CVE-2026-33017 is a critical-severity code injection vulnerability in langflow (pip), affecting versions <= 1.8.2. It is fixed in 1.9.0.
Summary The POST /api/v1/buildpublictmp/{flowid}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The buildpublictmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. Affected Code Vulnerable Endpoint (No Authentication) File: src/backend/base/langflow/api/v1/chat.py, lines 580-657 Compare with the authenticated build endpoint at line 138, which requires currentuser: CurrentActiveUser. Code Execution Chain When attacker-supplied data is provided, it flows through: startflowbuild(data=attackerdata) → generateflowevents() -- build.py:81 creategraph() → buildgraphfromdata(payload=data.modeldump()) -- build.py:298 Graph.frompayload(payload) parses attacker nodes -- base.py:1168 addnodesandedges() → initialize() → buildgraph() -- base.py:270,527 instantiatecomponentsinvertices() iterates nodes -- base.py:1323 vertex.instantiatecomponent() → instantiateclass(vertex) -- loading.py:28 code = customparams.pop("code") extracts attacker code -- loading.py:43 evalcustomcomponentcode(code) → createclass(code, classname) -- eval.py:9 prepareglobalscope(module) -- validate.py:323 exec(compiledcode, execglobals) -- ARBITRARY CODE EXECUTION -- validate.py:397 Unsandboxed exec() in prepareglobalscope File: src/lfx/src/lfx/custom/validate.py, lines 340-397 Critical detail: prepareglobalscope executes ast.Assign nodes. An attacker's code like x = os.system("id") is an assignment and will be executed during graph building -- before the flow even "runs." Prerequisites Target Langflow instance has at least one public flow (common for demos, chatbots, shared workflows) Attacker knows the public flow's UUID (discoverable via shared links/URLs) No authentication required -- only a clientid cookie (any arbitrary string value) When AUTOLOGIN=true (the default), all prerequisites can be met by an unauthenticated attacker: GET /api/v1/autologin → obtain superuser token POST /api/v1/flows/ → create a public flow Exploit via buildpublictmp without any auth Proof of Concept Tested Against Langflow version 1.7.3 (latest stable release, installed via pip install langflow) Fully reproducible: 6/6 runs confirmed RCE (two sets of 3 runs each) Step 1: Obtain a Public Flow ID (In a real attack, the attacker discovers this via shared links. For the PoC, we create one via AUTOLOGIN.) Step 2: Exploit -- Unauthenticated RCE Step 3: Verify Code Execution Actual Test Results Impact Unauthenticated Remote Code Execution with full server process privileges Complete server compromise: arbitrary file read/write, command execution Environment variable exfiltration: API keys, database credentials, cloud tokens (confirmed in PoC: envkeys exfiltrated) Reverse shell access for persistent access Lateral movement within the network Data exfiltration from all flows, messages, and stored credentials in the database Comparison with CVE-2025-3248 | Aspect | CVE-2025-3248 | This Vulnerability | |--------|--------------|-------------------| | Endpoint | /api/v1/validate/code | /api/v1/buildpublictmp/{id}/flow | | Fix applied | Added Depends(getcurrentactiveuser) | None -- NEW vulnerability | | Root cause | Missing auth on code validation | Unauthenticated endpoint accepts attacker-controlled executable code via data param | | Code execution via | validatecode() → exec() | createclass() → prepareglobalscope() → exec() | | CISA KEV | Yes (actively exploited) | N/A (new finding) | | Can simple auth fix? | Yes (and it was fixed) | No -- endpoint is designed to be unauthenticated; the data parameter must be removed | Recommended Fix Immediate (Short-term) Remove the data parameter from buildpublictmp. Public flows should only execute their stored flow data, never attacker-supplied data: In generateflowevents → creategraph(), only the buildgraphfrom_db path should be reachable for unauthenticated requests:
Untrusted input is evaluated as executable code within the application's runtime environment. Typical impact: arbitrary code execution within the application's privilege context.
CVE-2026-33017 has a CVSS score of 9.8 (Critical). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (1.9.0). Upgrading removes the vulnerable code path.
pip
langflow (<= 1.8.2)langflow → 1.9.0 (pip)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's Application Detection and Response identifies whether CVE-2026-33017 is reachable in your applications. Explore runtime application protection for your team.
See if CVE-2026-33017 is reachable in your applications. Get a demo
Upgrade langflow to 1.9.0 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2026-33017 is a critical-severity code injection vulnerability in langflow (pip), affecting versions <= 1.8.2. It is fixed in 1.9.0. Untrusted input is evaluated as executable code within the application's runtime environment.
CVE-2026-33017 has a CVSS score of 9.8 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
langflow (pip) versions <= 1.8.2 is affected.
Yes. CVE-2026-33017 is fixed in 1.9.0. Upgrade to this version or later.
Whether CVE-2026-33017 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
Upgrade langflow to 1.9.0 or later.