Critical Remote Code Execution in Langflow (CVE‑2026‑33017) Threatens LLM Workflow Platforms
What It Is — Langflow, an open‑source LLM workflow orchestration tool, contains a missing‑authentication and code‑injection flaw that allows unauthenticated attackers to execute arbitrary code on the host. The vulnerability is identified as CVE‑2026‑33017 with a CVSS 9.3 rating.
Exploitability — Public exploit code and active exploitation were observed within 20 hours of disclosure. No reliable proof‑of‑concept is required; a simple POST to /api/v1 can trigger RCE.
Affected Products — Langflow versions prior to 1.2.5 (the exact patched version has not yet been released) across all deployment models (self‑hosted, Docker, Kubernetes).
TPRM Impact — Organizations that embed Langflow in internal AI pipelines or expose it to third‑party developers face immediate supply‑chain risk. A compromised Langflow instance can be leveraged to pivot into adjacent services, exfiltrate data, or deploy ransomware.
Recommended Actions —
- Immediately isolate any Langflow instances from the internet and enforce network segmentation.
- Apply the vendor‑released patch (or upgrade to ≥ 1.2.5) as soon as it is available.
- Enforce authentication on all API endpoints and disable unauthenticated access.
- Conduct a rapid code‑review for custom extensions or plugins.
- Update third‑party risk registers to flag Langflow as a high‑risk component until remediation is confirmed.
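To check whether the isolation and authentication actions above are holding, the following added example (not from the source article or the Langflow project) scans reverse-proxy access logs for POST requests under /api/v1 that come from outside trusted networks. The combined log format, the trusted ranges, the example paths and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: networks still allowed to reach Langflow after segmentation.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.0/8")]

# Combined log format: client IP, timestamp, request line, status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_trusted(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable client field: treat as untrusted
    return any(ip in net for net in TRUSTED_NETS)

def suspicious_posts(lines):
    """Return parsed entries for POSTs to /api/v1 from untrusted sources."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if (m["method"] == "POST"
                and (path == "/api/v1" or path.startswith("/api/v1/"))
                and not is_trusted(m["ip"])):
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "path": path, "status": int(m["status"])})
    return hits

# Constructed sample log lines (documentation addresses, hypothetical paths).
SAMPLE_LOG = [
    '10.1.2.3 - - [01/Jan/2026:10:00:00 +0000] "POST /api/v1/example HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [01/Jan/2026:10:00:05 +0000] "POST /api/v1/example?x=1 HTTP/1.1" 200 87 "-" "python-requests/2.31"',
    '198.51.100.9 - - [01/Jan/2026:10:00:09 +0000] "GET /api/v1/example HTTP/1.1" 401 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jan/2026:10:00:12 +0000] "POST /api/v10/other HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2026:10:00:20 +0000] "POST /api/v1 HTTP/1.1" 401 0 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for h in suspicious_posts(SAMPLE_LOG):
        # 2xx means the request was served; 401/403 means it was rejected.
        verdict = "SERVED" if 200 <= h["status"] < 300 else "rejected"
        print(h["ts"], h["ip"], h["path"], h["status"], verdict)
```

Entries marked SERVED are the ones to triage first, since an external POST reached the API and was answered rather than rejected.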
Source: The Hacker News