CVE-2026-33017
Modified Modified - Updated After Analysis
Unauthenticated Remote Code Execution in Langflow build_public_tmp Endpoint

Publication date: 2026-03-20

Last updated on: 2026-05-22

Assigner: GitHub, Inc.

Description
Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-05-22
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33017
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
langflow langflow to 1.8.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
CWE-95 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-33017 is a critical unauthenticated remote code execution (RCE) vulnerability in Langflow versions up to 1.8.1. It exists in the POST endpoint /api/v1/build_public_tmp/{flow_id}/flow, which allows building public flows without requiring authentication.'}, {'type': 'paragraph', 'content': "The vulnerability arises because this endpoint accepts an optional data parameter containing flow data. Attackers can supply this parameter with arbitrary Python code embedded in node definitions. This code is executed via Python's exec() function without any sandboxing or validation, enabling unauthenticated remote code execution."}, {'type': 'paragraph', 'content': 'The flaw allows attackers to execute arbitrary Python code on the server by sending crafted requests to this endpoint, potentially leading to full system compromise.'}] [2]

Impact Analysis

This vulnerability can have severe impacts including complete server compromise with full process privileges.

  • Arbitrary file read and write operations.
  • Execution of arbitrary commands on the server.
  • Exfiltration of environment variables such as API keys, database credentials, and cloud tokens.
  • Persistent reverse shell access and lateral movement within the network.
  • Data exfiltration from all flows, messages, and stored credentials.

Because the vulnerability requires no authentication and has low attack complexity, it poses a high risk to any Langflow deployment exposing this endpoint.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring HTTP POST requests to the endpoint /api/v1/build_public_tmp/{flow_id}/flow on Langflow instances running versions prior to 1.9.0. Specifically, look for requests that include the optional data parameter containing suspicious or arbitrary Python code embedded in the flow data.'}, {'type': 'paragraph', 'content': 'Detection commands or methods could include:'}, {'type': 'list_item', 'content': 'Using network monitoring tools (e.g., tcpdump, Wireshark) to capture POST requests to the vulnerable endpoint and inspecting the payload for Python code patterns.'}, {'type': 'list_item', 'content': 'Using curl or similar HTTP clients to test the endpoint by sending crafted requests with the data parameter and observing if the server executes the code (only in a safe test environment).'}, {'type': 'list_item', 'content': 'Checking server logs for unexpected execution of Python code or creation of unusual files (e.g., /tmp/rce-proof) that indicate exploitation attempts.'}, {'type': 'list_item', 'content': 'Example curl command to test (in a controlled environment):'}, {'type': 'list_item', 'content': 'curl -X POST "http://<langflow-server>/api/v1/build_public_tmp/<flow_id>/flow" -H "Content-Type: application/json" -d \'{"data": {"nodes": [{"parameters": {"code": "_x = __import__(\'os\').system(\'id\')"}}]}}\''}] [2]

Mitigation Strategies

Immediate mitigation steps include:

  • Upgrade Langflow to version 1.9.0 or later, where the vulnerability is fixed by removing the unsafe data parameter from the /api/v1/build_public_tmp/{flow_id}/flow endpoint.
  • If upgrading is not immediately possible, restrict access to the vulnerable endpoint by network controls such as firewall rules or API gateway policies to prevent unauthenticated access.
  • Disable or limit public flows if possible, since the vulnerability requires at least one public flow to be exploitable.
  • Monitor logs and network traffic for suspicious POST requests to the vulnerable endpoint and respond to any detected exploitation attempts.
  • Review and apply the patch that disables the data parameter and enforces loading flow data only from the database, as described in the official fix.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33017. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart