CVE-2026-33497 — HIGH (CVSS 7.5) AI Security Vulnerability

Q: Is CVE-2026-33497 actively exploited?

No confirmed active exploitation of CVE-2026-33497 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2026-33497?

1. PATCH: Upgrade to Langflow 1.7.1 immediately — this is the only complete fix. 2. ROTATE: After patching, regenerate the secret_key and invalidate all existing sessions. 3. NETWORK ISOLATION: Until patched, restrict Langflow to internal networks or VPN; do not expose port 7860 (or any Langflow port) to the internet. 4. REVOKE CREDENTIALS: Audit all API keys stored in Langflow workflows and rotate any that could have been exposed during the vulnerability window. 5. DETECT: Search web server logs for path traversal patterns in requests to /profile_pictures/ (e.g., %2e%2e, ../, .%2f). Presence indicates prior exploitation attempts. 6. AUDIT: Review Langflow access logs for unexpected admin sessions or workflow modifications.

Q: What systems are affected by CVE-2026-33497?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM workflow builders, model serving, RAG pipelines, multi-agent orchestration.

Q: What is the CVSS score for CVE-2026-33497?

CVE-2026-33497 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.03%.

CISO Take

CVE-2026-33497 is an unauthenticated path traversal in Langflow that exposes the application's secret_key — the cryptographic root used to sign sessions and tokens. Any attacker with network access can read it in a single HTTP request, then forge authenticated sessions and take full control of the platform. Patch to 1.7.1 immediately and rotate your secret_key; if you cannot patch today, take the Langflow instance off the network until you do.

Risk Assessment

HIGH. CVSS 7.5 understates operational risk for AI teams. The exploitability bar is trivial: no authentication, no special tooling, one HTTP GET with a path traversal payload. The impact ceiling is a full Langflow takeover — an attacker with a forged admin session inherits every connected LLM API key, database credential, and workflow secret stored in the platform. Langflow instances are frequently internet-exposed and used in production AI pipelines, making this a high-probability, high-impact target.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
langflow	pip	< 1.7.1	`1.7.1`
147.9K Pushed today 32% patched ~53d to patch Full package profile →

Do you use langflow? You're affected.

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 8% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I None

A None

Recommended Action

6 steps

PATCH

Upgrade to Langflow 1.7.1 immediately — this is the only complete fix.
ROTATE

After patching, regenerate the secret_key and invalidate all existing sessions.
NETWORK ISOLATION

Until patched, restrict Langflow to internal networks or VPN; do not expose port 7860 (or any Langflow port) to the internet.
REVOKE CREDENTIALS

Audit all API keys stored in Langflow workflows and rotate any that could have been exposed during the vulnerability window.
DETECT

Search web server logs for path traversal patterns in requests to /profile_pictures/ (e.g., %2e%2e, ../, .%2f). Presence indicates prior exploitation attempts.
AUDIT

Review Langflow access logs for unexpected admin sessions or workflow modifications.

CISA SSVC Assessment

Decision Track*

Exploitation poc

Automatable Yes

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Extraction Auth Bypass Framework Agent AML.T0025 - Exfiltration via Cyber Means AML.T0049 - Exploit Public-Facing Application AML.T0055 - Unsecured Credentials AML.T0083 - Credentials from AI Agent Configuration AML.T0084 - Discover AI Agent Configuration

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.1.2 - Information security in AI system development A.9.4 - Protection of AI system resources

NIST AI RMF

GOVERN-6.2 - Policies and procedures are in place for AI risk management, including third-party AI MANAGE-2.2 - Treatments, including response and recovery, are identified and prioritized based on risk

OWASP LLM Top 10

LLM05:2025 - Improper Output Handling / Insecure Plugin Design

Frequently Asked Questions

What is CVE-2026-33497?

CVE-2026-33497 is an unauthenticated path traversal in Langflow that exposes the application's secret_key — the cryptographic root used to sign sessions and tokens. Any attacker with network access can read it in a single HTTP request, then forge authenticated sessions and take full control of the platform. Patch to 1.7.1 immediately and rotate your secret_key; if you cannot patch today, take the Langflow instance off the network until you do.

Is CVE-2026-33497 actively exploited?

No confirmed active exploitation of CVE-2026-33497 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-33497?

1. PATCH: Upgrade to Langflow 1.7.1 immediately — this is the only complete fix. 2. ROTATE: After patching, regenerate the secret_key and invalidate all existing sessions. 3. NETWORK ISOLATION: Until patched, restrict Langflow to internal networks or VPN; do not expose port 7860 (or any Langflow port) to the internet. 4. REVOKE CREDENTIALS: Audit all API keys stored in Langflow workflows and rotate any that could have been exposed during the vulnerability window. 5. DETECT: Search web server logs for path traversal patterns in requests to /profile_pictures/ (e.g., %2e%2e, ../, .%2f). Presence indicates prior exploitation attempts. 6. AUDIT: Review Langflow access logs for unexpected admin sessions or workflow modifications.

What systems are affected by CVE-2026-33497?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM workflow builders, model serving, RAG pipelines, multi-agent orchestration.

What is the CVSS score for CVE-2026-33497?

CVE-2026-33497 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.03%.

Technical Details

NVD Description

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.1, in the download_profile_picture function of the /profile_pictures/{folder_name}/{file_name} endpoint, the folder_name and file_name parameters are not strictly filtered, which allows the secret_key to be read across directories. Version 1.7.1 contains a patch.

Exploitation Scenario

An unauthenticated external attacker scans for Langflow instances on the internet (banner/version fingerprinting via the UI or API). They send a crafted GET request to /profile_pictures/../../app/secret_key or a similar traversal payload targeting the application's configuration directory. The server returns the secret_key value in the response body. The attacker uses the secret_key to forge a valid JWT session token with admin privileges and authenticates to the Langflow UI. From admin access, they export all workflow definitions (containing hardcoded LLM API keys), implant malicious prompt injections in shared workflow templates, and use Langflow's tool-calling capabilities to exfiltrate data from connected databases — all without ever needing to know a password.