Langflow RCE Bug CVE-2026-33017 Exploited in 20 Hours

MAR 21 · DEV · 3 MIN READ

Langflow, the open-source visual framework for building AI pipelines and RAG applications, disclosed a critical remote code execution vulnerability on March 17, 2026. Designated CVE-2026-33017, the flaw carries a CVSS score of 9.3 and allows an unauthenticated attacker to execute arbitrary Python code on any exposed Langflow instance with a single HTTP request. Within 20 hours of the advisory going public, active exploitation began — before any public proof-of-concept code existed.

The speed matters. Attackers built working exploits directly from the advisory description and began scanning the internet for vulnerable instances before the security community had a chance to coordinate a response. If your Langflow deployment has been sitting unpatched since March 17, assume it has been targeted.

How the Exploit Works

The vulnerability lives in POST /api/v1/build_public_tmp/{flow_id}/flow, an endpoint designed to let unauthenticated users build public flows. The flaw is straightforward: the endpoint accepts attacker-supplied flow data containing arbitrary Python code in node definitions, then executes it server-side without sandboxing or authentication. There is no check between the network boundary and the execution environment. One crafted HTTP request is enough.

All versions of Langflow up to and including 1.8.1 are vulnerable. The patch landed in version 1.9.0. This is not a configuration issue or a hardening gap — the endpoint is vulnerable by design in affected versions, and no configuration change short of blocking all network access to the endpoint mitigates it.

What Attackers Are Taking

The Sysdig Threat Research Team documented the exploitation timeline. Automated scanning from four source IPs began within 20 hours. The payloads were custom Python exploit scripts delivered via stage-2 droppers, targeting the specific endpoint from the advisory. What they took was predictable: API keys, cloud credentials, database passwords, and configuration files from compromised instances.

In AI pipeline tools like Langflow, those credentials are often high-value. A typical Langflow deployment holds keys for OpenAI or Anthropic, credentials for a vector database like Pinecone or Weaviate, and potentially AWS or GCP service account keys used by pipeline nodes. A single compromised Langflow instance can be the entry point for a much broader compromise across every service those keys reach.

Immediate Steps

Update Langflow to version 1.9.0 immediately. After updating, treat every credential your Langflow instance could have accessed as potentially compromised: rotate API keys, database passwords, and cloud service credentials. Check environment variables and secrets for signs of exfiltration. Look for outbound connections to unfamiliar callback services in your logs from around and after March 17.
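
One way to start the log review is to list every POST to the advisory's endpoint since disclosure, grouped by source IP. The script below is an added example, not code from Langflow or Sysdig. It assumes a reverse proxy writing nginx/Apache "combined" access logs, and the sample lines, flow IDs and IPs are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import unquote

# Endpoint path from the advisory; any flow_id is matched.
ENDPOINT = re.compile(r"^/api/v1/build_public_tmp/[^/?#]+/flow/?(?:[?#].*)?$")
# Assumption: nginx/Apache "combined" access-log format.
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Disclosure date from the article; midnight UTC is an assumption.
DISCLOSED = datetime(2026, 3, 17, tzinfo=timezone.utc)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [16/Mar/2026:23:10:00 +0000] "POST /api/v1/build_public_tmp/flow-a/flow HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '203.0.113.9 - - [18/Mar/2026:09:42:11 +0000] "POST /api/v1/build_public_tmp/flow-b/flow HTTP/1.1" 200 734 "-" "python-requests/2.31.0"',
    '203.0.113.9 - - [18/Mar/2026:09:42:15 +0000] "POST /api/v1//build_public_tmp/flow-b/flow HTTP/1.1" 200 734 "-" "python-requests/2.31.0"',
    '192.0.2.44 - - [18/Mar/2026:10:01:02 +0000] "GET /api/v1/build_public_tmp/flow-b/flow HTTP/1.1" 405 31 "-" "Mozilla/5.0"',
    '192.0.2.80 - - [19/Mar/2026:02:00:00 +0000] "POST /api/v1/build_public_tmp/flow-c/flow HTTP/1.1" 403 0 "-" "curl/8.5.0"',
]

def find_endpoint_posts(lines, since=DISCLOSED):
    """Map source IP -> [(timestamp, status, raw path)] for POSTs to the endpoint."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Normalise percent-encoding and repeated slashes before matching.
        path = re.sub(r"/{2,}", "/", unquote(m["path"]))
        if not ENDPOINT.match(path):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if ts >= since:
            hits[m["ip"]].append((ts, int(m["status"]), m["path"]))
    return dict(hits)

def accepted_sources(hits):
    """IPs with at least one 2xx response: the request was not rejected upstream (heuristic)."""
    return sorted(ip for ip, reqs in hits.items()
                  if any(200 <= status < 300 for _, status, _ in reqs))

if __name__ == "__main__":
    found = find_endpoint_posts(SAMPLE_LOG)
    for ip, reqs in found.items():
        print(ip, [(t.isoformat(), s, p) for t, s, p in reqs])
    print("investigate and rotate credentials:", accepted_sources(found))
```

Pass an earlier `since` value to widen the window. An empty result only means the proxy logged no matching request, not that the instance is clean.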

Going forward, Langflow instances should not be directly internet-accessible without a strong operational reason. A reverse proxy with authentication reduces attack surface significantly. For internal deployments, network rules restricting inbound access to known IP ranges are a reasonable baseline control. Treat Langflow as infrastructure, not a casual development tool — because attackers clearly do.

A Broader Pattern

CVE-2026-33017 is a specific vulnerability with a specific fix, but the pattern it represents is worth understanding. AI pipeline frameworks — Langflow, Flowise, and similar tools — are becoming critical infrastructure for developers building on LLMs. They often run with ambient access to production credentials and external APIs by design, because that is how pipeline nodes work. That makes them high-value targets with a security posture that has not kept pace with their adoption.

The 20-hour exploitation window is the number to internalize. When a critical advisory drops in this space, the window between public disclosure and active exploitation is now measured in hours. Patch cadence acceptable for internal tooling three years ago is no longer adequate when the tool holds keys to your entire AI infrastructure stack.

KEY POINTS:

- CVE-2026-33017: unauthenticated RCE in Langflow via single HTTP POST, CVSS 9.3
- Affects all versions up to and including 1.8.1; fix is in 1.9.0
- Attackers began scanning within 20 hours — before any public PoC existed
- Stolen: API keys, cloud credentials, database passwords, and config files
- AI pipeline tools hold high-value keys to OpenAI, AWS, vector DBs, and more
- Mitigate: update to 1.9.0, rotate all credentials, restrict network access to Langflow