RAXE-2026-043 CRITICAL CVSS 9.8 v3.1 S2

Langflow Unauthenticated Code Injection RCE via Public Flow Build Endpoint (CVE-2026-33017)

Agent Security 2026-03-27 M. Hirani TLP:GREEN
CVE-2025-3248 CVE-2026-27966 CVE-2026-33017

1. Executive Summary

A critical unauthenticated remote code execution vulnerability (CVE-2026-33017) in Langflow allows attackers to run arbitrary Python code on the server by sending a crafted POST request to the public flow build endpoint, with no authentication required (NVD). The vulnerability carries a CVSS v3.1 score of 9.8 CRITICAL (NVD Primary) and was added to CISA's Known Exploited Vulnerabilities (KEV) catalogue on 2026-03-25, confirming active exploitation in the wild (CISA KEV). The NVD description states the vulnerability affects versions "prior to 1.9.0" (NVD), but neither the GitHub advisory metadata (which lists patched versions as None) nor public release channels expose an installable patched release — the latest available version on PyPI and GitHub Releases is 1.8.3 (PyPI, GHSA-vwmf-pq79-vjvx). Compensating controls are the only immediately actionable mitigation: block unauthenticated access to the Langflow API and disable public flows.

2. Risk Rating

Dimension Rating Detail
Severity CRITICAL CVSS v3.1: 9.8 (NVD Primary); CVSS v4.0: 9.3 (CNA-submitted, Secondary) (NVD)
Urgency CRITICAL CISA KEV added 2026-03-25 with remediation deadline 2026-04-08; active exploitation reported per CISA KEV listing (CISA KEV)
Scope HIGH Langflow is an open-source AI agent builder and LLM orchestration platform; default configuration (AUTO_LOGIN=true) is exploitable without any authentication (GHSA-vwmf-pq79-vjvx)
Confidence CONFIRMED NVD status is Analyzed; PoC tested against Langflow 1.7.3 with 100% reproduction rate (3/3 runs) (GHSA-vwmf-pq79-vjvx). NVD description states fix in 1.9.0, but GHSA advisory metadata lists patched versions as None and no 1.9.0 release exists on PyPI (NVD, GHSA-vwmf-pq79-vjvx, PyPI)
Business Impact CRITICAL Full remote code execution with server process privileges; arbitrary file access, credential exfiltration, reverse shell establishment, and lateral movement (RAXE assessment)

CVSS Detail

CVSS v3.1 (NVD Primary): 9.8 CRITICAL — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD)

The NVD has completed its own analysis (vulnStatus: Analyzed, last modified 2026-03-26) (NVD). The CVSS v3.1 score of 9.8 is an NVD Primary score, representing NVD's independent assessment.

CVSS v4.0 (CNA-submitted, Secondary): 9.3 CRITICAL — CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L (NVD)

The CVSS v4.0 score was submitted by the CNA (security-advisories@github.com) and is classified as Secondary in the NVD response.

EPSS

The EPSS score is 6.142% (91st percentile) (NVD), indicating this vulnerability ranks in the top 9% for predicted exploitation probability. This is consistent with the confirmed active exploitation reflected in the CISA KEV listing (CISA KEV).

Version Range Discrepancy

Primary sources diverge on the fix version. The NVD description states the vulnerability affects "versions prior to 1.9.0" (NVD). The GHSA advisory lists the affected range as <= 1.8.2 but shows patched versions: None in its metadata (GHSA-vwmf-pq79-vjvx). The NVD CPE configuration specifies versionEndExcluding: 1.8.2 (NVD), which would exclude version 1.8.2 itself — inconsistent with both the NVD description and the GHSA range. The latest public release on PyPI and GitHub Releases is 1.8.3 (PyPI); no 1.9.0 release exists on any channel as of 2026-03-28. This draft treats NVD's "prior to 1.9.0" as the stated affected range and notes that no installable patched release is currently available. Compensating controls are the only actionable remediation.

