CVE-2026-33017

Name: CVE-2026-33017
Creator: NVD / NIST
Published: 2026-03-20T05:16:15.55+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.3/10Actively ExploitedEPSS 98.41%

Last modified Jun 17, 2026

CVE-2026-33017 is a critical-severity vulnerability rated 9.3/10 on the CVSS scale. Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. CISA has confirmed active exploitation in the wild. EPSS estimates a 98.41% chance of exploitation in the next 30 days.

Description

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0

9.3/10

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS Probability

98.41%

99.9th percentile

Probability of exploitation in the next 30 days. Learn more

Exploitation Status

This vulnerability is listed in CISA’s Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. Federal agencies must remediate by Apr 8, 2026.

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Langflow	Langflow	< 1.8.2

References

https://github.com/advisories/GHSA-rvqx-wpfh-mfx7Third Party Advisory
https://github.com/langflow-ai/langflow/commit/73b6612e3ef25fdae0a752d75b0fabd47328d4f0Patch
https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvxExploit, Mitigation, Vendor Advisory
https://github.com/langflow-ai/langflow/releases/tag/1.8.2Release Notes
https://medium.com/@aviral23/cve-2026-33017-how-i-found-an-unauthenticated-rce-in-langflow-by-reading-the-code-they-already-dc96cdce5896Exploit, Third Party Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-33017US Government Resource
https://www.sysdig.com/blog/cve-2026-33017-how-attackers-compromised-langflow-ai-pipelines-in-20-hoursPress/Media Coverage

Timeline

Published: Mar 20, 2026
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2026-33017?

How severe is CVE-2026-33017?

CVE-2026-33017 has a CVSS score of 9.3/10 (CRITICAL severity). The EPSS model estimates a 98.41% probability of exploitation in the next 30 days. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

How do I fix CVE-2026-33017?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2026-33017?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST