CVE-2026-33017: Langflow has Unauthenticated Remote Code Execution via Public Flow Build Endpoint
Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.
Security readout for executives and security teams
Plain-English summary
Langflow versions before 1.9.0 can let an unauthenticated remote attacker run code through a public flow-building endpoint. This affects systems that expose Langflow, especially internet-facing AI workflow deployments. CISA lists this CVE in KEV, so treat it as actively exploited and urgent.
Executive priority
Immediate action is warranted. This is critical unauthenticated remote code execution in an AI workflow platform with KEV-listed exploitation. Prioritize exposed Langflow systems first, then internal systems.
Technical view
The vulnerable POST /api/v1/build_public_tmp/{flow_id}/flow endpoint accepts an optional data parameter and uses attacker-supplied flow definitions instead of stored database flow data. Those definitions can contain arbitrary Python code that is passed to exec() without sandboxing. The issue is tracked as CWE-306, CWE-94, and CWE-95.
Likely exposure
Highest exposure is Langflow before 1.9.0 reachable by untrusted users or the internet. Internal deployments are still exposed if unauthenticated users can reach public flow build functionality.
Exploitation context
CISA KEV inclusion supports active exploitation. The source bundle also includes third-party reporting describing attacker compromise of Langflow AI pipelines. Do not assume exploitation requires credentials, user interaction, or high complexity.
Researcher notes
The bundle states the fix is 1.9.0 and distinguishes this from CVE-2025-3248. One bundled reference is a 1.8.2 release tag, so validate remediation against the GitHub advisory and current vendor releases.
Mitigation direction
Upgrade Langflow to version 1.9.0 or later per the advisory.
Remove public internet access to vulnerable Langflow instances until upgraded.
Restrict access to trusted networks or authenticated gateways where feasible.
Review vendor guidance for any additional configuration-specific recommendations.
Validation and detection
Inventory all Langflow deployments and record exact versions.
Identify instances below 1.9.0, especially internet-facing services.
Check access logs for POST requests to /api/v1/build_public_tmp/ paths.
Review logs for requests using the optional data parameter.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-306: Credential and account abuse lookup
Authentication and credential weaknesses can make valid-account abuse and credential telemetry useful review starting points. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Code execution and unsafe deserialization weaknesses often justify reviewing execution behavior and process telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Code execution and unsafe deserialization weaknesses often justify reviewing execution behavior and process telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
The CVE wording references database injection or access, so collection and exfiltration review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
Exploitation: activeAutomatable: yesTechnical Impact: total
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.