
The Cybersecurity and Infrastructure Security Agency (CISA) has warned that a critical vulnerability in the Langflow AI agent framework is actively being exploited.

The vulnerability, tracked as CVE-2026-33017, allows unauthenticated Remote Code Execution (RCE). It received a critical CVSS score of 9.3, highlighting its severity. The flaw allows threat actors to execute arbitrary Python code on affected systems without authentication.

Langflow is an open-source low-code tool for building AI agents and workflows through a visual drag-and-drop interface. The framework also provides a REST API for programmatic execution, making it attractive for developers building AI pipelines. Its widespread adoption, including integrations with cloud services and AI APIs, increases the potential impact of exploitation.

The attack vector is the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint, which allows unauthorized users to build public flows. According to Langflow, if attackers provide a crafted “data” parameter, the endpoint processes attacker-controlled flow data containing arbitrary Python code.

This code is passed directly to Python's exec() function without sandboxing, ultimately granting remote code execution to unauthenticated users. Because exploitation can be triggered through a single crafted HTTP request, attackers can quickly compromise exposed instances.
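For defenders triaging exposure, the following added example (not code from Langflow, CISA, or Sysdig) scans reverse-proxy access logs for POST requests to the endpoint named above and counts them per source address. It assumes the proxy writes the common "combined" log format; the sample lines, addresses, and flow IDs are constructed. Access logs in this format do not record request bodies, so each hit is a candidate for review rather than proof that a "data" parameter was supplied.

```python
import re
from collections import Counter

# Combined log format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Endpoint path from the advisory: /api/v1/build_public_tmp/{flow_id}/flow
ENDPOINT_RE = re.compile(r'^/api/v1/build_public_tmp/(?P<flow_id>[^/]+)/flow/?$')

# Constructed sample lines (documentation IP ranges, made-up flow IDs).
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2026:10:00:01 +0000] "POST /api/v1/build_public_tmp/flow-aaaa/flow HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.20 - - [12/Mar/2026:10:00:05 +0000] "GET /api/v1/build_public_tmp/flow-aaaa/flow HTTP/1.1" 405 31 "-" "-"',
    '198.51.100.7 - - [12/Mar/2026:10:00:09 +0000] "POST /api/v1/build_public_tmp/flow-bbbb/flow?stream=false HTTP/1.1" 200 498 "-" "-"',
    '192.0.2.10 - - [12/Mar/2026:10:01:00 +0000] "POST /api/v1/login HTTP/1.1" 200 120 "-" "-"',
    '203.0.113.20 - - [12/Mar/2026:10:02:30 +0000] "POST /api/v1/build_public_tmp/flow-cccc/flow/ HTTP/1.1" 500 77 "-" "-"',
]


def find_endpoint_posts(lines):
    """Return one dict per POST request to the build_public_tmp endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparseable line, or not the method the advisory names
        path = m["target"].split("?", 1)[0]  # ignore any query string
        ep = ENDPOINT_RE.match(path)
        if ep:
            hits.append({"ip": m["ip"], "time": m["time"],
                         "flow_id": ep["flow_id"], "status": int(m["status"])})
    return hits


def summarize_by_source(hits):
    """Count hits per source IP so repeated callers stand out."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = find_endpoint_posts(SAMPLE_LOG)
    for ip, count in summarize_by_source(found).most_common():
        print(f"{ip}: {count} POST(s) to build_public_tmp")
```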

Successful exploitation could set off a domino effect. Langflow instances often contain API keys for services such as cloud providers, AI platforms, and source code repositories. According to Sysdig researchers, attackers who obtain these credentials could move laterally to connected systems, access databases, or even launch supply chain attacks by compromising CI/CD pipelines and software repositories.

Langflow addressed CVE-2026-33017 in version 1.9.0, and users are advised to upgrade immediately.