3. Affected Products

Package Ecosystem Affected Versions Fixed Version Source
langflow PyPI (pip) <= 1.8.2 1.9.0 (NVD description; GHSA metadata lists patched versions: None; not published to PyPI or GitHub Releases as of 2026-03-28 — latest: 1.8.3) (NVD, GHSA-vwmf-pq79-vjvx, PyPI)

Vendor: Langflow (open-source, hosted at github.com/langflow-ai/langflow).

Fix commit: 73b6612e3ef25fdae0a752d75b0fabd47328d4f0 (NVD).

Am I Affected?

  • Check if your organisation deploys Langflow in any capacity (development, staging, or production)
  • Check the installed version: pip show langflow | grep Version — any version <= 1.8.2 is affected (GHSA-vwmf-pq79-vjvx)
  • Check if the instance is network-accessible: the vulnerability is exploitable over the network without authentication (NVD)
  • Check the AUTO_LOGIN setting: the default value is true, which makes exploitation trivially achievable without even needing a pre-existing public flow (GHSA-vwmf-pq79-vjvx)
  • Check if public flows exist on the instance: any publicly shared flow exposes the vulnerable endpoint (GHSA-vwmf-pq79-vjvx)

4. Abstract

CVE-2026-33017 is an unauthenticated remote code execution vulnerability in Langflow, an open-source AI agent builder and LLM orchestration platform. The POST /api/v1/build_public_tmp/{flow_id}/flow endpoint is designed to allow building public flows without authentication, but incorrectly accepts an attacker-supplied data parameter containing arbitrary Python code in node definitions (NVD). This code is passed through a chain of functions culminating in unsandboxed dynamic code evaluation within prepare_global_scope() at validate.py:397 (GHSA-vwmf-pq79-vjvx). The vulnerability is classified under CWE-94 (Code Injection), CWE-95 (Eval Injection), and CWE-306 (Missing Authentication for Critical Function) (NVD).

This vulnerability is distinct from CVE-2025-3248 (GHSA-rvqx-wpfh-mfx7), which was an earlier code execution vulnerability in Langflow's /api/v1/validate/code endpoint that was fixed by adding authentication (NVD). The build_public_tmp endpoint presents a fundamentally different challenge: it is intentionally unauthenticated for public flow access, but the data parameter allows replacement of the stored flow data with attacker-controlled code (NVD).

5. Key Findings

  1. Unauthenticated remote code execution — The POST /api/v1/build_public_tmp/{flow_id}/flow endpoint runs attacker-supplied Python code without any authentication, sandboxing, or input validation (NVD).

  2. Default configuration is exploitable — When AUTO_LOGIN=true (the default setting), an attacker can create their own public flow and immediately exploit it without any pre-existing conditions on the target instance (GHSA-vwmf-pq79-vjvx).

  3. Code runs during graph building — The injected code runs at the graph-building stage (via prepare_global_scope() calling a dynamic code evaluation function), before the flow is ever "run." Python assignment statements in attacker-supplied node definitions are processed as top-level definitions (GHSA-vwmf-pq79-vjvx).

  4. Active exploitation reported — CISA added CVE-2026-33017 to its Known Exploited Vulnerabilities catalogue on 2026-03-25 with a remediation deadline of 2026-04-08 (CISA KEV). The CISA required action is: "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable" (CISA KEV).

  5. Distinct from prior Langflow RCE — This vulnerability differs from CVE-2025-3248, which affected /api/v1/validate/code and was fixed by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated; the fix requires removing acceptance of attacker-supplied flow data, not simply adding auth (NVD).

  6. Sysdig reports rapid exploitation timeline — Sysdig published an analysis documenting how attackers compromised Langflow AI pipelines within 20 hours of the vulnerability becoming actionable (NVD references: Sysdig blog).

