Langflow flaw exploited

Security researcher Aviral Srivastava reported the bug in late February and the Langflow advisory with a fix was publicly posted on March 17, 2026. (labs.cloudsecurityalliance.org) The flaw is in the build-public flow endpoint POST /api/v1/build_public_tmp/{flow_id}/flow where an attacker-supplied "data" payload is executed server-side via exec(), creating unauthenticated remote code execution given the endpoint's public design; the issue is tracked as CVE-2026-33017 with a CVSS v4 score of 9.3. (github.com) Threat teams observed exploitation attempts within about 20 hours of the advisory’s publication, with Sysdig’s threat research and multiple outlets reporting real-world probes and active exploitation shortly after March 17, 2026. (sysdig.com) Langflow releases and advisories show the maintainers pushed fixes, but security researchers at JFrog reported that packages reported as patched (1.8.2) remained exploitable in public PyPI and Docker images while the true fix landed in 1.9.0, creating a dangerous patching gap. (github.com) Exploitation requires the target to host at least one public flow and can let attackers read environment variables, steal API keys, write files or spawn shells under the Langflow process privileges, enabling lateral movement into connected cloud services. (fieldeffect.com) CISA added CVE-2026-33017 to its Known Exploited Vulnerabilities catalog on March 25, 2026 with a remediation due date of April 8, 2026 and advised applying vendor mitigations, following applicable guidance for cloud services, or discontinuing use if mitigations are unavailable. (cisa.gov)