Mar 26, 2026 • Diksha Ojha
CISA Added Langflow Vulnerability to its Known Exploited Vulnerabilities Catalog (CVE-2026-33017)
Executive Summary
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-33017 to its Known Exploited Vulnerabilities Catalog due to active exploitation. This critical vulnerability affects Langflow, an open-source AI application platform, allowing unauthenticated remote attackers to execute arbitrary code on target systems. The flaw exists in the build_public_tmp endpoint, where attacker-controlled flow data is passed to an unsandboxed exec function. Qualys assigned a Vulnerability Score of 95, highlighting the severe risk involved. Affected versions include Langflow up to 1.8.1. Successful exploitation requires a public flow UUID but no authentication, especially when AUTO_LOGIN is enabled. Organizations using Langflow must immediately upgrade to version 1.9.0 or later to mitigate this risk. Qualys customers can detect vulnerable assets using specific QIDs. Immediate patching is urged before the April 8, 2025 deadline to prevent system compromise and unauthorized AI workflow manipulation.
Published Analysis
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently acknowledged the active exploitation of the Langflow vulnerability. Tracked as CVE-2026-33017, the vulnerability may allow an unauthenticated remote attacker to execute arbitrary code on the target system. CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog, urging users to patch it before April 8, 2025.
Langflow is an open-source, low-code platform that uses a visual, drag-and-drop interface to build, prototype, and deploy AI applications and workflows. It enables users to connect components like large language models (LLMs), vector databases, APIs, and custom logic into functional AI systems without extensive coding.
Vulnerability Details
The vulnerability exists in the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint. The endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses the attacker-controlled flow data instead of the stored flow data from the database. The attacker-supplied code is then passed to exec() with no sandboxing, resulting in unauthenticated remote code execution.
Qualys Threat Intelligence assigned a Qualys Vulnerability Score (QVS) of 95 to CVE-2026-33017. The Qualys Vulnerability Score (QVS) is a Qualys-assigned score for a vulnerability based on multiple factors associated with the CVE, such as CVSS scores and external threat indicators like active exploitation, exploit code maturity, CISA known exploits, and more.
Prerequisites
- The target Langflow instance must contain at least one public flow (common for demos, chatbots, and shared workflows).
- The attacker must know the public flow's UUID (discoverable via shared links/URLs).
- No authentication is required; only a client_id cookie (any arbitrary string value) is needed.
When AUTO_LOGIN=true (the default), all prerequisites can be met by an unauthenticated attacker:
- GET /api/v1/auto_login to obtain a superuser token.
- POST /api/v1/flows/ to create a public flow.
- Exploit via build_public_tmp without any authentication.
Affected Versions
The vulnerability affects Langflow versions up to 1.8.1.
Mitigation
Users must upgrade to Langflow version 1.9.0 or later to patch the vulnerability. For more information, please refer to the Langflow Security Advisory.
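As an added triage helper (written for this page, not code from Qualys or the Langflow project), the script below checks an installed Langflow version against the 1.9.0 fix boundary and flags access-log hits on the two endpoints named above. The log lines, the client IPs and the flow UUID are constructed samples; the version parser is a minimal helper, not Langflow's own.

```python
import re

FIXED_VERSION = (1, 9, 0)  # first release carrying the fix, per the advisory

# POST /api/v1/build_public_tmp/{flow_id}/flow: the unauthenticated endpoint
# whose optional `data` parameter reaches exec() in affected versions.
BUILD_PUBLIC_TMP = re.compile(
    r'"POST /api/v1/build_public_tmp/(?P<flow_id>[0-9a-fA-F-]{36})/flow'
    r'(?:\?\S*)? HTTP/\d\.\d"'
)
# GET /api/v1/auto_login hands out a superuser token when AUTO_LOGIN=true.
AUTO_LOGIN = re.compile(r'"GET /api/v1/auto_login(?:\?\S*)? HTTP/\d\.\d"')
CLIENT_IP = re.compile(r"^(?P<ip>\S+) ")

def parse_version(text: str) -> tuple:
    """Turn '1.8.1' into a comparable tuple of ints (first three fields)."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])

def is_vulnerable(version: str) -> bool:
    """Affected: every release up to and including 1.8.1; fixed in 1.9.0."""
    return parse_version(version) < FIXED_VERSION

def find_suspicious(lines) -> list:
    """Return (client_ip, kind, flow_id) for each hit on the two endpoints.

    Access logs carry no request body, so a build_public_tmp hit alone does
    not prove the `data` parameter was supplied; treat it as a triage lead,
    weighted by is_vulnerable() and by the client's surrounding activity.
    """
    hits = []
    for line in lines:
        ip_m = CLIENT_IP.match(line)
        ip = ip_m.group("ip") if ip_m else "?"
        m = BUILD_PUBLIC_TMP.search(line)
        if m:
            hits.append((ip, "build_public_tmp", m.group("flow_id")))
        elif AUTO_LOGIN.search(line):
            hits.append((ip, "auto_login", None))
    return hits

# Constructed sample access-log lines (not from any real deployment).
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Mar/2026:10:01:02 +0000] "GET /api/v1/auto_login HTTP/1.1" 200 312',
    '203.0.113.7 - - [26/Mar/2026:10:01:05 +0000] "POST /api/v1/flows/ HTTP/1.1" 201 840',
    '203.0.113.7 - - [26/Mar/2026:10:01:09 +0000] "POST /api/v1/build_public_tmp/0b2c6d3e-1f4a-4b5c-8d6e-7f8091a2b3c4/flow HTTP/1.1" 200 97',
    '198.51.100.4 - - [26/Mar/2026:10:02:00 +0000] "GET /flow/0b2c6d3e-1f4a-4b5c-8d6e-7f8091a2b3c4 HTTP/1.1" 200 5120',
]
```

On the sample, the same client hits auto_login and then build_public_tmp within seconds, which is the sequence worth escalating on an instance where is_vulnerable() is true.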
Qualys Detection
Qualys customers can scan their devices with QIDs 733892 and 531044 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
- https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx
Linked Entities
- CVE-2026-33017