CVE-2026-33017

CRITICAL KEV NUCLEI LAB

Langflow has Unauthenticated Remote Code Execution via Public Flow Build Endpoint

Title source: cna
STIX 2.1

Exploitation Summary

CVE-2026-33017 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 25, 2026. EIP tracks 24 public exploits from researchers including Diamorphine, adminlove520, z4yd3. A Nuclei detection template is also available.

AI-analyzed exploit summary This exploit targets a remote code execution (RCE) vulnerability in Langflow <1.9.0 by abusing the custom component creation API. It injects malicious Python code into a flow's node template, which executes a reverse shell when the flow is built.

Description

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.

Exploits (24)

exploitdb WORKING POC
by Diamorphine · pythonwebappsmultiple
https://www.exploit-db.com/exploits/52627

This exploit targets a remote code execution (RCE) vulnerability in Langflow <1.9.0 by abusing the custom component creation API. It injects malicious Python code into a flow's node template, which executes a reverse shell when the flow is built.

Classification
Working Poc 98%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Langflow versions before 1.9.0
No auth needed
Prerequisites: Valid flow ID (obtainable via /api/v1/flows/ or UI) · Valid client_id cookie for session context · Network access to the Langflow API endpoint
mistral-large-3 · analyzed Jul 09, 2026 Full analysis →
github WORKING POC 3 stars
by adminlove520 · pythonpoc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2026/CVE-2026-33017

This repository contains a functional exploit for CVE-2026-33017, targeting Langflow <= 1.8.1. The exploit leverages unauthenticated API endpoints to create a public flow and inject malicious code, resulting in remote command execution via a reverse shell.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Langflow <= 1.8.1
No auth needed
Prerequisites: Target must be running Langflow <= 1.8.1 · Network access to the target's API endpoints
mistral-large-3 · analyzed May 05, 2026 Full analysis →
nomisec WORKING POC 2 stars
by z4yd3 · poc
https://github.com/z4yd3/PoC-CVE-2026-33017

This repository contains a functional exploit for CVE-2026-33017, demonstrating unauthenticated remote code execution in Langflow via the /api/v1/build_public_tmp endpoint. The exploit crafts a malicious flow with embedded Python code that executes arbitrary commands on the target system.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Langflow <= 1.8.2
No auth needed
Prerequisites: Network access to the target Langflow instance
mistral-large-3 · analyzed Apr 09, 2026 Full analysis →
nomisec WORKING POC 1 stars
by EQSTLab · remote
https://github.com/EQSTLab/CVE-2026-33017

The repository contains a functional exploit for CVE-2026-33017, an RCE vulnerability in Langflow's public flow build endpoint. The exploit leverages the ability to inject malicious custom components via the `data` parameter, leading to arbitrary code execution during the flow build process.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Langflow 1.8.2 and below
No auth needed
Prerequisites: Access to a vulnerable Langflow instance · Public flow ID or ability to create one
mistral-large-3 · analyzed Apr 09, 2026 Full analysis →
nomisec WORKING POC 1 stars
by omer-efe-curkus · remote
https://github.com/omer-efe-curkus/CVE-2026-33017-Langflow-RCE-PoC

This repository contains a functional exploit for CVE-2026-33017, an unauthenticated RCE vulnerability in Langflow 1.8.1 and earlier. The exploit leverages the `/api/v1/build_public_tmp/{flow_id}/flow` endpoint to inject arbitrary Python code via crafted node configurations, executed via `exec()` without sandboxing.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Langflow 1.8.1 and earlier
No auth needed
Prerequisites: A public flow UUID or `AUTO_LOGIN=true` to create one · Network access to the target Langflow instance
mistral-large-3 · analyzed Mar 22, 2026 Full analysis →
github WORKING POC
by diamorphine666 · pythonremote
https://github.com/diamorphine666/CVE-2026-33017-Exploit

This exploit targets an unauthenticated remote code execution vulnerability in Langflow <1.9.0 via the `/api/v1/build_public_tmp/{flow_id}/flow` endpoint. It injects malicious Python code into a custom component to establish a reverse shell on the target system.

