CVE-2026-33017

Published: Mar 20, 2026 Last Modified: Mar 20, 2026

ExploitDB:

Other exploit source:

Google Dorks:

CRITICAL 9,3

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: none

Confidentiality: N/A

Integrity: N/A

Availability: N/A

Description

AI Translation Available

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.

Improper Control of Generation of Code ('Code Injection')

Draft

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Access Control Integrity Confidentiality Availability Non-Repudiation

Potential Impacts:

Bypass Protection Mechanism Gain Privileges Or Assume Identity Execute Unauthorized Code Or Commands Hide Activities

Applicable Platforms

Languages: Interpreted

Technologies: AI/ML

Likelihood of Exploit: Medium

View CWE Details

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

Incomplete

Abstraction: Variant Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality Access Control Integrity Availability Other Non-Repudiation

Potential Impacts:

Read Files Or Directories Read Application Data Bypass Protection Mechanism Gain Privileges Or Assume Identity Execute Unauthorized Code Or Commands Hide Activities

Applicable Platforms

Languages: Interpreted, Java, JavaScript, Perl, PHP, Python, Ruby

Technologies: AI/ML

Likelihood of Exploit: Medium

View CWE Details

306

Missing Authentication for Critical Function

Draft

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Access Control Other

Potential Impacts:

Gain Privileges Or Assume Identity Varies By Context

Applicable Platforms

Technologies: Cloud Computing, ICS/OT

Likelihood of Exploit: High

View CWE Details

https://github.com/advisories/GHSA-rvqx-wpfh-mfx7

https://github.com/langflow-ai/langflow/commit/73b6612e3ef2…

https://github.com/langflow-ai/langflow/commit/73b6612e3ef25fdae0a752d75b0fabd4…

https://github.com/langflow-ai/langflow/security/advisories…

https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx

CVE-2026-33017

Description

Improper Control of Generation of Code ('Code Injection')

Common Consequences

Applicable Platforms

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

Common Consequences

Applicable Platforms

Missing Authentication for Critical Function

Common Consequences

Applicable Platforms

Iscriviti alla newsletter