A critical vulnerability in Langflow, tracked as CVE-2026-33017, is being actively exploited in the wild and poses a serious risk to organizations using exposed self-hosted Langflow instances.
The flaw affects the public flow build functionality and can allow unauthenticated remote code execution through attacker-controlled flow data. Langflow fixed the issue in version 1.9.0; versions up to and including 1.8.2 remain affected.
Technical Overview
The vulnerability exists in the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint, which is intended to allow unauthenticated building of public flows. When the optional data parameter is provided, Langflow may process attacker-supplied flow definitions instead of trusted stored data.
Because those node definitions can contain arbitrary Python code and that code is passed to exec() without sandboxing, an attacker can achieve unauthenticated remote code execution on the server.
This issue is particularly dangerous because exploitation can require only a single crafted HTTP request against an exposed vulnerable instance. Security advisories also note that the vulnerable server process may be compromised with full process privileges, allowing file access, command execution, secret theft, and broader environment compromise.
Affected Versions
- Vulnerable: Langflow versions up to and including 1.8.2
- Patched: 1.9.0 and later
- Environments using outdated or unverified container images may still be exposed
- Publicly exposed instances with public flow functionality enabled are at highest risk
Observed Threat Activity
Public reporting shows attackers moved from disclosure to exploitation extremely quickly. The first exploitation attempts were observed roughly 20 hours after the advisory was published, before any public GitHub proof-of-concept was available.
Over the next 48 hours, researchers saw exploitation attempts from six unique source IPs, including automated scanning activity, custom exploit scripting, and follow-on credential harvesting.
CISA has since added CVE-2026-33017 to its Known Exploited Vulnerabilities catalog.
Impact Assessment
If exploited, CVE-2026-33017 can allow attackers to fully compromise a vulnerable Langflow server. This may include arbitrary command execution, access to files and application data, theft of API keys and environment secrets, database credential exposure, and persistent footholds for additional malicious activity.
The risk is elevated in AI and orchestration environments because Langflow deployments often hold access to external services such as LLM providers, cloud platforms, databases, and internal APIs. As a result, a successful compromise may extend well beyond the Langflow host itself and expose downstream systems, data stores, or software supply chain paths.
Recommended Actions
- Identify exposure immediately: Locate any Langflow deployments (especially dev/AI environments) and prioritize review of internet-exposed instances
- Patch or restrict access: Upgrade to v1.9.0+ or restrict access behind trusted networks and disable public flow functionality
- Verify deployments: Confirm actual running versions (don’t rely on latest or container tags)
- Hunt for compromise: Check for suspicious execution, .env access, outbound connections, and rotate any potentially exposed credentials
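As a starting point for the hunt, the sketch below (an added example, not part of the original advisory or Langflow's code) scans reverse-proxy access logs for POST requests to the public flow build endpoint and groups them by source IP outside trusted ranges. The combined log format, the hunt() function, the trusted CIDR list, and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Public flow build endpoint from the advisory; {flow_id} is one path segment.
ENDPOINT = re.compile(r"^/api/v1/build_public_tmp/[^/?]+/flow(?:\?.*)?$")
# Combined log format (assumed: a reverse proxy such as nginx fronts Langflow).
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def hunt(lines, trusted_cidrs=()):
    """Group POSTs to the public build endpoint by source IP outside trusted ranges."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None, "statuses": set()})
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST" or not ENDPOINT.match(m["path"]):
            continue
        try:
            addr = ipaddress.ip_address(m["ip"])
        except ValueError:
            addr = None  # unparsable client field: treat as untrusted
        if addr and any(addr in n for n in nets):
            continue
        h = hits[m["ip"]]
        h["count"] += 1
        h["first"] = h["first"] or m["ts"]  # keep earliest timestamp seen
        h["last"] = m["ts"]
        h["statuses"].add(int(m["status"]))
    return dict(hits)

# Constructed sample lines: documentation IP ranges and made-up flow ids.
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2026:10:00:01 +0000] "POST /api/v1/build_public_tmp/flow-a/flow HTTP/1.1" 200 512 "-" "example-client/1.0"',
    '203.0.113.7 - - [01/Jan/2026:10:00:09 +0000] "POST /api/v1/build_public_tmp/flow-a/flow HTTP/1.1" 500 87 "-" "example-client/1.0"',
    '10.0.4.12 - - [01/Jan/2026:10:01:00 +0000] "POST /api/v1/build_public_tmp/flow-b/flow HTTP/1.1" 200 498 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [01/Jan/2026:10:02:30 +0000] "GET /api/v1/build_public_tmp/flow-a/flow HTTP/1.1" 405 0 "-" "curl/8.5"',
    '198.51.100.23 - - [01/Jan/2026:10:02:31 +0000] "POST /api/v1/flows/ HTTP/1.1" 401 33 "-" "curl/8.5"',
]

if __name__ == "__main__":
    for ip, h in hunt(SAMPLE, trusted_cidrs=["10.0.0.0/8"]).items():
        print(ip, h["count"], h["first"], h["last"], sorted(h["statuses"]))
```

Access logs in this format do not record request bodies, so the output shows who called the endpoint and when, not whether the data parameter was supplied; treat each hit as a lead to correlate with process, file, and outbound-connection telemetry from the same time window.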
Stay Safe. Stay Secure
OP Innovate Research Team