6. Attack Flow

+------------------------------------+
| 1. Unauthenticated attacker sends  |
|    POST /api/v1/build_public_tmp/  |
|    {flow_id}/flow with malicious   |
|    data parameter.                 |
+-----------------+------------------+
                  |
                  v
+------------------------------------+
| 2. Langflow accepts attacker-      |
|    controlled flow data at the     |
|    public build endpoint.          |
+-----------------+------------------+
                  |
                  v
+------------------------------------+
| 3. create_graph() /                |
|    build_graph_from_data() parses  |
|    attacker-defined nodes.         |
+-----------------+------------------+
                  |
                  v
+------------------------------------+
| 4. instantiate_class() reaches     |
|    eval_custom_component_code()    |
|    and prepare_global_scope().     |
+-----------------+------------------+
                  |
                  v
+------------------------------------+
| 5. Attacker Python executes with   |
|    Langflow server process         |
|    privileges.                     |
+-----------------+------------------+
                  |
                  v
+------------------------------------+
| 6. Post-exploitation actions can   |
|    include file access, credential |
|    theft, and reverse shell setup. |
+-----------------+------------------+
                  |
                  v
+------------------------------------+
| 7. Server still returns HTTP 200   |
|    and a build job ID after code   |
|    execution has already begun.    |
+------------------------------------+

All steps in this diagram are derived from the NVD description and GHSA advisory code path analysis (NVD, GHSA-vwmf-pq79-vjvx). Step 6 impacts are RAXE assessment based on the confirmed arbitrary code evaluation with server process privileges.

7. Technical Details

Vulnerable Endpoint

The vulnerability resides in the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint, implemented in src/backend/base/langflow/api/v1/chat.py at lines 580-657 (GHSA-vwmf-pq79-vjvx). This endpoint is designed to allow building public flows without authentication — it does not include a Depends(get_current_active_user) dependency, unlike the authenticated build endpoint at line 138 (GHSA-vwmf-pq79-vjvx).

The endpoint accepts an optional data parameter of type FlowDataRequest. When this parameter is supplied, the endpoint uses the attacker-controlled flow data instead of the stored flow data from the database (NVD). The NVD description states: "When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to [a dynamic evaluation function] with zero sandboxing, resulting in unauthenticated remote code execution" (NVD).

Code Path

The GHSA advisory documents the full code path from HTTP request to arbitrary code evaluation (GHSA-vwmf-pq79-vjvx):

  1. start_flow_build(data=attacker_data) passes the attacker's flow data to generate_flow_events() (build.py:81)
  2. create_graph() calls build_graph_from_data(payload=data.model_dump()) (build.py:298)
  3. Graph.from_payload(payload) parses the attacker's node definitions (base.py:1168)
  4. add_nodes_and_edges() iterates through nodes and calls initialize() (base.py:270,527)
  5. _instantiate_components_in_vertices() processes each vertex (base.py:1323)
  6. vertex.instantiate_component() calls instantiate_class(vertex) (loading.py:28)
  7. The code field is extracted from the node template: code = custom_params.pop("code") (loading.py:43)
  8. eval_custom_component_code(code) calls create_class(code, class_name) (eval.py:9)
  9. prepare_global_scope(module) processes the code (validate.py:323)
  10. The attacker's arbitrary Python code is dynamically evaluated with full server privileges (validate.py:397)

Unsandboxed Code Evaluation in prepare_global_scope

The prepare_global_scope() function at validate.py lines 340-397 first resolves imports (any Python module can be imported via importlib.import_module()), then compiles and dynamically evaluates all top-level definitions (including assignment, class, and function definition AST nodes) with no sandboxing (GHSA-vwmf-pq79-vjvx). The GHSA advisory notes that attacker code structured as a Python assignment statement is processed during graph building, before the flow ever "runs" (GHSA-vwmf-pq79-vjvx).

Exploitation Prerequisites

  1. The target Langflow instance is running a version <= 1.8.2 (GHSA-vwmf-pq79-vjvx)
  2. At least one public flow exists on the instance, or AUTO_LOGIN=true is set (the default), which allows the attacker to create their own public flow via the unauthenticated auto_login endpoint (GHSA-vwmf-pq79-vjvx)
  3. The attacker knows a valid public flow UUID (discoverable via shared flow links/URLs) (GHSA-vwmf-pq79-vjvx)
  4. No authentication is required for the attack (CWE-306; CVSS PR:N) (NVD)

Relationship to CVE-2025-3248

CVE-2025-3248 (GHSA-rvqx-wpfh-mfx7) was a prior Langflow vulnerability in the /api/v1/validate/code endpoint that was fixed by adding authentication (NVD). The NVD description explicitly distinguishes CVE-2026-33017: "This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code" (NVD). The GHSA advisory further notes that a simple authentication check does not fix this endpoint, since it is intentionally unauthenticated; the fix requires preventing the data parameter from supplying attacker-controlled code (GHSA-vwmf-pq79-vjvx).

