External risk intelligence

Langflow allows attackers to run malicious code on your systems without a password.

CVE advisoryKnown Exploit

CVE-2026-33017

Langflow versions before 1.9.0 allow unauthenticated users to run malicious code on your server by exploiting a public workflow building feature. Update immediately to prevent system compromise.

5Halo Surface Signal

Code Injection

Langflow

before 1.8.2

External exposure likelihood

Halo Surface Signal score for CVE-2026-33017

The vulnerability exists within an API endpoint explicitly designed to be unauthenticated and accessible for public flow execution. Given that the application is a web-based platform for deploying AI workflows, this specific functionality is intended to be exposed to the internet as part of its normal operation.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in Langflow allows an unauthenticated attacker to execute arbitrary Python code on the server. This happens because a specific API endpoint, designed for building public workflows, incorrectly uses attacker-supplied code without proper checks. If you are using a vulnerable version, this could lead to a complete compromise of your system.

  • Remote code execution is possible.
  • Attackers do not need to authenticate.
  • The flaw is in public workflow building.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this by sending a crafted POST request to the `/api/v1/build_public_tmp/{flow_id}/flow` endpoint. This request would contain malicious Python code within the optional `data` parameter, which the vulnerable endpoint executes directly without any sanitization. This allows for unauthenticated remote code execution on the server.

  • No authentication needed.
  • Targets public flow build endpoint.
  • Python code in `data` parameter.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability presents a very clear pathway to unauthenticated remote code execution within Langflow. Attackers are likely to target this because it bypasses authentication and directly leverages code execution on the server. The vulnerability was discovered and publicly disclosed with exploit details, increasing its attractiveness.

  • Exploited in the wild.
  • Public exploit available.
  • Recently discovered and disclosed.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching Langflow to version 1.9.0 or later immediately, as this vulnerability allows unauthenticated remote code execution and is actively exploited. If patching is not immediately feasible, isolate affected services from external access to prevent exploitation while developing a remediation plan.

  • Upgrade Langflow to 1.9.0 or later.
  • Isolate services from network access.
  • Monitor for suspicious outbound connections.

Frequently asked questions

What is Langflow and its primary function?

Langflow is a tool designed for building and deploying AI-powered agents and workflows. It enables users to create sophisticated AI processes, particularly those involving natural language processing or automated decision-making, and makes them readily available for use.

What type of vulnerability is CVE-2026-33017?

CVE-2026-33017 represents a critical vulnerability classified under improper neutralization of input during code generation (CWE-94) and code injection (CWE-95). It enables an attacker to execute arbitrary Python code on the server by submitting specially crafted input to an API endpoint.

How can an attacker trigger CVE-2026-33017?

An attacker can exploit this vulnerability by sending a POST request to the `/api/v1/build_public_tmp/{flow_id}/flow` endpoint. This request can contain malicious Python code in the `data` parameter, which the vulnerable endpoint executes directly without sandboxing, leading to unauthenticated remote code execution.

What is the relevance of CVE-2026-33017 according to Halo Surface Signal?

Halo Surface Signal indicates that this vulnerability is 'Very likely' exploitable externally. This is because the flaw resides in an API endpoint intentionally designed to be unauthenticated and accessible for public flow execution, a function that is inherently exposed to the internet.

What is the recommended action for CVE-2026-33017?

The recommended action is to upgrade Langflow to version 1.9.0 or later immediately. If immediate patching is not possible, isolate the affected services from external network access to prevent exploitation while a remediation plan is developed.

References

Sources and related resources

Primary sources: NVD, CVE.org, CISA KEV.

NVDPublished Modified