Classification
Working Poc 98%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Langflow versions prior to 1.9.0
No auth needed
Prerequisites: Valid `flow_id` (obtainable via `/api/v1/flows/` or UI) · Valid `client_id` cookie value for session identification · Network access to the target Langflow instance
mistral-large-3 · analyzed Jul 05, 2026 Full analysis →
github WORKING POC
by yayip · shellpoc
https://github.com/yayip/CVE-2026-33017

This PoC exploits a remote code execution vulnerability in FireFlow's API by injecting malicious Python code via a crafted JSON payload. The exploit leverages a code execution field in the API to establish a reverse shell to the attacker's machine.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: FireFlow (likely a custom workflow automation tool, specific version not mentioned)
Auth required
Prerequisites: Access to the FireFlow API endpoint (https://flow.fireflow.htb/api/v1/build_public_tmp/...) · Valid client_id cookie or authentication token · Network access to the target system · Attacker-controlled listener for the reverse shell (e.g., netcat)
mistral-large-3 · analyzed Jul 04, 2026 Full analysis →
github WORKING POC
by c0gnit00 · pythonremote
https://github.com/c0gnit00/CVE-2026-33017

This repository contains a functional exploit for CVE-2026-33017, an unauthenticated remote code execution vulnerability in Langflow. The exploit leverages the `build_public_tmp` endpoint to execute arbitrary Python code via attacker-controlled flow data, resulting in a reverse shell.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Langflow <= 1.7.3
No auth needed
Prerequisites: Target Langflow instance with at least one public flow · Public flow UUID
mistral-large-3 · analyzed Jul 02, 2026 Full analysis →
github WORKING POC
by r3nsi15 · pythonremote
https://github.com/r3nsi15/CVE-2026-33017-langflow-rce

This repository contains a functional exploit for CVE-2026-33017, demonstrating unauthenticated RCE in Langflow via a malicious CustomComponent payload. The PoC abuses the auto_login endpoint to obtain a token, creates a public flow, and triggers arbitrary command execution through the build endpoint.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Langflow <= 1.8.2
No auth needed
Prerequisites: Network access to Langflow instance with auto-login enabled
mistral-large-3 · analyzed May 23, 2026 Full analysis →
github WORKING POC
by XZ1r0 · pythonpoc
https://github.com/XZ1r0/cve-2026-poc-collection/tree/main/other/langflow-CVE-2026-33017-poc

This repository contains a functional exploit PoC for CVE-2026-33017, an unauthenticated remote code execution vulnerability in Langflow <= 1.8.1. The exploit leverages the `build_public_tmp` endpoint to inject malicious code via a CustomComponent node, which is executed unsandboxed by the server.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Langflow <= 1.8.1
No auth needed
Prerequisites: AUTO_LOGIN=true or a known public flow ID
mistral-large-3 · analyzed May 21, 2026 Full analysis →
nomisec WRITEUP
by Jorrit-VM · remote
https://github.com/Jorrit-VM/CVE-2026-33017

This repository provides a detailed technical writeup and step-by-step guide for exploiting CVE-2026-33017, an unauthenticated remote code execution vulnerability in Langflow < 1.9.0. It includes setup instructions, exploit code, and mitigation strategies.

Classification
Writeup 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Langflow < 1.9.0
No auth needed
Prerequisites: Valid flow_id from the target Langflow instance · Network access to the target server
mistral-large-3 · analyzed Apr 21, 2026 Full analysis →
nomisec WRITEUP
by 0xBlackash · poc
https://github.com/0xBlackash/CVE-2026-33017

This repository provides a detailed technical analysis of CVE-2026-33017, an unauthenticated remote code execution vulnerability in Langflow ≤ 1.8.2. The root cause is the unsafe use of `exec()` in the `/api/v1/build_public_tmp/{flow_id}/flow` endpoint, allowing arbitrary code execution.