Relationship to RAXE-2026-013

RAXE-2026-013 covers CVE-2026-27966, a separate Langflow vulnerability involving CSV Agent RCE via Prompt Injection. That finding addresses a different vulnerability class (prompt injection causing code execution through allow_dangerous_code=True) in a different component (the CSV Agent). CVE-2026-33017 is a direct server-side code injection vulnerability via the build endpoint, not mediated by prompt injection (RAXE assessment).

8. Confidence & Validation

Assessment Confidence: Confirmed

Aspect Status Detail
Vendor Advisory Yes GHSA-vwmf-pq79-vjvx published 2026-03-17 with full code path analysis and PoC (GHSA-vwmf-pq79-vjvx)
CVE Assigned Yes CVE-2026-33017, published 2026-03-20, last modified 2026-03-26 (NVD)
NVD Status Analyzed NVD has completed independent analysis; CVSS v3.1 9.8 is an NVD Primary score (NVD)
PoC Available Yes GHSA advisory contains a full PoC tested against Langflow 1.7.3 with 100% reproduction (3/3 runs confirmed RCE); researcher writeup published on Medium (GHSA-vwmf-pq79-vjvx, NVD references)
Patch Available Partial The NVD description states the fix is in version 1.9.0 and the GHSA advisory references commit 73b6612 (NVD, GHSA-vwmf-pq79-vjvx). However, the GHSA advisory metadata lists patched versions as None, and version 1.9.0 has not been published to PyPI or GitHub Releases as of 2026-03-28; the latest installable release is 1.8.3 (PyPI, GHSA-vwmf-pq79-vjvx). Compensating controls are the only actionable mitigation until an installable fix ships.
Exploited in Wild Yes CISA KEV added 2026-03-25 (CISA KEV); Sysdig reports exploitation within 20 hours (NVD references: Sysdig blog)

PoC Verification

The GHSA advisory includes detailed PoC results showing three consecutive RCE confirmations against Langflow 1.7.3 with file creation at /tmp/rce-proof as the canary artefact (GHSA-vwmf-pq79-vjvx). The PoC demonstrates the full attack chain: obtaining an auto-login token, creating a public flow, and exploiting the build endpoint with a crafted node definition containing system command calls and file operations (GHSA-vwmf-pq79-vjvx).

Credits

The vulnerability was reported by Aviral2642, andifilhohub, Jkavia, and srmish-jfrog (GHSA-vwmf-pq79-vjvx).

9. Detection Signatures

Detection Coverage Summary

File Format Detection Layer MITRE ATT&CK
sigma-langflow-rce-web.yml Sigma Web/proxy logs T1190, T1059.006
sigma-langflow-rce-process.yml Sigma Endpoint/process creation T1059.006, T1059.004, T1053.003, T1041, T1071.001
yara-langflow-rce-payload.yar (3 rules) YARA Network traffic / log forensics T1190, T1059.006

Sigma -- Web/Proxy Detection (Delivery Telemetry)

title: Langflow Unauthenticated Code Injection RCE -- Web/Proxy Detection (CVE-2026-33017)
id: raxe-2026-043-sigma-01
status: experimental
description: >
  Detects HTTP POST requests to the Langflow public flow build endpoint
  /api/v1/build_public_tmp/{flow_id}/flow, the attack surface for
  CVE-2026-33017 unauthenticated code injection (NVD, GHSA-vwmf-pq79-vjvx).
  CISA KEV added 2026-03-25 confirming active exploitation.
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2026-33017
  - https://github.com/advisories/GHSA-vwmf-pq79-vjvx
author: RAXE Labs
date: 2026-03-27
tags:
  - attack.execution
  - attack.t1059.006
  - attack.initial-access
  - attack.t1190
  - cve.2026-33017
logsource:
  category: webserver
detection:
  selection_method:
    cs-method: POST
  selection_endpoint:
    cs-uri|contains: '/api/v1/build_public_tmp/'
  selection_endpoint_suffix:
    cs-uri|endswith: '/flow'
  filter_authenticated:
    cs-status:
      - 401
      - 403
  condition: selection_method and selection_endpoint and selection_endpoint_suffix and not filter_authenticated
falsepositives:
  - Legitimate use of Langflow public flows by authorised users
  - Automated health checks or monitoring tools polling the build endpoint
  - Langflow UI-initiated build requests (these typically carry session cookies)
level: critical

