CVE-2026-33017: langflow: Code Injection enables RCE
GHSA-vwmf-pq79-vjvx | CRITICAL | ACTIVELY EXPLOITED | PoC AVAILABLE | NUCLEI TEMPLATE | CISA: ACT
CVE-2026-33017 is an unauthenticated RCE in Langflow affecting all versions prior to 1.9.0 — patch immediately or take the instance offline. Any internet-facing Langflow deployment running < 1.9.0 should be treated as compromised: initiate IR and audit logs for exploitation attempts. The Sysdig report confirms active exploitation within 20 hours of disclosure, making this a zero-dwell incident.
What is the risk?
CRITICAL. The vulnerability requires no authentication, no user interaction, and trivially achieves remote code execution via Python exec() with zero sandboxing. Langflow is widely deployed for AI agent workflow building, meaning successful exploitation compromises not only the server but all AI pipelines, credentials, and data accessible to the process. The 'public flow' design intent of the vulnerable endpoint makes WAF-level blocking non-trivial without disrupting legitimate functionality, and the 20-hour exploitation window post-disclosure confirms threat actors are actively scanning.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Langflow | pip | <= 1.8.2 | 1.9.0 |
Do you use Langflow? You're affected.
What should I do?
1. IMMEDIATE: Upgrade to Langflow 1.9.0 or later — this is the only complete fix.
2. If patching is not immediately possible, block HTTP POST requests to /api/v1/build_public_tmp/ at the WAF or network perimeter.
3. Rotate all credentials accessible by the Langflow process: LLM API keys, database credentials, cloud IAM tokens, and any secrets in environment variables.
4. Hunt for exploitation: search access logs for POST requests to /api/v1/build_public_tmp/ with a non-empty request body — any hit on an unpatched instance should trigger a full IR process.
5. Review Sysdig's published IOC report for known attacker infrastructure and C2 indicators.
6. Disable public flow features entirely if not required by business operations.
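One way to run the log hunt described in the steps above, as an added example (not code from Langflow, Sysdig or this advisory). It assumes an nginx reverse proxy whose access log uses the combined format with ` cl=$content_length` appended; the `triage` and `hunt` names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: nginx "combined" log format with ' cl=$content_length' appended,
# so the request's Content-Length header is recorded on every line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" cl=(?P<cl>\S+)$'
)
ENDPOINT_PREFIX = "/api/v1/build_public_tmp/"

def triage(line):
    """Return a finding dict if the line is a POST to the endpoint that may
    have carried a request body, otherwise None."""
    m = LINE_RE.match(line.strip())
    if not m or m["method"] != "POST":
        return None
    # Normalise before matching: drop the query string, decode percent-escapes
    # and collapse repeated slashes (deliberately over-inclusive for hunting).
    path = re.sub(r"/{2,}", "/", unquote(m["target"].split("?", 1)[0]))
    if not path.startswith(ENDPOINT_PREFIX):
        return None
    cl = m["cl"]
    if cl.isdigit() and int(cl) == 0:
        return None  # empty body: no flow data was supplied with the request
    # '-' means no Content-Length was logged (for example a chunked request),
    # so a body cannot be ruled out and the line is still reported.
    reason = "non_empty_body" if cl.isdigit() else "body_size_unknown"
    return {"ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
            "user_agent": m["ua"], "path": path, "reason": reason}

def hunt(lines):
    """Triage every line and return the findings in log order."""
    return [f for f in map(triage, lines) if f is not None]

# Constructed sample lines (documentation IP ranges, placeholder flow id).
FLOW = "/api/v1/build_public_tmp/00000000-0000-0000-0000-000000000000/flow"
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2026:10:02:11 +0000] "GET /health HTTP/1.1" 200 15 "-" "probe" cl=-',
    f'203.0.113.50 - - [01/Jan/2026:10:04:37 +0000] "POST {FLOW} HTTP/1.1" 200 512 "-" "client-a" cl=1843',
    f'198.51.100.23 - - [01/Jan/2026:10:05:02 +0000] "POST {FLOW} HTTP/1.1" 200 498 "-" "client-b" cl=0',
    f'203.0.113.51 - - [01/Jan/2026:10:06:19 +0000] "POST {FLOW}?x=1 HTTP/1.1" 200 512 "-" "client-c" cl=-',
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

Access logs without a request-size field cannot separate empty from non-empty bodies, so on such logs every POST to the endpoint should be treated as a hit.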
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How many AI incidents are linked? (2)
CISA confirmed that threat actors are actively exploiting a critical remote code execution vulnerability in the Langflow AI agent framework to compromise and hijack AI workflows.
Threat actors began actively exploiting a critical unauthenticated remote code execution vulnerability in Langflow (CVE-2026-33017, CVSS 9.3) less than 20 hours after it was publicly disclosed.
AI Threat Alert incident classification, derived from public security reporting. Each item links to its original source.
Frequently Asked Questions
Is CVE-2026-33017 actively exploited?
Yes, CVE-2026-33017 is confirmed actively exploited and has been listed in the CISA Known Exploited Vulnerabilities catalog since March 25, 2026.
What systems are affected by CVE-2026-33017?
This vulnerability affects the following AI/ML architecture patterns: Agent frameworks, AI workflow builders, LLM orchestration platforms, Model serving infrastructure, RAG pipelines.
What is the CVSS score for CVE-2026-33017?
CVE-2026-33017 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 98.41%.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0025 Exfiltration via Cyber Means
- AML.T0037 Data from Local System
- AML.T0049 Exploit Public-Facing Application
- AML.T0050 Command and Scripting Interpreter
- AML.T0055 Unsecured Credentials
- AML.T0072 Reverse Shell
What are the technical details?
Original Advisory
Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.
Exploitation Scenario
An attacker identifies a public-facing Langflow instance via Shodan or Censys (Langflow exposes recognizable UI fingerprints). They craft a POST request to /api/v1/build_public_tmp/{any_valid_flow_id}/flow with a data payload containing a custom Python node whose code executes a reverse shell via subprocess.Popen — no credentials required. Within seconds they receive a shell on the Langflow server, extract all LLM API keys from environment variables, enumerate connected databases and cloud service configurations, pivot to internal AI infrastructure, and deploy a persistent backdoor. The Sysdig report documents this exact chain occurring in under 20 hours post-CVE disclosure, confirming weaponized exploit availability.
Weaknesses (CWE)
- CWE-306 Missing Authentication for Critical Function (Primary)
- CWE-94 Improper Control of Generation of Code ('Code Injection') (Primary)
- CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') (Primary)

CWE-306 (Missing Authentication for Critical Function): The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
- [Architecture and Design] Divide the software into anonymous, normal, privileged, and administrative areas. Identify which of these areas require a proven user identity, and use a centralized authentication capability. Identify all potential communication channels, or other means of interaction with the software, to ensure that all channels are appropriately protected, including those channels that are assumed to be accessible only by authorized parties. Developers sometimes perform authentication at the primary channel, but open up a secondary channel that is assumed to be private. For example, a login mechanism may be listening on one network port, but after successful authentication, it may open up a second port where it waits for the connection, but avoids authentication because it assumes that only the authenticated party will connect to the port. In general, if the software or protocol allows a single session or user state to persist across multiple connections or channels, authentication and appropriate
- [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References
- medium.com/@aviral23/cve-2026-33017-how-i-found-an-unauthenticated-rce-in-langflow-by-reading-the-code-they-already-dc96cdce5896 Exploit 3rd Party
- sysdig.com/blog/cve-2026-33017-how-attackers-compromised-langflow-ai-pipelines-in-20-hours
- github.com/advisories/GHSA-vwmf-pq79-vjvx
- github.com/langflow-ai/langflow/issues/12345
- github.com/langflow-ai/langflow/pull/12160
- github.com/langflow-ai/langflow/releases/tag/1.8.2
- nvd.nist.gov/vuln/detail/CVE-2026-33017
- cisa.gov/known-exploited-vulnerabilities-catalog
- github.com/advisories/GHSA-rvqx-wpfh-mfx7
- github.com/langflow-ai/langflow/commit/73b6612e3ef25fdae0a752d75b0fabd47328d4f0
- github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx
Scanner Template Available
A Nuclei vulnerability scanner template exists for this CVE. You can scan your infrastructure for this vulnerability immediately.
    nuclei -t http/cves/2026/CVE-2026-33017.yaml -u https://target.example.com

Related Vulnerabilities
- CVE-2026-10561 (10.0) Langflow: auth bypass + unauthenticated RCE (CVSS 10). Same package: langflow
- CVE-2026-55255 (9.9) Langflow: IDOR allows cross-user flow execution. Same package: langflow
- CVE-2026-33309 (9.9) langflow: Path Traversal enables file access. Same package: langflow
- CVE-2024-37014 (9.8) Langflow: unauthenticated RCE via custom component API. Same package: langflow
- CVE-2024-42835 (9.8) Langflow: Unauthenticated RCE via PythonCodeTool. Same package: langflow