Vulnerability Analysis
Langflow has Unauthenticated Remote Code Execution via Public Flow Build Endpoint

CVE-2026-33017

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.

CVSS Base Score: 9.3 (CRITICAL)
Exploitability: -
Impact Score: -
Temporal Score: -
EPSS: 98.41%

Threat Intelligence Signals

CISA KEV: YES
KEV Date Added: 2026-03-25
Ransomware Use: Unknown
KEV Due Date: 2026-04-08
VulnCheck In-the-Wild: No
Nuclei Template: YES
EPSS Score: 98.412%
EPSS Percentile: 99.9th percentile
GitHub Severity: CRITICAL

Identity & Timeline

Status: -
Assigning Authority: -
CVSS Version / Source: -
Reserved: -
Published: -
Patch Date (date_public): -
Exploit DB Date: -
First GitHub PoC Date: -
Last Updated: -
Time to Patch (Days to fix): -
Exploit Release Gap: -
PoC Release Gap: -
Exploit DB References: None identified

Affected Products & Versions

Vendor | Product | Affected Versions
No affected products specified.

References

No reference links found.