Deployment guidance: Deploy on reverse proxy or WAF logs (nginx, HAProxy, Traefik, Envoy, Cloudflare, AWS WAF). Map cs-method, cs-uri, cs-status to your log source schema. Given CISA KEV status, any match from an external IP should trigger incident response triage (RAXE assessment).

Sigma -- Post-Exploitation Process Detection

title: Langflow Post-Exploitation -- Suspicious Child Process Spawning (CVE-2026-33017)
id: raxe-2026-043-sigma-02
status: experimental
description: >
  Detects suspicious child processes spawned by Langflow server processes,
  indicating post-exploitation activity following CVE-2026-33017 code
  injection (RAXE assessment based on GHSA-vwmf-pq79-vjvx code path).
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2026-33017
  - https://github.com/advisories/GHSA-vwmf-pq79-vjvx
author: RAXE Labs
date: 2026-03-27
tags:
  - attack.execution
  - attack.t1059.006
  - attack.t1059.004
  - attack.persistence
  - attack.t1053.003
  - cve.2026-33017
logsource:
  category: process_creation
  product: linux
detection:
  selection_parent_langflow:
    ParentCommandLine|contains:
      - 'langflow'
      - 'uvicorn'
      - 'gunicorn'
    ParentImage|endswith:
      - '/python3'
      - '/python'
      - '/uvicorn'
  selection_shell_spawn:
    Image|endswith:
      - '/sh'
      - '/bash'
      - '/dash'
      - '/zsh'
  selection_revshell_tools:
    Image|endswith:
      - '/nc'
      - '/ncat'
      - '/socat'
      - '/curl'
      - '/wget'
    CommandLine|contains:
      - '-e /bin/'
      - 'EXEC:'
      - '/dev/tcp/'
  selection_python_subproc:
    Image|endswith:
      - '/python3'
      - '/python'
    CommandLine|contains:
      - '-c import'
      - 'socket.socket'
      - 'pty.spawn'
  selection_cred_harvest:
    CommandLine|contains:
      - '/etc/passwd'
      - '/etc/shadow'
      - '.env'
      - 'printenv'
      - 'AWS_SECRET'
      - 'OPENAI_API_KEY'
      - 'LANGFLOW_'
      - 'DATABASE_URL'
  selection_persistence:
    CommandLine|contains:
      - 'crontab'
      - '.ssh/authorized_keys'
      - 'useradd'
      - 'chmod +s'
  condition: >
    selection_parent_langflow and
    (selection_shell_spawn or selection_revshell_tools or
     selection_python_subproc or selection_cred_harvest or
     selection_persistence)
falsepositives:
  - Langflow custom components that legitimately invoke system commands
  - Health check scripts that restart or probe the Langflow process
level: critical

Deployment guidance: Deploy on all hosts running Langflow using Sysmon for Linux, auditd, CrowdStrike/SentinelOne/Carbon Black EDR, or Falco for container environments. This rule is essential even after patching, as it reveals compromise that may have occurred before the patch was applied (RAXE assessment).

YARA -- Payload Detection (3 rules)

Three YARA rules are provided in yara-langflow-rce-payload.yar:

  1. RAXE_2026_043_Langflow_RCE_Endpoint — Detects HTTP POST requests targeting the /api/v1/build_public_tmp/*/flow endpoint pattern in raw network traffic or log data (NVD, GHSA-vwmf-pq79-vjvx).

  2. RAXE_2026_043_Langflow_RCE_Python_Injection — Detects Python code injection patterns (e.g., subprocess, __import__, socket.socket, pty.spawn) co-occurring with the Langflow build endpoint path in request bodies or captured traffic. Includes detection of JSON-encoded/Unicode-escaped evasion attempts (RAXE assessment based on GHSA-vwmf-pq79-vjvx code path).

