Critical Langflow RCE CVE-2026-33017 Exploited Within 20 Hours of Disclosure

A critical unauthenticated remote code execution flaw in the open source AI platform Langflow, tracked as CVE-2026-33017 with a CVSS score of 9.3, was publicly disclosed on March 17, 2026 and saw exploitation within 20 hours.

KEY FACTS

  • Incident: Unauthenticated remote code execution in Langflow
  • CVE: CVE-2026-33017, CVSS 9.3
  • Impact: Arbitrary code execution as the server process
  • Affected: Versions prior to and including 1.8.1
  • Timeline: Exploitation observed within 20 hours of disclosure

A technical analysis by Sysdig said attackers scanned the internet for vulnerable instances soon after publication and built working exploits from the advisory text. The analysis describes automated scanning, credential harvesting, and a move to custom Python scripts that exfiltrated keys and files and staged a next-stage payload on an external host.

According to the GitHub advisory, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data containing arbitrary Python in node definitions and passes it to exec() with zero sandboxing, resulting in unauthenticated remote code execution.

Successful exploitation can run arbitrary code with the privileges of the server process, which can expose environment variables, access or modify files, inject backdoors, or obtain a reverse shell. The flaw affects releases up to and including 1.8.1 and is addressed in development version 1.9.0.dev8. Users are advised to update to a patched release, audit environment variables and secrets, rotate keys and database passwords, monitor for unusual outbound connections, and restrict network access to public Langflow instances.
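As a review aid for the steps above, the following added example (not code from the advisory, Sysdig or Langflow) groups POST requests to the endpoint named in the advisory by client IP. It assumes a reverse proxy writing Combined Log Format; the function name, log layout and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Endpoint from the advisory; {flow_id} is matched as any single path segment.
ENDPOINT = re.compile(r"^/api/v1/build_public_tmp/[^/?#\s]+/flow/?(?:[?#].*)?$")

# Combined Log Format, assumed here as the reverse-proxy log layout.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def find_build_public_posts(lines):
    """Group POSTs to the public-flow build endpoint by client IP."""
    hits = defaultdict(
        lambda: {"count": 0, "first": None, "last": None, "statuses": set()}
    )
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m["method"] != "POST" or not ENDPOINT.match(m["path"]):
            continue  # unparseable line, other method, or other route
        h = hits[m["ip"]]
        h["count"] += 1
        h["first"] = h["first"] or m["ts"]  # lines are assumed chronological
        h["last"] = m["ts"]
        h["statuses"].add(int(m["status"]))
    return dict(hits)

# Constructed sample lines: documentation IP ranges, placeholder flow ids.
SAMPLE = [
    '203.0.113.7 - - [18/Mar/2026:09:12:01 +0000] "POST /api/v1/build_public_tmp/FLOW-ID-1/flow HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [18/Mar/2026:09:12:09 +0000] "POST /api/v1/build_public_tmp/FLOW-ID-1/flow HTTP/1.1" 500 87 "-" "-"',
    '198.51.100.20 - - [18/Mar/2026:09:13:40 +0000] "GET /api/v1/build_public_tmp/FLOW-ID-2/flow HTTP/1.1" 405 0 "-" "-"',
    '198.51.100.20 - - [18/Mar/2026:09:14:02 +0000] "POST /api/v1/flows/ HTTP/1.1" 401 0 "-" "-"',
    '192.0.2.44 - - [18/Mar/2026:10:02:15 +0000] "POST /api/v1/build_public_tmp/FLOW-ID-3/flow?x=1 HTTP/1.1" 200 498 "-" "-"',
]

if __name__ == "__main__":
    for ip, h in sorted(find_build_public_posts(SAMPLE).items()):
        print(f'{ip}: {h["count"]} POST(s), {h["first"]} -> {h["last"]}, '
              f'statuses {sorted(h["statuses"])}')
```

Access logs do not record the request body, so a hit cannot show whether the optional data parameter was supplied; treat each source as a lead to correlate with outbound-connection and process telemetry.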

WHY IT MATTERS

The rapid weaponization of this vulnerability underscores the shrinking time to exploit for critical flaws and increases exposure for publicly accessible AI tooling. Administrators should treat public Langflow instances as high risk and apply fixes and access controls immediately.