CVE-2026-33017: langflow: Code Injection enables RCE

GHSA-vwmf-pq79-vjvx | CRITICAL | ACTIVELY EXPLOITED | PoC AVAILABLE | CISA: ACT
Published: March 20, 2026

CISO Take

CVE-2026-33017 is an unauthenticated RCE in Langflow affecting all versions prior to 1.9.0 — patch immediately or take the instance offline. Any internet-facing Langflow deployment running < 1.9.0 should be treated as compromised: initiate IR and audit logs for exploitation attempts. The Sysdig report confirms active exploitation within 20 hours of disclosure, making this a zero-dwell incident.

Risk Assessment

CRITICAL. The vulnerability requires no authentication, no user interaction, and trivially achieves remote code execution via Python exec() with zero sandboxing. Langflow is widely deployed for AI agent workflow building, meaning successful exploitation compromises not only the server but all AI pipelines, credentials, and data accessible to the process. The 'public flow' design intent of the vulnerable endpoint makes WAF-level blocking non-trivial without disrupting legitimate functionality, and the 20-hour exploitation window post-disclosure confirms threat actors are actively scanning.

Affected Systems

Package   Ecosystem  Vulnerable Range  Patched
langflow  pip        <= 1.8.2          No patch

Severity & Risk

CVSS 3.1: 9.8 / 10
EPSS: 41.2% chance of exploitation in 30 days (higher than 97% of all CVEs)
Exploitation Status: Actively Exploited
Sophistication: Advanced
Exploitation Confidence: high

CISA KEV (active exploitation confirmed)
CISA SSVC: Active exploitation
Public PoC indexed (trickest/cve)
EPSS exploit prediction: 41%

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

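AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High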

Recommended Action

  1. IMMEDIATE: Upgrade to Langflow 1.9.0 or later — this is the only complete fix.

  2. If patching is not immediately possible, block HTTP POST requests to /api/v1/build_public_tmp/ at the WAF or network perimeter.

  3. Rotate all credentials accessible by the Langflow process: LLM API keys, database credentials, cloud IAM tokens, and any secrets in environment variables.

  4. Hunt for exploitation: search access logs for POST requests to /api/v1/build_public_tmp/ with a non-empty request body — any hit on an unpatched instance should trigger a full IR process.

  5. Review Sysdig's published IOC report for known attacker infrastructure and C2 indicators.

  6. Disable public flow features entirely if not required by business operations.
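
One way to run the log hunt from step 4, as an added example that is not part of the original advisory or Langflow's own code. It assumes nginx access logs in the combined format with `$content_length` appended as the last field; the sample lines, IP addresses and flow ids are constructed.

```python
import re
from urllib.parse import unquote

# Assumed layout (not from the advisory): nginx "combined" format with
# $content_length appended as the final field; "-" means no Content-Length.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<clen>\d+|-)$'
)
# Endpoint from the advisory: /api/v1/build_public_tmp/{flow_id}/flow
ENDPOINT_RE = re.compile(r"^/api/v1/build_public_tmp/(?P<flow_id>[^/]+)/flow/?$", re.I)


def hunt(lines):
    """Return one dict per POST to the endpoint that carried, or may have carried, a body."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "POST":
            continue
        # Normalise before matching: drop the query string, decode %xx, collapse "//".
        path = re.sub(r"/{2,}", "/", unquote(m["target"].split("?", 1)[0]))
        ep = ENDPOINT_RE.match(path)
        if not ep:
            continue
        if m["clen"] == "-":
            body = "unknown"  # no Content-Length (e.g. chunked): review manually
        elif int(m["clen"]) > 0:
            body = "non-empty"
        else:
            continue  # empty body: no data parameter could have been sent
        hits.append({"ip": m["ip"], "time": m["ts"], "flow_id": ep["flow_id"],
                     "status": int(m["status"]), "body": body})
    return hits


# Constructed sample lines: documentation IP ranges and placeholder flow ids.
SAMPLE = [
    '203.0.113.7 - - [20/Mar/2026:14:02:11 +0000] "POST /api/v1/build_public_tmp/FLOW-ID-1/flow HTTP/1.1" 200 512 "-" "example-agent" 1843',
    '198.51.100.4 - - [20/Mar/2026:14:05:40 +0000] "POST /api/v1/build_public_tmp/FLOW-ID-1/flow HTTP/1.1" 200 512 "-" "example-agent" 0',
    '198.51.100.4 - - [20/Mar/2026:14:06:02 +0000] "GET /api/v1/build_public_tmp/FLOW-ID-1/flow HTTP/1.1" 405 31 "-" "example-agent" -',
    '192.0.2.55 - - [20/Mar/2026:15:11:09 +0000] "POST /api/v1//build_public_tmp/FLOW-ID-2/flow?x=1 HTTP/1.1" 200 498 "-" "example-agent" -',
    '192.0.2.55 - - [20/Mar/2026:15:12:30 +0000] "POST /api/v1/login HTTP/1.1" 200 120 "-" "example-agent" 64',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE):
        print(hit)
```

Requests logged without a Content-Length are reported as "unknown" rather than dropped, since the log alone cannot show whether a body was sent.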

CISA SSVC Assessment

Decision: Act
Exploitation: active
Automatable: Yes
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.1.5 - AI system security and safety measures
NIST AI RMF: MEASURE 2.6 - AI risk measurement and monitoring
OWASP LLM Top 10: LLM07 - Insecure Plugin Design

Frequently Asked Questions

Is CVE-2026-33017 actively exploited?

Yes, CVE-2026-33017 is confirmed actively exploited and is listed in the CISA Known Exploited Vulnerabilities catalog.

What systems are affected by CVE-2026-33017?

This vulnerability affects the following AI/ML architecture patterns: Agent frameworks, AI workflow builders, LLM orchestration platforms, Model serving infrastructure, RAG pipelines.

What is the CVSS score for CVE-2026-33017?

CVE-2026-33017 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 41.24%.

Technical Details

NVD Description

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.

Exploitation Scenario

An attacker identifies a public-facing Langflow instance via Shodan or Censys (Langflow exposes recognizable UI fingerprints). They craft a POST request to /api/v1/build_public_tmp/{any_valid_flow_id}/flow with a data payload containing a custom Python node whose code executes a reverse shell via subprocess.Popen — no credentials required. Within seconds they receive a shell on the Langflow server, extract all LLM API keys from environment variables, enumerate connected databases and cloud service configurations, pivot to internal AI infrastructure, and deploy a persistent backdoor. The Sysdig report documents this exact chain occurring in under 20 hours post-CVE disclosure, confirming weaponized exploit availability.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: March 20, 2026
Last Modified: March 26, 2026
First Seen: March 20, 2026

Related Vulnerabilities