  3. RAXE_2026_043_Langflow_RCE_PrepareGlobalScope — Hunting rule that detects references to the prepare_global_scope function name alongside build endpoint indicators or Python tracebacks in traffic or logs. Lower confidence than the above rules; intended for forensic investigation of prior exploitation (RAXE assessment).

Deployment guidance: Use for PCAP analysis during incident response, WAF request body log scanning, and historical log searches. For high-volume scanning, pre-filter to HTTP POST traffic targeting Langflow hosts (RAXE assessment).

10. Detection & Mitigation

Detection Guidance

  • Web/Proxy layer (Priority 1): Monitor for unauthenticated HTTP POST requests to /api/v1/build_public_tmp/{UUID}/flow from external or untrusted source IPs. Given CISA KEV status, any match from an external source should trigger immediate analyst triage (RAXE assessment)
  • Endpoint layer (Priority 2): Monitor for unexpected child processes (shells, reverse shell tools, Python subprocesses) spawned by the Langflow server process (Python/uvicorn/gunicorn). This detects post-exploitation activity (RAXE assessment)
  • Application logs: Monitor for errors or tracebacks referencing prepare_global_scope() in validate.py, which may indicate failed injection attempts (RAXE assessment)
  • Network egress: Monitor for unexpected outbound connections from Langflow hosts to external IPs on non-standard ports, which may indicate reverse shell C2 channels established via code injection (RAXE assessment)
  • Filesystem monitoring: Watch for unexpected file creation in /tmp/ and other writable directories by the Langflow process UID. The advisory PoC uses /tmp/rce-proof as a canary artefact (GHSA-vwmf-pq79-vjvx)

Mitigation

Priority Action Source
P0 Block unauthenticated POST requests to /api/v1/build_public_tmp/*/flow at the reverse proxy or WAF level, or block external network access to the Langflow API entirely. This is the only immediately actionable mitigation: NVD describes 1.9.0 as fixed, but GHSA advisory metadata lists patched versions as None and no 1.9.0 release exists on PyPI or GitHub Releases as of 2026-03-28 (NVD, GHSA-vwmf-pq79-vjvx, PyPI). (RAXE assessment, NVD, PyPI)
P0 Upgrade to Langflow >= 1.9.0 when available. The NVD description states 1.9.0 as the fix (NVD). Monitor PyPI and the Langflow GitHub releases page for availability. (NVD)
P1 Set AUTO_LOGIN=false to prevent unauthenticated attackers from creating their own public flows for exploitation (GHSA-vwmf-pq79-vjvx — prerequisite removal)
P1 Remove or make private all public flows until the patch is applied (RAXE assessment — prerequisite removal)
P2 Audit Langflow server hosts for indicators of prior compromise: unexpected files in /tmp/, new cron jobs, SSH key modifications, unexpected user accounts, unfamiliar outbound connections (RAXE assessment)
P2 Rotate all secrets (API keys, database credentials, cloud tokens) accessible to the Langflow server process if any evidence of exploitation is found (RAXE assessment)

Post-Patch Verification

  1. Confirm Langflow is running version >= 1.9.0: pip show langflow | grep Version (GHSA-vwmf-pq79-vjvx)
  2. Verify that unauthenticated POST requests to /api/v1/build_public_tmp/{flow_id}/flow with a malicious data parameter are rejected or the data parameter is no longer accepted (RAXE assessment)
  3. Review the CISA KEV remediation deadline of 2026-04-08 and ensure compliance with BOD 22-01 if applicable (CISA KEV)

