Langflow RCE Exploited
A critical Langflow vulnerability (CVE-2026-33017) was weaponized within 20 hours of disclosure, enabling remote code execution via exec() — systems running Langflow were attacked almost immediately. Patches are available and the speed of exploitation underscores how fast attackers act after public disclosure. (thehackernews.com)
The official GitHub advisory identifies the vulnerable route as POST /api/v1/build_public_tmp/{flow_id}/flow and says attacker-supplied flow data passed into the build path can reach an unsandboxed exec() call. (github.com) The flaw has been tracked as CVE-2026-33017 and reported with a critical severity rating (CVSS ~9.3) reflecting unauthenticated remote code execution risk on exposed Langflow instances. (securityweek.com) The researcher who disclosed the bug published a writeup describing how the optional data parameter lets attacker-controlled node definitions reach the same exec() pipeline as a prior CVE, and said the fix was merged as PR #12160 after a February 25, 2026 report. (dev.to)

Observed attack activity has included single HTTP POST requests containing malicious JSON that injects Python code into component definitions, automated scanning (Nuclei and custom scripts), and post-compromise harvesting of API keys, cloud credentials and configuration files. (sysdig.com, al-ice.ai)

Langflow's default authentication behavior (LANGFLOW_AUTO_LOGIN=true in many installs) can let an unauthenticated client obtain a session token or create a public flow, removing prerequisites an attacker would otherwise need to exploit the build_public_tmp code path. (docs.langflow.org, aviraxroot.hashnode.dev)

Vendor and community guidance lists no single released patched version in the advisory but points to merged fixes (PR #12160) and emerging dev builds; interim mitigations explicitly recommended include removing the data parameter from the endpoint, disabling public-flow building, setting LANGFLOW_AUTO_LOGIN=false, restricting network access to the endpoint, and rotating exposed API keys and credentials. (github.com, security.snyk.io, beyondmachines.net)
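A triage sketch for the route named in the advisory, added here as an example and not taken from Langflow or the cited writeups: it scans reverse-proxy access logs for POST requests to build_public_tmp and groups them by source. The combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Route from the advisory: POST /api/v1/build_public_tmp/{flow_id}/flow
ROUTE = re.compile(r"^/api/v1/build_public_tmp/[^/?#]+/flow/?(?:\?.*)?$")

# Assumed format: NGINX/Apache "combined" log from a proxy in front of Langflow.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (documentation IP ranges, placeholder flow ids).
SAMPLE_LOG = """\
198.51.100.7 - - [20/Mar/2026:10:01:02 +0000] "GET /api/v1/version HTTP/1.1" 200 85 "-" "curl/8.5.0"
203.0.113.9 - - [20/Mar/2026:10:02:11 +0000] "POST /api/v1/build_public_tmp/00000000-0000-0000-0000-000000000001/flow HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.9 - - [20/Mar/2026:10:02:15 +0000] "POST /api/v1/build_public_tmp/00000000-0000-0000-0000-000000000001/flow?x=1 HTTP/1.1" 500 90 "-" "python-requests/2.31"
198.51.100.7 - - [20/Mar/2026:10:03:00 +0000] "GET /api/v1/build_public_tmp/00000000-0000-0000-0000-000000000001/flow HTTP/1.1" 405 31 "-" "Mozilla/5.0"
malformed line without the expected fields
"""


def find_build_public_posts(lines):
    """Return {source_ip: [(timestamp, path, status), ...]} for POSTs to the route."""
    hits = defaultdict(list)
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue  # skip unparseable lines instead of aborting the scan
        if m["method"] == "POST" and ROUTE.match(m["path"]):
            hits[m["ip"]].append((m["ts"], m["path"], int(m["status"])))
    return dict(hits)


def summarize(hits):
    """Per source: request count and whether any request got a 2xx response."""
    return {ip: {"requests": len(rows),
                 "any_2xx": any(200 <= status < 300 for _, _, status in rows)}
            for ip, rows in hits.items()}


if __name__ == "__main__":
    report = summarize(find_build_public_posts(SAMPLE_LOG.splitlines()))
    for ip, info in report.items():
        print(ip, info)
```

Access logs do not record request bodies, so a hit shows only that the route was reached; treat sources with a 2xx response as the first candidates for the credential rotation the guidance above recommends.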