CVE-2026-33017
Unauthenticated Remote Code Execution in Langflow build_public_tmp Endpoint

Publication date: 2026-03-20

Last updated on: 2026-03-26

Assigner: GitHub, Inc.

Description
Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.
Meta Information
Published: 2026-03-20
Last Modified: 2026-03-26
Generated: 2026-05-07
AI Q&A: 2026-03-20
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor | Product | Version / Range
langflow | langflow | to 1.8.2 (exclusive)
CWE ID | Description
CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-95 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33017 is a critical unauthenticated remote code execution (RCE) vulnerability in Langflow versions up to 1.8.1. It exists in the POST endpoint /api/v1/build_public_tmp/{flow_id}/flow, which allows building public flows without requiring authentication.

The vulnerability arises because this endpoint accepts an optional data parameter containing flow data. Attackers can supply this parameter with arbitrary Python code embedded in node definitions. This code is executed via Python's exec() function without any sandboxing or validation, enabling unauthenticated remote code execution.

The flaw allows attackers to execute arbitrary Python code on the server by sending crafted requests to this endpoint, potentially leading to full system compromise. [2]


How can this vulnerability impact me?

This vulnerability can have severe impacts including complete server compromise with full process privileges.

  • Arbitrary file read and write operations.
  • Execution of arbitrary commands on the server.
  • Exfiltration of environment variables such as API keys, database credentials, and cloud tokens.
  • Persistent reverse shell access and lateral movement within the network.
  • Data exfiltration from all flows, messages, and stored credentials.

Because the vulnerability requires no authentication and has low attack complexity, it poses a high risk to any Langflow deployment exposing this endpoint.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring HTTP POST requests to the endpoint /api/v1/build_public_tmp/{flow_id}/flow on Langflow instances running versions prior to 1.9.0. Specifically, look for requests that include the optional data parameter containing suspicious or arbitrary Python code embedded in the flow data.

Detection commands or methods could include:

  • Using network monitoring tools (e.g., tcpdump, Wireshark) to capture POST requests to the vulnerable endpoint and inspecting the payload for Python code patterns.
  • Using curl or similar HTTP clients to test the endpoint by sending crafted requests with the data parameter and observing if the server executes the code (only in a safe test environment).
  • Checking server logs for unexpected execution of Python code or creation of unusual files (e.g., /tmp/rce-proof) that indicate exploitation attempts.
  • Example curl command to test (in a controlled environment):

    curl -X POST "http://<langflow-server>/api/v1/build_public_tmp/<flow_id>/flow" -H "Content-Type: application/json" -d '{"data": {"nodes": [{"parameters": {"code": "_x = __import__('os').system('id')"}}]}}'

[2]
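
The monitoring described above, as an added example (not from the advisory or the Langflow project): a triage filter for proxy or WAF logs that record request bodies, flagging POSTs to the endpoint that supply their own data parameter. The JSON-lines schema (src, method, path, body) and all sample records are constructed assumptions.

```python
import json
import re

# Endpoint path from the advisory; the flow_id is captured for triage.
ENDPOINT = re.compile(r"^/api/v1/build_public_tmp/([^/]+)/flow/?$")

def count_code_fields(obj):
    """Count string-valued "code" keys anywhere in caller-supplied flow data."""
    if isinstance(obj, dict):
        own = sum(1 for k, v in obj.items() if k == "code" and isinstance(v, str))
        return own + sum(count_code_fields(v) for v in obj.values())
    if isinstance(obj, list):
        return sum(count_code_fields(v) for v in obj)
    return 0

def inspect_request(rec):
    """Return a finding for a POST that carries its own flow data, else None."""
    m = ENDPOINT.match(rec.get("path", "").split("?", 1)[0])
    if rec.get("method", "").upper() != "POST" or not m:
        return None
    finding = {"src": rec.get("src"), "flow_id": m.group(1)}
    try:
        body = json.loads(rec.get("body") or "{}")
    except json.JSONDecodeError:
        return {**finding, "reason": "unparseable body", "code_fields": 0}
    if not isinstance(body, dict) or body.get("data") is None:
        return None  # build of the stored flow, nothing caller-supplied
    return {**finding, "reason": "caller-supplied flow data",
            "code_fields": count_code_fields(body["data"])}

def scan(lines):
    """Return findings for every JSON-lines record that inspect_request flags."""
    records = (json.loads(line) for line in lines if line.strip())
    return [hit for hit in map(inspect_request, records) if hit]

# Constructed sample records; the src/method/path/body schema is hypothetical.
SAMPLE_LOG = [json.dumps(r) for r in (
    {"src": "198.51.100.7", "method": "POST", "path": "/api/v1/build_public_tmp/f-123/flow",
     "body": json.dumps({"data": {"nodes": [{"parameters": {"code": "print(1)"}}]}})},
    {"src": "203.0.113.9", "method": "POST", "path": "/api/v1/build_public_tmp/f-123/flow",
     "body": json.dumps({"inputs": {}})},
    {"src": "203.0.113.9", "method": "GET", "path": "/api/v1/build_public_tmp/f-123/flow"},
    {"src": "198.51.100.7", "method": "POST", "path": "/api/v1/build_public_tmp/f-456/flow?x=1",
     "body": '{"data": {"nodes"'},
)]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A flagged record is a triage signal for review, and truncated bodies are reported separately because a log that cuts off the payload cannot rule out a supplied data parameter.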


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:

  • Upgrade Langflow to version 1.9.0 or later, where the vulnerability is fixed by removing the unsafe data parameter from the /api/v1/build_public_tmp/{flow_id}/flow endpoint.
  • If upgrading is not immediately possible, restrict access to the vulnerable endpoint by network controls such as firewall rules or API gateway policies to prevent unauthenticated access.
  • Disable or limit public flows if possible, since the vulnerability requires at least one public flow to be exploitable.
  • Monitor logs and network traffic for suspicious POST requests to the vulnerable endpoint and respond to any detected exploitation attempts.
  • Review and apply the patch that disables the data parameter and enforces loading flow data only from the database, as described in the official fix.
