Ctrl + K
/ news / CVE
CVEPublished 2026-03-20Modified 2026-05-212 articles on news6 live referencesNVD data

CVE-2026-33017Langflow · Langflow

Vulnerability data via NVD (ingested)

CVSS v3.1
9.8
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS percentile
97
Exploit Prediction Scoring System · top 3% of all CVEs
Weaknesses (CWE)
CWE-94Improper Control of Generation of Code ('Code Injection')CWE-95Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')CWE-306Missing Authentication for Critical Function
Description

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.

Timeline
Published 2026-03-20
Modified 2026-05-21

External references

NVDMITREExploit-DBSploitustrickest/cveVulnCheck

Search for exposed instances

Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).

Shodan · vuln tag0 hosts
vuln:CVE-2026-33017
Hosts Shodan has explicitly fingerprinted as vulnerable.
Shodan · product
product:"Langflow Langflow"
All exposed Langflow Langflow instances — cross-reference with the CVE's affected-version range.
Shodan · banner/body mention
http.html:"Langflow"
HTTP body or banner mentions "Langflow" — catches deploys Shodan didn't identify as a product.
More intel sources (5)
Shodan report
vuln:CVE-2026-33017
Country / ASN / product breakdown for the vuln query.
Censys
vulnerabilities.cve_id: CVE-2026-33017
Censys host search filtered to this CVE id.
grep.app
CVE-2026-33017
Public source-code mentions — fast PoC discovery.
GitHub code
CVE-2026-33017
GitHub code search for direct mentions.
Google dork
"CVE-2026-33017" exploit -site:nvd.nist.gov
Write-ups and news, NVD excluded.

Known PoCs on GitHub (8)

CVE-2026-330178 repos
nomi-sec/PoC-in-GitHubunknown
📡 PoC auto collect from GitHub. ⚠️ Be careful Malware.
★ 7,813·updated today
eeeeeeeeee-code/POCunknown
备份的漏洞库,3月开始我们来维护
★ 2,019·updated 2mo ago
Threekiii/CVEunknown
一个 CVE 漏洞预警知识库,无 exp/poc,部分包含修复方案。A knowledge base of CVE security vulnerability, no PoCs/exploits.
★ 167·updated 2w ago
DarkFunct/TK-CVE-RepoPython
TK-CVE-Repo
★ 51·updated 2d ago
webpro255/awesome-ai-agent-attacksunknown
A curated timeline of real AI agent security incidents, breaches, and vulnerabilities (2024-2026). Every entry sourced and dated.
★ 24·updated 1mo ago
zulloper/cve-pocPython
CVE POC repo 자동 수집기
★ 13·updated today
MaxMnMl/langflow-CVE-2026-33017-pocPython
CVE-2026-33017 - An unauthenticated remote code execution in Langflow <= 1.8.1 via Public Flow Build Endpoint
★ 7·updated 2mo ago
holmanholdings/lionguardPython
Cathedral-Grade Security for AI Agents. Attack vectors updated daily. Local-first, zero API cost. MIT licensed.
★ 5·updated 6d ago
Articles on news mentioning CVE-2026-33017