Classification
Writeup 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Langflow ≤ 1.8.2
No auth needed
Prerequisites: Network access to the vulnerable endpoint
mistral-large-3 · analyzed Apr 20, 2026 Full analysis →
nomisec WORKING POC
by Spydomain · poc
https://github.com/Spydomain/CVE-2026-33017-langflow-lab

This repository provides a fully functional lab environment for CVE-2026-33017, an unauthenticated RCE vulnerability in Langflow <= 1.8.1. It includes Docker configurations to deploy a vulnerable Langflow instance with additional misconfigurations for privilege escalation and lateral movement.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Langflow <= 1.8.1
No auth needed
Prerequisites: Docker · Docker Compose
mistral-large-3 · analyzed Apr 15, 2026 Full analysis →
nomisec WORKING POC
by Spydomain · poc
https://github.com/Spydomain/CVE-2026-33017-lab

This repository contains a functional exploit PoC for CVE-2026-33017, targeting Langflow v1.8.1 with an unauthenticated RCE vulnerability. It includes a Docker-based lab environment, a Python exploit script, and detailed technical analysis of the vulnerability.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Langflow v1.8.1
No auth needed
Prerequisites: Docker · Docker Compose · ffuf for subdomain enumeration
mistral-large-3 · analyzed Apr 14, 2026 Full analysis →
nomisec WORKING POC
by oscar-mine · poc
https://github.com/oscar-mine/CVE-2026-33017-Exploit

This repository contains a functional exploit for CVE-2026-33017, an unauthenticated remote code execution vulnerability in Langflow <= 1.8.2. The exploit leverages the `/api/v1/build_public_tmp/{flow_id}/flow` endpoint to inject arbitrary Python code, which is executed via `exec()` without sandboxing.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Langflow <= 1.8.2
No auth needed
Prerequisites: Target running vulnerable Langflow version · Network access to the target
mistral-large-3 · analyzed Apr 13, 2026 Full analysis →
nomisec WORKING POC
by masterwok · poc
https://github.com/masterwok/PoC-CVE-2026-33017

This repository contains a functional exploit for CVE-2026-33017, targeting Langflow <= 1.8.1. The exploit leverages unauthenticated API endpoints to create a malicious flow and execute arbitrary commands via a reverse shell payload.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Langflow <= 1.8.1
No auth needed
Prerequisites: Network access to target · Listener setup for reverse shell
mistral-large-3 · analyzed Apr 15, 2026 Full analysis →
nomisec WORKING POC
by oscarmine · poc
https://github.com/oscarmine/CVE-2026-33017-Exploit

This repository contains a functional exploit for CVE-2026-33017, an unauthenticated remote code execution vulnerability in Langflow <= 1.8.2. The exploit leverages the `/api/v1/build_public_tmp/{flow_id}/flow` endpoint to inject arbitrary Python code, which is executed via `exec()` without sandboxing.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Langflow <= 1.8.2
No auth needed
Prerequisites: Target running vulnerable Langflow version · Network access to the target
mistral-large-3 · analyzed Apr 09, 2026 Full analysis →
nomisec WORKING POC
by masterwok · poc
https://github.com/masterwok/CVE-2026-33017-Langflow-POC

This repository contains a functional exploit for CVE-2026-33017, targeting Langflow <= 1.8.1. The exploit leverages unauthenticated API endpoints to create a malicious flow and execute arbitrary commands via a reverse shell.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Langflow <= 1.8.1
No auth needed
Prerequisites: Network access to the target · Listener setup for reverse shell
mistral-large-3 · analyzed Apr 09, 2026 Full analysis →
nomisec WORKING POC
by rootdirective-sec · remote
https://github.com/rootdirective-sec/CVE-2026-33017-Lab

