, identified as CVE-2026-33017 with a CVSS score of 9.3, has been actively exploited within 20 hours of its public disclosure. This rapid exploitation underscores the urgency for organizations to promptly address newly disclosed vulnerabilities.
Vulnerability Details
CVE-2026-33017 is a missing authentication flaw combined with code injection, leading to potential remote code execution. The issue resides in the `/api/v1/build_public_tmp/{flow_id}/flow` endpoint, which allows the creation of public flows without authentication. When an attacker supplies the optional `data` parameter, the endpoint processes attacker-controlled flow data containing arbitrary Python code. This code is executed via Python’s `exec()` function without sandboxing, resulting in unauthenticated remote code execution.
The vulnerability affects all versions of Langflow up to and including 1.8.1. A fix has been implemented in the development version 1.9.0.dev8.
Discovery and Reporting
Security researcher Aviral Srivastava discovered and reported the flaw on February 26, 2026. He noted that this vulnerability is distinct from CVE-2025-3248, another critical bug in Langflow that exploited the `/api/v1/validate/code` endpoint to execute arbitrary Python code without authentication. CVE-2025-3248 has also been actively exploited, as reported by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
Srivastava explained that the root cause of CVE-2026-33017 is the use of the same `exec()` call as in CVE-2025-3248. The `/api/v1/build_public_tmp/{flow_id}/flow` endpoint is designed to be unauthenticated to serve public flows. Adding authentication would disrupt the public flows feature. The recommended fix is to remove the `data` parameter from the public endpoint entirely, ensuring that public flows can only execute their stored server-side flow data and never accept attacker-supplied definitions.
Exploitation and Impact
Successful exploitation allows an attacker to send a single HTTP request and achieve arbitrary code execution with the full privileges of the server process. This access enables the attacker to read environment variables, access or modify files to inject backdoors or erase sensitive data, and even obtain a reverse shell.
Srivastava emphasized that exploiting CVE-2026-33017 is extremely easy and can be triggered using a weaponized `curl` command. A single HTTP POST request with malicious Python code in the JSON payload is sufficient to achieve immediate remote code execution.
Observed Attacks
Cloud security firm Sysdig observed the first exploitation attempts targeting CVE-2026-33017 in the wild within 20 hours of the advisory’s publication on March 17, 2026. Notably, no public proof-of-concept (PoC) code existed at the time. Attackers developed working exploits directly from the advisory description and began scanning the internet for vulnerable instances. Exfiltrated information included keys and credentials, providing access to connected databases and potential software supply chain compromise.
Threat actors have also been observed moving from automated scanning to leveraging custom Python scripts to extract data from `/etc/passwd` and deliver an unspecified next-stage payload hosted on `173.212.205[.]251:8443`. Subsequent activity from the same IP address indicates a thorough credential harvesting operation involving the collection of environment variables and other sensitive information.
Recommendations
Organizations using Langflow should take immediate action to mitigate the risk associated with CVE-2026-33017:
1. Update Langflow: Upgrade to the latest development version 1.9.0.dev8, which addresses the vulnerability.
2. Restrict Access: Implement network controls to limit access to Langflow instances, reducing exposure to potential attackers.
3. Monitor Systems: Continuously monitor systems for signs of exploitation, such as unexpected processes or unauthorized access attempts.
4. Review Logs: Examine server logs for any unusual activity, particularly around the `/api/v1/build_public_tmp/{flow_id}/flow` endpoint.
5. Implement Web Application Firewalls (WAFs): Deploy WAFs to detect and block malicious requests targeting known vulnerabilities.
Conclusion
The rapid exploitation of CVE-2026-33017 highlights the critical importance of promptly addressing security vulnerabilities upon disclosure. Organizations must remain vigilant, apply patches swiftly, and implement robust security measures to protect against emerging threats.
