Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.
CVE-2026-33017
Score elevated to 9.8 because this CVE is listed on the CISA Known Exploited Vulnerabilities catalog (added 2026-03-25), indicating real-world exploitation has been confirmed by US federal agencies. NVD baseline CVSS 9.8 retained for reference. Confidence: HIGH.
- Actively exploited in the wild (CISA-KEV)
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 9.8
- EG Score
- 9.8(high)
- EPSS
- 99.9%
- KEV
- ⚠ Exploited
Published
March 20, 2026
Last Modified
May 22, 2026
Advisory Details (6)
Auto-updated Jun 20, 2026CVE-2026-33017: How attackers compromised Langflow AI pipelines in 20 hours | Sysdig
https://www.sysdig.com/blog/cve-2026-33017-how-attackers-compromised-langflow-ai-pipelines-in-20-hoursKnown Exploited Vulnerabilities Catalog | CISA
Known Exploited Vulnerabilities Catalog | CISA. Listed in CISA Known Exploited Vulnerabilities catalog.
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-33017Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint · Advisory · langflow-ai/langflow · GitHub
https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvxcommit 73b6612e3ef2 (langflow-ai/langflow)
Fix landed in langflow-ai/langflow commit 73b6612e3ef2 — awaiting tagged release
https://github.com/langflow-ai/langflow/commit/73b6612e3ef25fdae0a752d75b0fabd47328d4f0Langflow Unauth RCE · CVE-2025-3248 · GitHub Advisory Database · GitHub
https://github.com/advisories/GHSA-rvqx-wpfh-mfx7Release 1.8.2 · langflow-ai/langflow · GitHub
https://github.com/langflow-ai/langflow/releases/tag/1.8.2Vendor Advisories for CVE-2026-33017(1)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
Patch Availability(1)
| Vendor / Ecosystem | Fixed in / Patch | Released | Source |
|---|---|---|---|
| pip | langflow | — | ghsa |
Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.
Affected Packages
(1 across 1 ecosystem)
PyPI(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| langflow | 0.0.31 ... 1.8.4 (293 versions) | 1.9.0 | — |
Weakness Classification(3)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Data Freshness Timeline
(refreshed 54× in last 7d / 220× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
Showing the most recent 100 of 433 total refreshes for this CVE.
- 2026-07-16 22:15 UTCEG score recompute
- 2026-07-16 18:35 UTCEG score recompute
- 2026-07-16 17:04 UTCCISA KEV update
- 2026-07-16 14:54 UTCEG score recompute
- 2026-07-16 11:14 UTCEG score recompute
- 2026-07-16 07:34 UTCEG score recompute
- 2026-07-16 03:54 UTCEG score recompute
- 2026-07-16 00:14 UTCEG score recompute
- 2026-07-15 20:34 UTCEG score recompute
- 2026-07-15 16:57 UTCEPSS rescore
- 2026-07-15 16:57 UTCEPSS rescore
- 2026-07-15 16:54 UTCEG score recompute
- 2026-07-15 16:49 UTCCISA KEV update
- 2026-07-15 15:04 UTCCISA KEV update
- 2026-07-15 13:12 UTCEG score recompute
- 2026-07-15 09:32 UTCEG score recompute
- 2026-07-15 05:50 UTCEG score recompute
- 2026-07-15 02:09 UTCEG score recompute
- 2026-07-14 22:29 UTCEG score recompute
- 2026-07-14 18:48 UTCEG score recompute
- 2026-07-14 18:05 UTCCISA KEV update
- 2026-07-14 15:08 UTCEG score recompute
- 2026-07-14 11:27 UTCEG score recompute
- 2026-07-14 07:46 UTCEG score recompute
- 2026-07-14 04:05 UTCEG score recompute
Show 75 moreShow fewer
- 2026-07-14 00:23 UTCEG score recompute
- 2026-07-13 20:43 UTCEG score recompute
- 2026-07-13 17:07 UTCCISA KEV update
- 2026-07-13 17:01 UTCEG score recompute
- 2026-07-13 13:21 UTCEG score recompute
- 2026-07-13 09:41 UTCEG score recompute
- 2026-07-13 06:00 UTCEG score recompute
- 2026-07-13 02:20 UTCEG score recompute
- 2026-07-12 22:40 UTCEG score recompute
