Langflow Code Injection Vulnerability CVE-2026-33017
Summary
CISA has added a critical code injection vulnerability (CVE-2026-33017) in Langflow versions prior to 1.9.0 to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability allows unauthenticated remote code execution due to improper handling of attacker-controlled Python code in public flow definitions.
What changed
CISA has added CVE-2026-33017, a critical vulnerability in Langflow versions prior to 1.9.0, to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, identified as CWE-94 (Code Injection) and CWE-306 (Missing Authentication for Critical Function), allows unauthenticated remote code execution by exploiting the build_public_tmp endpoint. This endpoint incorrectly processes attacker-supplied flow data containing arbitrary Python code via exec() without sandboxing, posing a significant security risk.
Organizations utilizing Langflow must ensure they have updated to version 1.9.0 or later to mitigate this vulnerability. Failure to patch could expose systems to active exploitation, leading to potential data breaches or system compromise. This inclusion in the KEV catalog signifies that active exploitation is known, necessitating immediate attention and remediation efforts by IT security teams.
What to do next
- Update Langflow to version 1.9.0 or later.
- Review systems for any instances of Langflow prior to version 1.9.0.
- Implement enhanced monitoring for suspicious activity related to the Langflow API.
Source document (simplified)
Required CVE Record Information
CNA: GitHub (maintainer security advisories)
Description
Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.
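To make the trust-boundary failure concrete, here is an added Python model (not Langflow's code and not the 1.9.0 patch) of the public-build endpoint: the vulnerable path lets a client-supplied `data` definition replace the stored flow, the hardened path rejects it, and `flag_request()` is the check a reverse proxy or application middleware can apply to incoming requests as part of the monitoring step above. The flow table, the node shape and the 400 response are assumptions; nothing is exec()'d, the stand-in only reports which node definitions would have been built.

```python
"""Defender-side model of CVE-2026-33017 (added example, not Langflow's code)."""
from __future__ import annotations

import re

# Constructed stand-in for the flows table: one public flow, one private flow.
STORED_FLOWS = {
    "f1": {"public": True,
           "nodes": [{"id": "n1", "code": "def run():\n    return 'hello'"}]},
    "f2": {"public": False, "nodes": []},
}

# Path pattern of the unauthenticated public-build endpoint named in the advisory.
PUBLIC_BUILD_PATH = re.compile(r"^/api/v1/build_public_tmp/(?P<flow_id>[^/]+)/flow$")


def find_inline_code(flow: dict) -> list[str]:
    """Ids of nodes whose definition embeds Python source in a `code` field."""
    return [n["id"] for n in flow.get("nodes", [])
            if isinstance(n.get("code"), str) and n["code"].strip()]


def flag_request(method: str, path: str, body: dict | None) -> bool:
    """True when a public-build request carries its own flow definition
    (the pre-1.9.0 RCE pattern). Usable as a proxy/WAF rule on the JSON
    body or as a middleware check in front of the endpoint (assumed hook)."""
    return (bool(PUBLIC_BUILD_PATH.match(path)) and method == "POST"
            and bool(body) and "data" in body)


def build_public_flow(flow_id: str, body: dict | None, hardened: bool = True) -> dict:
    """Minimal stand-in for the endpoint; reports nodes instead of running them."""
    stored = STORED_FLOWS.get(flow_id)
    if stored is None or not stored["public"]:
        return {"status": 404}
    client_data = (body or {}).get("data")
    if client_data is not None and hardened:
        # Hardened behaviour (assumed): for unauthenticated builds the stored
        # flow is authoritative, so a client-supplied definition is refused.
        return {"status": 400, "detail": "flow data not accepted on public build"}
    # Vulnerable behaviour: attacker-controlled data wins over the stored flow.
    flow = client_data if client_data is not None else stored
    return {"status": 200, "built_nodes": find_inline_code(flow)}
```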
CWE 3 Total
- CWE-94: Improper Control of Generation of Code ('Code Injection')
- CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
- CWE-306: Missing Authentication for Critical Function
CVSS 1 Total
| Score | Severity | Version | Vector String |
| --- | --- | --- | --- |
| 9.3 | CRITICAL | 4.0 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L |
Product Status
Versions 1 Total
Default Status: unknown
- affected: < 1.9.0
References 3 Total
- github.com: https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx
- github.com: https://github.com/langflow-ai/langflow/commit/73b6612e3ef25fdae0a752d75b0fabd47328d4f0
- github.com: https://github.com/advisories/GHSA-rvqx-wpfh-mfx7
Authorized Data Publishers
CISA-ADP (updated 2026-03-26): SSVC and KEV, plus CVSS and CWE if not provided by the CNA.
SSVC 1 Total
| Exploitation | Automatable | Technical Impact | Version | Date Accessed |
| --- | --- | --- | --- | --- |
| active | yes | total | 2.0.3 | 2026-03-19 |
KEV 1 Total
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-33017 (2026-03-25)