Langflow has Unauthenticated Remote Code Execution via Public Flow Build Endpoint
Title source: cnaExploitation Summary
CVE-2026-33017 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 25, 2026. EIP tracks 24 public exploits from researchers including Diamorphine, adminlove520, z4yd3. A Nuclei detection template is also available.
AI-analyzed exploit summary This exploit targets a remote code execution (RCE) vulnerability in Langflow <1.9.0 by abusing the custom component creation API. It injects malicious Python code into a flow's node template, which executes a reverse shell when the flow is built.
Description
Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.
Exploits (24)
This exploit targets a remote code execution (RCE) vulnerability in Langflow <1.9.0 by abusing the custom component creation API. It injects malicious Python code into a flow's node template, which executes a reverse shell when the flow is built.
This repository contains a functional exploit for CVE-2026-33017, targeting Langflow <= 1.8.1. The exploit leverages unauthenticated API endpoints to create a public flow and inject malicious code, resulting in remote command execution via a reverse shell.
This repository contains a functional exploit for CVE-2026-33017, demonstrating unauthenticated remote code execution in Langflow via the /api/v1/build_public_tmp endpoint. The exploit crafts a malicious flow with embedded Python code that executes arbitrary commands on the target system.
The repository contains a functional exploit for CVE-2026-33017, an RCE vulnerability in Langflow's public flow build endpoint. The exploit leverages the ability to inject malicious custom components via the `data` parameter, leading to arbitrary code execution during the flow build process.
This repository contains a functional exploit for CVE-2026-33017, an unauthenticated RCE vulnerability in Langflow 1.8.1 and earlier. The exploit leverages the `/api/v1/build_public_tmp/{flow_id}/flow` endpoint to inject arbitrary Python code via crafted node configurations, executed via `exec()` without sandboxing.
This exploit targets an unauthenticated remote code execution vulnerability in Langflow <1.9.0 via the `/api/v1/build_public_tmp/{flow_id}/flow` endpoint. It injects malicious Python code into a custom component to establish a reverse shell on the target system.
This PoC exploits a remote code execution vulnerability in FireFlow's API by injecting malicious Python code via a crafted JSON payload. The exploit leverages a code execution field in the API to establish a reverse shell to the attacker's machine.
This repository contains a functional exploit for CVE-2026-33017, an unauthenticated remote code execution vulnerability in Langflow. The exploit leverages the `build_public_tmp` endpoint to execute arbitrary Python code via attacker-controlled flow data, resulting in a reverse shell.
This repository contains a functional exploit for CVE-2026-33017, demonstrating unauthenticated RCE in Langflow via a malicious CustomComponent payload. The PoC abuses the auto_login endpoint to obtain a token, creates a public flow, and triggers arbitrary command execution through the build endpoint.
This repository contains a functional exploit PoC for CVE-2026-33017, an unauthenticated remote code execution vulnerability in Langflow <= 1.8.1. The exploit leverages the `build_public_tmp` endpoint to inject malicious code via a CustomComponent node, which is executed unsandboxed by the server.
This repository provides a detailed technical writeup and step-by-step guide for exploiting CVE-2026-33017, an unauthenticated remote code execution vulnerability in Langflow < 1.9.0. It includes setup instructions, exploit code, and mitigation strategies.
This repository provides a detailed technical analysis of CVE-2026-33017, an unauthenticated remote code execution vulnerability in Langflow ≤ 1.8.2. The root cause is the unsafe use of `exec()` in the `/api/v1/build_public_tmp/{flow_id}/flow` endpoint, allowing arbitrary code execution.
This repository provides a fully functional lab environment for CVE-2026-33017, an unauthenticated RCE vulnerability in Langflow <= 1.8.1. It includes Docker configurations to deploy a vulnerable Langflow instance with additional misconfigurations for privilege escalation and lateral movement.
This repository contains a functional exploit PoC for CVE-2026-33017, targeting Langflow v1.8.1 with an unauthenticated RCE vulnerability. It includes a Docker-based lab environment, a Python exploit script, and detailed technical analysis of the vulnerability.
This repository contains a functional exploit for CVE-2026-33017, an unauthenticated remote code execution vulnerability in Langflow <= 1.8.2. The exploit leverages the `/api/v1/build_public_tmp/{flow_id}/flow` endpoint to inject arbitrary Python code, which is executed via `exec()` without sandboxing.
This repository contains a functional exploit for CVE-2026-33017, targeting Langflow <= 1.8.1. The exploit leverages unauthenticated API endpoints to create a malicious flow and execute arbitrary commands via a reverse shell payload.
This repository contains a functional exploit for CVE-2026-33017, an unauthenticated remote code execution vulnerability in Langflow <= 1.8.2. The exploit leverages the `/api/v1/build_public_tmp/{flow_id}/flow` endpoint to inject arbitrary Python code, which is executed via `exec()` without sandboxing.
This repository contains a functional exploit for CVE-2026-33017, targeting Langflow <= 1.8.1. The exploit leverages unauthenticated API endpoints to create a malicious flow and execute arbitrary commands via a reverse shell.
This repository contains a functional exploit PoC for CVE-2026-33017, an unauthenticated RCE vulnerability in Langflow 1.8.1. The PoC demonstrates code execution by submitting attacker-controlled component code to a public build endpoint and retrieving proof via the API.
This repository contains a functional Python exploit for CVE-2026-33017, targeting an unauthenticated RCE vulnerability in CTT Sovereign Echo. The exploit leverages a resonance gap in the flow builder endpoint to bypass sandboxing and execute arbitrary commands via an exec() sink.
This repository contains a functional exploit PoC for CVE-2026-33017, an unauthenticated remote code execution vulnerability in Langflow <= 1.8.1. The exploit leverages the `build_public_tmp` endpoint to inject arbitrary code via the `data` parameter, which is executed via `exec()` without sandboxing.
This repository contains a functional exploit for CVE-2026-33017, targeting Langflow <= 1.8.1. The exploit leverages unauthenticated RCE by crafting a malicious node template and sending it to the Langflow API, resulting in a reverse shell.
This repository contains a functional exploit for CVE-2026-33017, demonstrating unauthenticated remote code execution in Langflow via the /api/v1/build_public_tmp endpoint. The exploit crafts a malicious flow definition with embedded Python code that executes arbitrary commands on the target system.
Nuclei Templates (1)
http.favicon.hash:1727196746
References (8)
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H