- 2026-07-12 18:59 UTCEG score recompute
- 2026-07-12 15:18 UTCEG score recompute
- 2026-07-12 11:37 UTCEG score recompute
- 2026-07-12 07:57 UTCEG score recompute
- 2026-07-12 04:16 UTCEG score recompute
- 2026-07-12 00:36 UTCEG score recompute
- 2026-07-11 20:55 UTCEG score recompute
- 2026-07-11 17:14 UTCEG score recompute
- 2026-07-11 13:34 UTCEG score recompute
- 2026-07-11 09:52 UTCEG score recompute
- 2026-07-11 06:11 UTCEG score recompute
- 2026-07-11 02:30 UTCEG score recompute
- 2026-07-10 22:50 UTCEG score recompute
- 2026-07-10 19:10 UTCEG score recompute
- 2026-07-10 17:52 UTCCISA KEV update
- 2026-07-10 15:30 UTCEG score recompute
- 2026-07-10 11:49 UTCEG score recompute
- 2026-07-10 08:08 UTCEG score recompute
- 2026-07-10 04:28 UTCEG score recompute
- 2026-07-10 00:47 UTCEG score recompute
- 2026-07-09 21:05 UTCEG score recompute
- 2026-07-09 19:10 UTCEPSS rescore
- 2026-07-09 17:24 UTCEG score recompute
- 2026-07-09 13:43 UTCEG score recompute
- 2026-07-09 10:02 UTCEG score recompute
- 2026-07-09 06:22 UTCEG score recompute
- 2026-07-09 02:42 UTCEG score recompute
- 2026-07-08 23:01 UTCEG score recompute
- 2026-07-08 19:21 UTCEG score recompute
- 2026-07-08 15:41 UTCEG score recompute
- 2026-07-08 12:01 UTCEG score recompute
- 2026-07-08 08:20 UTCEG score recompute
- 2026-07-08 04:40 UTCEG score recompute
- 2026-07-08 00:58 UTCEG score recompute
- 2026-07-07 21:18 UTCEG score recompute
- 2026-07-07 19:01 UTCCISA KEV update
- 2026-07-07 17:37 UTCEG score recompute
- 2026-07-07 17:16 UTCCISA KEV update
- 2026-07-07 13:56 UTCEG score recompute
- 2026-07-07 10:16 UTCEG score recompute
- 2026-07-07 06:36 UTCEG score recompute
- 2026-07-07 02:54 UTCEG score recompute
- 2026-07-06 23:14 UTCEG score recompute
- 2026-07-06 19:33 UTCEG score recompute
- 2026-07-06 16:27 UTCEPSS rescore
- 2026-07-06 16:27 UTCEPSS rescore
- 2026-07-06 15:51 UTCEG score recompute
- 2026-07-06 12:11 UTCEG score recompute
- 2026-07-06 08:29 UTCEG score recompute
- 2026-07-06 04:49 UTCEG score recompute
- 2026-07-06 01:08 UTCEG score recompute
- 2026-07-05 21:28 UTCEG score recompute
- 2026-07-05 17:47 UTCEG score recompute
- 2026-07-05 14:06 UTCEG score recompute
- 2026-07-05 10:25 UTCEG score recompute
- 2026-07-05 06:44 UTCEG score recompute
- 2026-07-05 03:04 UTCEG score recompute
- 2026-07-04 23:24 UTCEG score recompute
- 2026-07-04 19:43 UTCEG score recompute
- 2026-07-04 16:03 UTCEG score recompute
- 2026-07-04 12:22 UTCEG score recompute
- 2026-07-04 08:42 UTCEG score recompute
- 2026-07-04 05:01 UTCEG score recompute
- 2026-07-04 01:21 UTCEG score recompute
- 2026-07-03 21:41 UTCEG score recompute
- 2026-07-03 18:01 UTCEG score recompute
Publicly available exploits
(3 references)Working exploit code is in the public domain (1 GitHub PoC) (1 Exploit-DB entry). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
- Exploit-DBEDB-52627First seen Jul 8, 2026
Langflow 1.9.0 - RCE
Open source ↗ - GitHub PoCc0gnit00/CVE-2026-33017First seen Jul 2, 2026
Python POC, Exploit for CVE-2026-33017
Open source ↗ - Nucleihttp/cves/2026/CVE-2026-33017.yamlFirst seen Jan 1, 2026
Langflow < 1.9.0 - Remote Code Execution
Open source ↗
Related CVEs(same product + same CWE)
Same product
7 shownpip:langflow
Same CWE
10 shownCWE-306 · CWE-94
Frequently asked(6)
What is CVE-2026-33017?
When was CVE-2026-33017 disclosed?
Is CVE-2026-33017 actively exploited?
What is the CVSS score of CVE-2026-33017?
Which products are affected by CVE-2026-33017?
How do I remediate CVE-2026-33017?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-33017
Is Your Infrastructure Affected by CVE-2026-33017?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.