CVE‑2026‑33017 & CVE‑2025‑3248: Langflow’s Unauthenticated RCE via Unsandboxed exec() – A Deep‑Dive

Executive Summary

Langflow, the open‑source low‑code platform for building AI agents and RAG pipelines, has been hit by two critical, actively exploited vulnerabilities: CVE‑2026‑33017 (RCE via the /api/v1/build_public_tmp/{flow_id}/flow endpoint) and CVE‑2025‑3248 (RCE via /api/v1/validate/code). Both are unauthenticated, unsandboxed exec() calls that allow an attacker to run arbitrary Python code with the privileges of the Langflow server process. The attacks were observed within 20 hours of disclosure, and the affected ecosystem includes 466 internet‑exposed instances worldwide. Immediate action: upgrade to Langflow 1.9.0 (CVE‑2026‑33017) and 1.3.0 (CVE‑2025‑3248) or disable the public‑flow feature.

Technical Analysis

1. Root Cause & Vulnerability Mechanics

Item Detail
Vulnerability Type Logic flaw: missing authentication + unsandboxed exec()
Affected Endpoint POST /api/v1/build_public_tmp/{flow_id}/flow (CVE‑2026‑33017)
Legacy Endpoint POST /api/v1/validate/code (CVE‑2025‑3248)
Key Function prepare_global_scope() in code_validation.py
Unsandboxed Call exec(user_code, global_scope)
Why It Works The public‑flow endpoint is intentionally unauthenticated to allow demos. It accepts a JSON payload (data) that can contain arbitrary Python code in node definitions. The code is passed directly to prepare_global_scope() without any validation or sandboxing, so exec() runs it as the server process.
Privilege Escalation The Langflow process runs as a privileged user (often root or a dedicated service account) and has access to environment variables that store API keys for LLM providers, vector databases, and cloud accounts.

The flaw is a classic code injection problem, but the severity is amplified by the fact that the code runs with the full privileges of the Langflow service. The design decision to expose a public flow endpoint without authentication or input sanitization is the root cause.

“The vulnerability resides in the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint. This endpoint is intentionally unauthenticated to allow public demos of Langflow flows.”CISA KEV

2. Exploitation Chain – Step by Step

Below is the exact sequence an attacker follows to achieve remote code execution:

Step Action Server Response Attacker Gain
1 Craft a malicious HTTP POST to /api/v1/build_public_tmp/{flow_id}/flow with the data parameter containing a flow definition that embeds arbitrary Python code. Server accepts the request, stores the flow temporarily. None
2 Server processes the flow definition. The embedded code is extracted and passed to prepare_global_scope(). prepare_global_scope() receives the code string. None
3 prepare_global_scope() calls exec(user_code, global_scope) without sandboxing. Python interpreter executes the code in the server’s process context. Arbitrary code execution
4 The attacker’s code runs with full server privileges. Typical payloads: spawning a reverse shell, exfiltrating credentials, installing a back‑door, or pivoting to other services. Attacker obtains a shell or writes a back‑door. Full system compromise

2.1 Sample Payload

The data parameter is a JSON string that defines a flow. The malicious node is inserted as a Python node with the code to execute.

{
  "nodes": [
    {
      "id": "python_node_1",
      "type": "Python",
      "code": "import os, sys; os.system('id'); sys.exit(0)"
    }
  ],
  "edges": []
}

Curl example

curl -X POST "http://<langflow-host>/api/v1/build_public_tmp/123/flow" \
     -H "Content-Type: application/json" \
     -d '{"data":"{\"nodes\":[{\"id\":\"python_node_1\",\"type\":\"Python\",\"code\":\"import os, sys; os.system(\\\"id\\\"); sys.exit(0)\"}],\"edges\":[]}" }'

The data field is URL‑encoded JSON. The payload can be expanded to run subprocess.Popen(['bash','-c','cat /etc/passwd']) or to open a reverse shell.SecPod

2.2 Legacy CVE‑2025‑3248

The earlier flaw in /api/v1/validate/code follows the same pattern: an unauthenticated endpoint that accepts arbitrary Python code and passes it to exec() in code_validation.py. The difference is that the legacy endpoint is used for validating user‑supplied code snippets, whereas the new endpoint is for building public flows.