This repository contains a functional exploit PoC for CVE-2026-33017, an unauthenticated RCE vulnerability in Langflow 1.8.1. The PoC demonstrates code execution by submitting attacker-controlled component code to a public build endpoint and retrieving proof via the API.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Langflow 1.8.1
No auth needed
Prerequisites: Docker · Python 3 · Langflow instance running on localhost:7861
mistral-large-3 · analyzed Apr 09, 2026 Full analysis →
nomisec WORKING POC
by SimoesCTT · remote
https://github.com/SimoesCTT/Sovereign-Echo-33017

This repository contains a functional Python exploit for CVE-2026-33017, targeting an unauthenticated RCE vulnerability in CTT Sovereign Echo. The exploit leverages a resonance gap in the flow builder endpoint to bypass sandboxing and execute arbitrary commands via an exec() sink.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Complex
Reliability
Theoretical
Target: CTT Sovereign Echo
No auth needed
Prerequisites: valid flow_id (UUID or hex format) · target endpoint accessible
mistral-large-3 · analyzed Mar 22, 2026 Full analysis →
nomisec WORKING POC
by MaxMnMl · remote
https://github.com/MaxMnMl/langflow-CVE-2026-33017-poc

This repository contains a functional exploit PoC for CVE-2026-33017, an unauthenticated remote code execution vulnerability in Langflow <= 1.8.1. The exploit leverages the `build_public_tmp` endpoint to inject arbitrary code via the `data` parameter, which is executed via `exec()` without sandboxing.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Langflow <= 1.8.1
No auth needed
Prerequisites: AUTO_LOGIN enabled or a known public flow UUID
mistral-large-3 · analyzed Mar 21, 2026 Full analysis →
vulncheck_xdb WORKING POC
remote
https://github.com/masterwok/CVE-2026-33017-Langflow-PoC

This repository contains a functional exploit for CVE-2026-33017, targeting Langflow <= 1.8.1. The exploit leverages unauthenticated RCE by crafting a malicious node template and sending it to the Langflow API, resulting in a reverse shell.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Langflow <= 1.8.1
No auth needed
Prerequisites: Network access to the target Langflow instance · Listener setup for reverse shell
mistral-large-3 · analyzed Jun 06, 2026 Full analysis →
vulncheck_xdb WORKING POC
remote
https://github.com/z4yd3/CVE-2026-33017-PoC

This repository contains a functional exploit for CVE-2026-33017, demonstrating unauthenticated remote code execution in Langflow via the /api/v1/build_public_tmp endpoint. The exploit crafts a malicious flow definition with embedded Python code that executes arbitrary commands on the target system.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Langflow <= 1.8.2
No auth needed
Prerequisites: Target Langflow instance accessible via HTTP/HTTPS · Network connectivity to the target
mistral-large-3 · analyzed Apr 09, 2026 Full analysis →

Nuclei Templates (1)

Langflow < 1.9.0 - Remote Code Execution
CRITICALVERIFIEDby himind
Shodan: http.favicon.hash:1727196746

Scores

CVSS v3 9.8
EPSS 0.9819
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Lab Environment

COMMUNITY SUSPICIOUS
Community Lab
docker pull cve-2026-33017-langflow-vuln:local
docker pull langflowai/langflow:1.8.1-amd64@sha256:5bc03f85c5ad50d78e60703b5b7763b672d7403405612a400ec4449cce55f9de
docker pull langflowai/langflow:1.8.1
+21 more repos

Details

CISA KEV 2026-03-25
VulnCheck KEV 2026-03-19
ENISA EUVD EUVD-2026-13556
CWE
CWE-306 CWE-94 CWE-95
Status published
Products (4)
langflow/langflow 1.9.0 dev0 (12 CPE variants)
langflow/langflow < 1.8.2
langflow-ai/langflow < 1.9.0
pypi/langflow 0 - 1.9.0PyPI
Published Mar 20, 2026
KEV Added Mar 25, 2026
Tracked Since Mar 20, 2026