CVE-2026-33497 — HIGH (CVSS 7.5) AI Security Vulnerability

CISO Take

CVE-2026-33497 is an unauthenticated path traversal in Langflow that exposes the application's secret_key — the cryptographic root used to sign sessions and tokens. Any attacker with network access can read it in a single HTTP request, then forge authenticated sessions and take full control of the platform. Patch to 1.7.1 immediately and rotate your secret_key; if you cannot patch today, take the Langflow instance off the network until you do.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
langflow	pip	< 1.7.1	`1.7.1`

Do you use langflow? You're affected.

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

N/A

KEV Status

Not in KEV

Sophistication

Trivial

Recommended Action

1. PATCH: Upgrade to Langflow 1.7.1 immediately — this is the only complete fix. 2. ROTATE: After patching, regenerate the secret_key and invalidate all existing sessions. 3. NETWORK ISOLATION: Until patched, restrict Langflow to internal networks or VPN; do not expose port 7860 (or any Langflow port) to the internet. 4. REVOKE CREDENTIALS: Audit all API keys stored in Langflow workflows and rotate any that could have been exposed during the vulnerability window. 5. DETECT: Search web server logs for path traversal patterns in requests to /profile_pictures/ (e.g., %2e%2e, ../, .%2f). Presence indicates prior exploitation attempts. 6. AUDIT: Review Langflow access logs for unexpected admin sessions or workflow modifications.

Classification

Data Extraction Auth Bypass Framework Agent AML.T0025 - Exfiltration via Cyber Means AML.T0049 - Exploit Public-Facing Application AML.T0055 - Unsecured Credentials AML.T0083 - Credentials from AI Agent Configuration AML.T0084 - Discover AI Agent Configuration

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.1.2 - Information security in AI system development A.9.4 - Protection of AI system resources

NIST AI RMF

GOVERN-6.2 - Policies and procedures are in place for AI risk management, including third-party AI MANAGE-2.2 - Treatments, including response and recovery, are identified and prioritized based on risk

OWASP LLM Top 10

LLM05:2025 - Improper Output Handling / Insecure Plugin Design

Technical Details

NVD Description

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.1, in the download_profile_picture function of the /profile_pictures/{folder_name}/{file_name} endpoint, the folder_name and file_name parameters are not strictly filtered, which allows the secret_key to be read across directories. Version 1.7.1 contains a patch.

Exploitation Scenario

An unauthenticated external attacker scans for Langflow instances on the internet (banner/version fingerprinting via the UI or API). They send a crafted GET request to /profile_pictures/../../app/secret_key or a similar traversal payload targeting the application's configuration directory. The server returns the secret_key value in the response body. The attacker uses the secret_key to forge a valid JWT session token with admin privileges and authenticates to the Langflow UI. From admin access, they export all workflow definitions (containing hardcoded LLM API keys), implant malicious prompt injections in shared workflow templates, and use Langflow's tool-calling capabilities to exfiltrate data from connected databases — all without ever needing to know a password.

Weaknesses (CWE)

CWE-22 Primary CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Primary

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

Timeline

Published

March 24, 2026

Last Modified

March 24, 2026

First Seen

March 24, 2026