3. Affected Versions & Fixes

CVE Affected Versions Patched Version Fix Summary
CVE‑2026‑33017 Langflow ≤ 1.8.1 (all releases before 1.9.0) 1.9.0 Removed unsandboxed exec() from the public‑flow endpoint; added authentication guard and input validation.
CVE‑2025‑3248 Langflow ≤ 1.3.0 (all releases before 1.3.0) 1.3.0 Removed unsandboxed exec() from /api/v1/validate/code; added sandboxing and whitelist of allowed node types.

“Patch: Langflow 1.9.0 (patches CVE‑2026‑33017), Langflow 1.3.0 (patches CVE‑2025‑3248).”CISA KEV

“The vulnerability resides in the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint.”CISA KEV

4. Attack Surface & Deployment Configurations

Deployment Public‑Flow Feature Vulnerability Exposure
Enabled (default in many demos) Yes Full RCE via CVE‑2026‑33017
Disabled No No RCE via public‑flow endpoint
Firewall‑Restricted Yes, but open to the Internet RCE if firewall allows POST to endpoint
Containerized Yes RCE inside container, but may be limited by container runtime
Non‑root Service User Yes RCE limited to service user privileges, but still can read environment variables

Safe Configuration

  • Disable the public‑flow feature via the PUBLIC_FLOW_ENABLED=false flag or by removing the route from the reverse proxy.
  • Restrict the endpoint to internal networks only.
  • Run Langflow under a least‑privilege user that does not have access to sensitive credentials.

5. Comparison to Similar Incidents

Incident Similarity
Log4Shell (CVE‑2021‑44228) Both allow unauthenticated remote code execution via a crafted request to a public endpoint.
CVE‑2025‑3248 Same unsandboxed exec() in a public endpoint; identical exploitation chain.
CVE‑2023‑XXXX (Python exec in Django) Unauthenticated endpoint with unsanitized exec(); similar privilege escalation risk.

The pattern is clear: AI pipeline tools that expose public demo endpoints are fertile ground for RCE when they accept arbitrary code. The Langflow vulnerabilities are a textbook example of this design flaw.

Impact Assessment

1. Scope & Exposure

  • Internet‑exposed instances: 466 (Censys, March 2026).
  • Geographic distribution: United States, Germany, Singapore, India, China.
  • User base: Thousands of developers and enterprises building LLM agents, RAG pipelines, and chatbot workflows.

2. Real‑World Consequences

  1. Credential Theft

    • Langflow aggregates API keys for OpenAI, Anthropic, Cohere, vector databases (Pinecone, Weaviate), and cloud accounts (AWS, GCP, Azure).
    • An attacker can read these from environment variables or config files, enabling full compromise of the AI stack.

  2. Lateral Movement

    • Compromised credentials can be used to access downstream services, data lakes, and internal APIs.
    • Attackers can pivot to other systems within the same network.

  3. Data Exfiltration

    • Malicious code can read user data, logs, or even the entire file system.
    • Sensitive training data or proprietary prompts can be exfiltrated.

  4. Persistence & Back‑doors

    • Attackers can install reverse shells, cron jobs, or malicious containers that survive restarts.

  5. Regulatory & Reputational Damage

    • Breach of GDPR, CCPA, or other privacy regulations if personal data is exfiltrated.
    • Loss of trust from customers relying on AI services.

3. Comparison to Past Incidents

  • Log4Shell: 10 million affected systems, 200 000+ breaches.
  • CVE‑2025‑3248: Exploited in the wild within 20 hours of disclosure, similar to CVE‑2026‑33017.
  • Langflow RCE: While the absolute number of affected systems is smaller, the concentration of credentials in a single platform magnifies the damage.

Detection & Response

1. Log Signatures

Log Source Signature Explanation
HTTP Access Logs POST /api/v1/build_public_tmp/ Any POST to this endpoint is suspicious if the request originates from an external IP.
Python Tracebacks Traceback (most recent call last): Indicates that exec() ran unhandled code.
Process Creation spawned process: /bin/bash or subprocess.Popen New shell or command execution.
Credential Access os.environ['OPENAI_API_KEY'] Access to environment variables containing API keys.

Example log snippet

2026-03-25 14:32:07,123 INFO 127.0.0.1 POST /api/v1/build_public_tmp/123/flow 200
2026-03-25 14:32:07,124 DEBUG exec() called with user code
2026-03-25 14:32:07,125 ERROR Traceback (most recent call last):
...

