Critical Langflow RCE Vulnerability CVE-2026-33017 Exploited Within Hours
Take action: If you're running Langflow, this is urgent. Update immediately to version 1.9.0.dev8 or later to patch CVE-2026-33017, and disable the AUTO_LOGIN=true default setting. Until you can update, restrict network access to the vulnerable endpoint and place Langflow behind a reverse proxy with authentication. Whether you patch or isolate, make sure to rotate all API keys and credentials the platform uses after isolating.
Langflow, an open-source AI orchestration framework, is currently under attack following the disclosure of a critical remote code execution vulnerability.
The flaw is tracked as CVE-2026-33017 (CVSS score 9.3), an unauthenticated code injection vulnerability in the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint. The endpoint accepts an optional data parameter that can contain attacker-defined flow structures, which are then processed by the exec() function without any sandbox restrictions.
Attackers can send a single HTTP request with a malicious JSON payload to execute arbitrary Python commands with the privileges of the Langflow server process. The flaw allows unauthenticated attackers to run arbitrary Python code on host servers.
Security researchers observed active exploitation within 20 hours of the vulnerability being made public on March 17, 2026.
Attackers are using automated scanning tools like Nuclei and custom Python scripts to find and exploit vulnerable Langflow instances. These actors typically start by running the id command to verify access before moving to deeper reconnaissance. They use the os.popen() function to execute shell commands and send the output to external callback servers.
A successful breach allows attackers to take full control of the AI infrastructure, harvest API keys and secrets that are in the memory of the Langflow instance, and potentially compromise the software supply chain. Since Langflow often connects to sensitive data sources and cloud providers, this RCE provides a path for lateral movement into the wider corporate network.
The vulnerability affects all versions of Langflow up to and including 1.8.1. Systems with the default AUTO_LOGIN=true setting are especially vulnerable because attackers can easily create the public flows needed to trigger the exploit.
Organizations must update Langflow to version 1.9.0.dev8 or apply the fixes from PR #12160 immediately. If you cannot update, restrict network access to the /api/v1/build_public_tmp endpoint or disable public flow building entirely.
Security teams should rotate all API keys and database passwords used by the platform and check for outbound connections to unusual callback services. Placing Langflow behind a reverse proxy with mandatory authentication will help block unauthenticated exploitation attempts.
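As a starting point for the log review this calls for, the following added example (not code from the Langflow project or from the original advisory) scans reverse-proxy access logs for POST requests to the endpoint named above and groups them by client address. It assumes Combined Log Format; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Endpoint named in the advisory: /api/v1/build_public_tmp/{flow_id}/flow
ENDPOINT_RE = re.compile(r'^/api/v1/build_public_tmp/[^/]+/flow/?$')


def normalise_path(target):
    """Drop the query string, percent-decode, and collapse repeated slashes."""
    path = unquote(target.split('?', 1)[0])
    return re.sub(r'/{2,}', '/', path)


def find_hits(lines):
    """Return {client_ip: [(timestamp, status), ...]} for POSTs to the endpoint."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m['method'] != 'POST':
            continue
        if ENDPOINT_RE.match(normalise_path(m['target'])):
            hits[m['ip']].append((m['ts'], int(m['status'])))
    return dict(hits)


# Constructed sample lines: documentation IP ranges and made-up flow ids.
SAMPLE_LOG = [
    '198.51.100.7 - - [18/Mar/2026:09:14:02 +0000] "POST /api/v1/build_public_tmp/flow-0001/flow HTTP/1.1" 200 512',
    '198.51.100.7 - - [18/Mar/2026:09:14:09 +0000] "POST //api/v1/build%5Fpublic%5Ftmp/flow-0001/flow?x=1 HTTP/1.1" 200 498',
    '203.0.113.20 - - [18/Mar/2026:09:20:05 +0000] "GET /api/v1/build_public_tmp/flow-0002/flow HTTP/1.1" 405 31',
    '203.0.113.20 - - [18/Mar/2026:09:20:11 +0000] "POST /api/v1/build_public_tmp/flow-0002/flow HTTP/1.1" 403 0',
    '192.0.2.5 - - [18/Mar/2026:09:21:40 +0000] "POST /api/v1/login HTTP/1.1" 200 120',
    'truncated or malformed line',
]

if __name__ == '__main__':
    for ip, events in find_hits(SAMPLE_LOG).items():
        not_rejected = sum(1 for _, status in events if status < 400)
        print(f'{ip}: {len(events)} POST(s), {not_rejected} not rejected, first at {events[0][0]}')
```

Any hit that was not rejected while the instance ran a version up to and including 1.8.1 is a reason to go ahead with the credential rotation and outbound-connection review described above.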