Full Report
A critical security flaw impacting Langflow has come under active exploitation within 20 hours of public disclosure, highlighting the speed at which threat actors weaponize newly published vulnerabilities. The security defect, tracked as CVE-2026-33017 (CVSS score: 9.3), is a case of missing authentication combined with code injection that could result in remote code execution. "The POST /api/v1
Analysis Summary
# Vulnerability: Critical Unauthenticated RCE in Langflow
## CVE Details
- **CVE ID:** CVE-2026-33017
- **CVSS Score:** 9.3 (Critical)
- **CWE:** Missing Authentication (CWE-306) and Code Injection (CWE-94)
## Affected Systems
- **Products:** Langflow (Open-source AI platform)
- **Versions:** All versions prior to and including 1.8.1
- **Configurations:** Systems where "public flows" are enabled or accessible.
## Vulnerability Description
The flaw exists within the `POST /api/v1/build_public_tmp/{flow_id}/flow` endpoint. This endpoint was designed without authentication to facilitate public flow accessibility. However, it improperly processes an optional `data` parameter.
When this parameter is provided, the application uses attacker-supplied flow data—which can contain arbitrary Python code—instead of using the verified flow data stored in the server's database. This attacker-controlled code is passed directly to the `exec()` function without sandboxing, leading to Unauthenticated Remote Code Execution (RCE).
## Exploitation
- **Status:** **Exploited in the wild.** Attacks were observed within 20 hours of disclosure.
- **Complexity:** Low (Attackers built exploits directly from the advisory description).
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Access to environment variables, credentials, and sensitive files like `/etc/passwd`).
- **Integrity:** High (Ability to modify files, inject backdoors, and delete data).
- **Availability:** High (Full control over the server process).
## Remediation
### Patches
- **Version 1.9.0.dev8:** Address the flaw by removing the vulnerable `data` parameter from the public endpoint. Users should upgrade to the latest development or stable release immediately.
### Workarounds
- Disable or restrict access to the `/api/v1/build_public_tmp/` endpoint via a reverse proxy or firewall.
- Limit the Langflow server's network exposure to trusted IP addresses only.
## Detection
- **Indicators of Compromise (IoCs):**
- HTTP POST requests to `/api/v1/build_public_tmp/{flow_id}/flow` containing a `data` parameter.
- Presence of custom Python scripts designed to exfiltrate `/etc/passwd`.
- Network traffic to known malicious IP: `173.212.205[.]251:8443`.
- **Detection Methods:**
- Monitor application logs for unusual activity on the `build_public_tmp` endpoint.
- Use runtime security tools to detect unauthorized `exec()` calls or reverse shell activity originating from the Langflow process.
## References
- Langflow Security Advisory: hxxps[://]github[.]com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx
- Sysdig Threat Research: hxxps[://]www[.]sysdig[.]com/blog/cve-2026-33017-how-attackers-compromised-langflow-ai-pipelines-in-20-hours
- Original Reporting: hxxps[://]thehackernews[.]com/2026/03/critical-langflow-flaw-cve-2026-33017.html