11. Indicators of Compromise

Type Indicator Context
Network HTTP POST to /api/v1/build_public_tmp/{UUID}/flow from external IPs Exploitation attempt targeting CVE-2026-33017 (NVD, GHSA-vwmf-pq79-vjvx)
Network POST to build endpoint without session cookie or auth header Unauthenticated exploitation consistent with CWE-306 (NVD)
Network Anomalous request body sizes on the build endpoint Exploitation payloads may be larger than typical flow build requests (RAXE assessment)
Network Malformed UUIDs in build_public_tmp/{flow_id} path Reconnaissance or endpoint fuzzing activity (RAXE assessment)
Endpoint Shell processes (/bin/sh, /bin/bash) spawned by Python/uvicorn/gunicorn Post-exploitation command execution (RAXE assessment)
Endpoint Reverse shell tools (nc, ncat, socat) launched from Langflow process tree Post-exploitation C2 establishment (RAXE assessment)
Endpoint Python subprocesses with socket.socket, pty.spawn, import os arguments Reverse shell or credential harvesting via injected code (RAXE assessment)
Endpoint File creation in /tmp/ by Langflow process UID Advisory PoC uses /tmp/rce-proof as canary (GHSA-vwmf-pq79-vjvx)
Endpoint Environment variable reads (printenv, .env access) from Langflow process Credential/API key exfiltration (RAXE assessment)
Endpoint Crontab modifications, SSH authorized_keys writes, user account creation by Langflow UID Persistence installation (RAXE assessment)
Application Tracebacks referencing prepare_global_scope() in validate.py Failed injection attempts generating parse errors (RAXE assessment)
Application Unexpected outbound DNS queries or connections from Langflow host Data exfiltration or C2 beaconing (RAXE assessment)

All indicators marked (RAXE assessment) are analytically derived from the advisory code path description and the confirmed arbitrary code evaluation mechanism; they are not derived from observed exploitation campaign telemetry.

12. Strategic Context

CVE-2026-33017 represents a critical and recurring pattern in AI orchestration platform security: the fundamental tension between making AI workflows accessible and preventing server-side code injection (RAXE assessment). Langflow's architecture processes user-defined Python code as an integral part of flow building, making the boundary between legitimate functionality and exploitation extremely narrow (RAXE assessment).

This is the second critical RCE vulnerability RAXE Labs has documented in Langflow. RAXE-2026-013 covered CVE-2026-27966 (CSV Agent RCE via prompt injection), which exploited a different code path but shared the same underlying architectural weakness: user-controlled input reaching Python code evaluation functions without adequate sandboxing. CVE-2025-3248, the earlier /api/v1/validate/code vulnerability, demonstrated the same pattern. Three critical code execution vulnerabilities in the same platform within a short timeframe indicates a systemic issue with the code processing architecture, not isolated implementation errors (RAXE assessment).

The CISA KEV listing and the Sysdig report documenting exploitation within 20 hours of actionability (NVD references: Sysdig blog) underscore the urgency for organisations deploying AI orchestration platforms. AI agent builders and LLM workflow platforms that process user-defined code — including Langflow, Flowise, and similar tools — require dedicated sandboxing and isolation controls as a baseline security requirement (RAXE assessment). The default-on AUTO_LOGIN configuration in Langflow exacerbates the risk by lowering the exploitation barrier to zero prerequisites for an unauthenticated network attacker (RAXE assessment).

Organisations in sectors subject to CISA BOD 22-01 (federal civilian executive branch agencies) must remediate by 2026-04-08 (CISA KEV). All other organisations deploying Langflow should treat this as a Priority 0 remediation regardless of regulatory obligation (RAXE assessment).

13. References

  1. CVE-2026-33017 — NVD entry (Analyzed); CVSS v3.1 9.8 CRITICAL (Primary); CISA KEV 2026-03-25
  2. GHSA-vwmf-pq79-vjvx — GitHub Security Advisory with full code path analysis and PoC
  3. GHSA-rvqx-wpfh-mfx7 — Prior Langflow code execution vulnerability (CVE-2025-3248) referenced for comparison
  4. Fix commit 73b6612 — Patch commit for CVE-2026-33017
  5. Langflow 1.8.2 release notes — Last affected release (NVD reference)
  6. Researcher writeup (Aviral23) — Exploit analysis and discovery narrative (NVD reference)
  7. Sysdig blog — Exploitation timeline analysis (NVD reference)
  8. CISA KEV Catalog — CVE-2026-33017 listing, added 2026-03-25, due 2026-04-08
  9. @co11ateral on X — Source signal reporting CVE-2026-33017 exploitation
  10. Langflow Pull Request #12160 — Associated fix PR (GHSA-vwmf-pq79-vjvx reference)