Overview: CVE-2026-33017 — Critical Unauthenticated RCE in Langflow
A critical remote code execution (RCE) vulnerability, tracked as CVE-2026-33017, has been disclosed affecting Langflow versions 1.8.13 and earlier. Assigned a CVSS score of 9.3 (Critical), the flaw allows an unauthenticated attacker to execute arbitrary Python code on the host server by abusing an unprotected API endpoint. A public proof-of-concept (PoC) exploit is already available, making this a high-priority patching emergency for any organization running Langflow in production. The vulnerability was disclosed on March 18, 2026, and has been addressed in Langflow version 1.8.1.
What Is Langflow?
Langflow is a popular open-source, low-code platform for building and deploying LLM-powered applications and AI agent workflows. It is widely used by developers and organizations to visually compose complex AI pipelines. Its API-driven architecture, while flexible, introduces significant attack surface — as this vulnerability demonstrates. Because Langflow instances are frequently exposed to internal networks or the public internet, a critical RCE flaw in its API carries outsized risk.
Technical Root Cause: Unsafe exec() with Attacker-Controlled Input
The vulnerability originates in the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint, which was designed to allow public flows to be built without authentication. The flaw is twofold:
- Missing authentication: The endpoint accepts requests from any unauthenticated caller.
- Unvalidated attacker input passed to exec(): The endpoint accepts an optional data parameter. Instead of exclusively using the flow definition stored in the database, the server uses the attacker-supplied data value directly when it is present.
The attacker-controlled flow data — containing malicious Python code embedded in node template definitions — is passed through Langflow's graph building pipeline. It ultimately reaches the prepare_global_scope() function, where it is compiled and executed via Python's exec() with no sandboxing whatsoever.
The vulnerable code pattern in src/lfx/src/lfx/custom/validate.py:
exec(compiled_code, exec_globals) — executed against attacker-supplied AST nodes with no isolation.
Because exec() processes all top-level AST nodes — including Assign nodes — code such as _x = os.system("id") runs immediately during graph construction, before any further validation could theoretically occur. The result is full, unsandboxed code execution under the privileges of the Langflow server process.
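The following audit helper is an added example, not Langflow's code or the vendor patch. It parses the code fields of an exported flow definition, without executing them, and reports module-level statements that would do work at exec() time; the JSON nesting of the sample flow and all function names are assumptions made for illustration.

```python
import ast

# Statement types that only bind a name or import when exec() runs the body.
SKIP = (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef,
        ast.Import, ast.ImportFrom)

def exec_time_statements(source):
    """Return (lineno, node_type, text) for each module-level statement that
    does work during exec() instead of defining a function or class. Class
    bodies also run at exec() time; this triage pass is module level only."""
    try:
        body = ast.parse(source).body
    except SyntaxError as err:
        return [(err.lineno or 0, "SyntaxError", err.msg)]
    found = []
    for node in body:
        if isinstance(node, SKIP):
            continue
        if isinstance(node, ast.Expr) and isinstance(node.value, ast.Constant):
            continue  # docstring or bare literal
        found.append((node.lineno, type(node).__name__, ast.unparse(node)))
    return found

def iter_code_values(obj, path="flow"):
    """Yield (path, code) for every {"code": {"value": <str>}} in flow JSON.
    Walking recursively avoids assuming how node templates are nested."""
    if isinstance(obj, dict):
        code = obj.get("code")
        if isinstance(code, dict) and isinstance(code.get("value"), str):
            yield f"{path}.code", code["value"]
        for key, val in obj.items():
            yield from iter_code_values(val, f"{path}.{key}")
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            yield from iter_code_values(val, f"{path}[{i}]")

def audit_flow(flow):
    """Map each code field's path to its exec-time statements (hits only)."""
    hits = ((p, exec_time_statements(c)) for p, c in iter_code_values(flow))
    return {p: found for p, found in hits if found}

# Constructed sample: node 0 only defines a class, node 1 carries the
# page's example assignment. The code is parsed here, never executed.
SAMPLE_FLOW = {"data": {"nodes": [
    {"data": {"node": {"template": {"code": {"value":
        "class Echo:\n    def run(self):\n        return 1\n"}}}}},
    {"data": {"node": {"template": {"code": {"value":
        'import os\n_x = os.system("id")\n'}}}}},
]}}
```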
Prerequisites and Attack Conditions
Successful exploitation requires the following conditions, both of which are trivially satisfied on default Langflow deployments:
- A valid public Flow ID: At least one public flow must exist on the target instance.
- AUTO_LOGIN=true (default): Langflow ships with AUTO_LOGIN=true enabled by default. This allows any unauthenticated actor to obtain a superuser token from /api/v1/auto_login and subsequently create a public flow — generating a valid Flow ID without any credentials.
This means that on a freshly installed, default-configured Langflow instance reachable over a network, an attacker requires zero credentials to achieve full RCE.
How the Exploit Works: Step-by-Step
The exploit follows a straightforward three-stage process:
- Step 1 — Obtain a superuser token: Send a GET request to /api/v1/auto_login to retrieve an access token. No credentials are required when AUTO_LOGIN=true.
- Step 2 — Create a public flow: Use the token to POST a new flow with "access_type": "PUBLIC" to /api/v1/flows/, capturing the returned Flow ID.
- Step 3 — Trigger RCE: Submit a crafted JSON payload to the unauthenticated /api/v1/build_public_tmp/{flow_id}/flow endpoint. The payload embeds a malicious Python command inside the code value of a node template definition within the data parameter.
The malicious code value — for example, import os; os.system("touch /tmp/pwned") — executes immediately on the server during graph building. The attacker can substitute any arbitrary system command, including downloading and executing reverse shells, installing persistence mechanisms, or exfiltrating sensitive data.
Distinction from CVE-2025-3248
It is important to note that CVE-2026-33017 is distinct from the previously patched CVE-2025-3248, which targeted the /api/v1/validate/code endpoint. Organizations that patched CVE-2025-3248 are not protected against this new vulnerability. The attack surface has shifted to a different endpoint with a different code path, reinforcing the need for version-level upgrades rather than reliance on prior patches alone.
Impact: What an Attacker Can Achieve
Successful exploitation of CVE-2026-33017 grants an attacker code execution with the full privileges of the Langflow server process. Potential consequences include:
- Complete server compromise and persistent backdoor installation
- Theft of sensitive data, API keys, and credentials stored on the host or accessible from it
- Lateral movement into connected internal network segments
- Deployment of cryptocurrency miners or ransomware
- Abuse of the compromised host as a pivot point for further attacks
Given the public availability of a working PoC exploit and the zero-credential exploitation path on default configurations, active exploitation in the wild should be considered likely and imminent.
Remediation and Mitigations
The following actions should be taken immediately by any organization running Langflow:
- Upgrade immediately: Update Langflow to version 1.8.1 or later. The patch removes the attacker-controllable data parameter from the build_public_tmp function in chat.py, eliminating the injection vector.
- Disable AUTO_LOGIN: Set AUTO_LOGIN=false in all production environments. This removes the zero-credential precondition required for exploitation.
- Network-level restriction: Block or restrict access to the /api/v1/build_public_tmp/ endpoint at the firewall or reverse proxy layer, particularly from untrusted networks.
- Audit public flows: Review existing Langflow instances for unexpected public flows, which could indicate prior reconnaissance or exploitation attempts.
- Monitor for indicators: Review server logs for unusual requests to the build_public_tmp endpoint and watch for anomalous process spawning from the Langflow process.
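One way to implement the log review, as an added example that is not part of the original advisory or of Langflow: it lists every POST to the build_public_tmp endpoint and escalates clients that made the three requests described above in order within a short window. The access-log format (common log format from a reverse proxy), the 10-minute window, and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumed log format: common/combined access log written by a reverse proxy.
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3})')
BUILD = re.compile(r"^/api/v1/build_public_tmp/([^/?]+)/flow(?:\?|$)")
# The three requests of the chain described on this page, in order.
STAGES = [("GET", re.compile(r"^/api/v1/auto_login/?(?:\?|$)")),
          ("POST", re.compile(r"^/api/v1/flows/?(?:\?|$)")),
          ("POST", BUILD)]

def parse(line):
    """Return (ip, timestamp, method, path), or None for unparseable lines."""
    m = LINE.match(line)
    if not m:
        return None
    ip, ts, method, path, _status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path

def triage(lines, window=timedelta(minutes=10)):
    """Return (build_posts, chains).
    build_posts: (ip, flow_id) for every POST to the build_public_tmp endpoint.
    chains: (ip, flow_id) where one client made all three requests in order."""
    build_posts, chains, progress = [], [], {}
    for ip, ts, method, path in filter(None, map(parse, lines)):
        hit = BUILD.match(path) if method == "POST" else None
        if hit:
            build_posts.append((ip, hit.group(1)))
        stage, start = progress.get(ip, (0, ts))
        if stage and ts - start > window:
            stage = 0  # earlier steps are too old to count
        want_method, want_path = STAGES[stage]
        if method == want_method and want_path.match(path):
            start = ts if stage == 0 else start
            stage += 1
            if stage == len(STAGES):
                chains.append((ip, hit.group(1)))
                stage = 0
        progress[ip] = (stage, start)
    return build_posts, chains

# Constructed sample lines (documentation IP ranges, made-up flow IDs).
SAMPLE_LOG = [
    '192.0.2.5 - - [18/Mar/2026:09:59:50 +0000] "GET /api/v1/auto_login HTTP/1.1" 200',
    '198.51.100.7 - - [18/Mar/2026:10:00:01 +0000] "GET /api/v1/auto_login HTTP/1.1" 200',
    '198.51.100.7 - - [18/Mar/2026:10:00:02 +0000] "POST /api/v1/flows/ HTTP/1.1" 201',
    '198.51.100.7 - - [18/Mar/2026:10:00:03 +0000] "POST /api/v1/build_public_tmp/flow-a/flow HTTP/1.1" 200',
    '203.0.113.20 - - [18/Mar/2026:10:05:00 +0000] "POST /api/v1/build_public_tmp/flow-b/flow HTTP/1.1" 200',
]
```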
Conclusion
CVE-2026-33017 represents a textbook critical vulnerability: zero authentication required, a public PoC available, and devastating impact on exploitation. The combination of Langflow's default AUTO_LOGIN=true configuration and an unguarded exec() call on user-supplied data creates a trivially exploitable, fully unauthenticated RCE pathway. Security teams should treat this as an emergency patching event. If immediate upgrading is not possible, disabling auto-login and restricting the vulnerable endpoint at the network perimeter are essential interim controls. The AI/LLM tooling ecosystem continues to expand rapidly — and as this vulnerability illustrates, security hygiene in these platforms must keep pace.