GHSA-vwmf-pq79-vjvx · Severity: critical · Ecosystem: pip — Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint
Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.
Conclusion & alert: CVE-2026-33017 is rated Critical Active Threat (96.6/100): CVSS Critical severity, with high exploitation likelihood (EPSS 24.65%, 96th percentile). Core evidence: CISA KEV confirms active exploitation (added 2026-03-25) affecting Langflow / Langflow. a weakness (CWE-306) Unauthenticated remote administrative access may be possible. Mandatory action: The CISA remediation deadline has passed—treat as an emergency patch priority.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
: Langflow Code Injection Vulnerability · CISA KEV detail
: 2026-03-25
: 2026-04-08
: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| — | nvd_ref | exploit_tag | Exploit-DB ↗ | |
| — | nvd_ref | exploit_tag | Exploit-DB ↗ |
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-05 | 23.98% | 24.65% | +0.67% |
| 2 | 2026-05-27 | 23.24% | 23.98% | +0.74% |
| 3 | 2026-05-22 | — | 23.24% | — |
Full EPSS history (16 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 9.3 | 4.0 | CRITICAL |
|
— | — | [email protected] |
| 9.8 | 3.1 | CRITICAL |
|
3.9 | 5.9 | [email protected] |
GHSA-vwmf-pq79-vjvx · Severity: critical · Ecosystem: pip — Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint
| URL | Tags |
|---|---|
| https://github.com/advisories/GHSA-rvqx-wpfh-mfx7 | Third Party Advisory |
| https://github.com/langflow-ai/langflow/commit/73b6612e3ef25fdae0a752d75b0fabd47328d4f0 | Patch |
| https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx | Exploit Mitigation Vendor Advisory |
| https://github.com/langflow-ai/langflow/releases/tag/1.8.2 | Release Notes |
| https://medium.com/@aviral23/cve-2026-33017-how-i-found-an-unauthenticated-rce-in-langflow-by-reading-the-code-they-already-dc96cdce5896 | Exploit Third Party Advisory |
| https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-33017 | US Government Resource |
| https://www.sysdig.com/blog/cve-2026-33017-how-attackers-compromised-langflow-ai-pipelines-in-20-hours | Press/Media Coverage |