2. YARA Rule (Python exec Injection)

rule Langflow_RCE_Exec
{
    meta:
        description = "Detect unsandboxed exec() in Langflow payloads"
        author = "Karma‑X"
        reference = "https://github.com/langflow/langflow"

    strings:
        $exec_call = /exec\([^)]*\)/ nocase
        $python_node = /\"type\"\s*:\s*\"Python\"/ nocase
        $data_field = /\"data\"\s*:/ nocase

    condition:
        $exec_call and $python_node and $data_field
}

3. Network Indicators

  • HTTP POST to /api/v1/build_public_tmp/{flow_id}/flow from unknown IPs.
  • Large payloads (> 1 KB) containing base64‑encoded code.

4. Behavioral Detection

  • Unexpected process creation on the Langflow host.
  • Outbound traffic to suspicious IPs after a POST to the public‑flow endpoint.
  • File system changes (e.g., new cron jobs, hidden files).

Mitigation & Remediation

Priority Action Rationale
1 Patch immediately – upgrade to Langflow 1.9.0 (CVE‑2026‑33017) and 1.3.0 (CVE‑2025‑3248). Removes unsandboxed exec() from vulnerable endpoints.
2 Disable public‑flow feature if not required. Eliminates the attack surface entirely.
3 Restrict the endpoint to internal networks via firewall or reverse proxy ACLs. Prevents external access.
4 Run Langflow under least‑privilege user with no access to sensitive environment variables. Limits damage if RCE occurs.
5 Implement network segmentation – isolate Langflow from critical services (LLM providers, vector DBs, cloud accounts). Reduces lateral movement.
6 Deploy automated patch management (e.g., Saner Patch Management) to ensure timely updates. Reduces window of exposure.
7 Monitor logs for the signatures above; set up alerts. Early detection of exploitation attempts.
8 Consider disabling the /api/v1/validate/code endpoint if not used. Removes legacy RCE vector.
9 Apply a sandbox or safe‑eval for any custom Python nodes if you must keep public flows. Adds an extra layer of protection.

“If patching is delayed, consider disabling the public flow feature via configuration or firewall rules.”CISA KEV

Timeline

Date Event
2025‑02‑26 CVE‑2025‑3248 reported by Horizon3.ai
2025‑03‑17 CVE‑2025‑3248 publicly disclosed
2025‑03‑31 Langflow 1.3.0 released (patch for CVE‑2025‑3248)
2025‑05‑06 CISA adds CVE‑2025‑3248 to KEV
2026‑02‑26 CVE‑2026‑33017 reported by Aviral Srivastava
2026‑03‑17 CVE‑2026‑33017 publicly disclosed
2026‑03‑17 Langflow 1.9.0 released (patch for CVE‑2026‑33017)
2026‑03‑20 CVE‑2026‑33017 published in OpenCVE
2026‑03‑25 CISA adds CVE‑2026‑33017 to KEV
2026‑03‑25 Active exploitation observed within 20 h of disclosure

Sources & References

  1. CISA: New Langflow flaw actively exploited to hijack AI workflows
  2. CVE‑2026‑33017: Critical Langflow Vulnerability Exploited Within 20 Hours of Disclosure – SecPod Blog
  3. CVE‑2026‑33017 - Vulnerability Details - OpenCVE
  4. Langflow RCE CVE‑2026‑33017: Exploited Within 20 Hours – Lab Space
  5. Tech Investor News: Critical Langflow Flaw Added to CISA KEV List Amid Ongoing Exploitation Evidence
  6. CISA KEV Catalog

Metadata

category: Research
tags: Langflow, RCE, AI Security, CVE, CISA
teaser: Langflow’s public‑flow endpoint now a hotbed for RCE – patch or disable it immediately to stop attackers from hijacking your AI workflows.

Sources

  1. CISA: New Langflow flaw actively exploited to hijack AI workflows
  2. CVE-2026-33017: Critical Langflow Vulnerability Exploited Within 20 Hours of Disclosure - SecPod Blog
  3. CVE-2026-33017 - Vulnerability Details - OpenCVE
  4. Langflow RCE CVE-2026-33017: Exploited Within 20 Hours – Lab Space
  5. Critical Langflow Flaw Added to CISA KEV List Amid Ongoing