Critical Remote Code Execution in Langflow (CVE‑2026‑33017) Threatens AI Workflow Platforms
What It Is — Langflow is an open‑source framework for building and executing agentic AI workflows. CVE‑2026‑33017 is a critical unauthenticated remote‑code‑execution flaw in the public build_public_tmp endpoint that runs attacker‑supplied Python via exec() with no sandboxing.
Exploitability — The vulnerability is actively exploited; CISA added it to its Known Exploited Vulnerabilities (KEV) catalog. CVSS 9.3 (Critical). Proof‑of‑concept code is publicly available.
Affected Products — Langflow versions < 1.9.0 (including default Docker images) across self‑hosted, cloud‑hosted, and SaaS‑wrapped deployments.
TPRM Impact — Any third party that incorporates Langflow into its services becomes a potential entry point for attackers, exposing customer data, credentials, and internal networks. The flaw can lead to full system compromise, lateral movement, and data exfiltration across supply‑chain relationships.
Recommended Actions —
- Upgrade all Langflow instances to ≥ 1.9.0 immediately.
- Enforce CISA’s remediation deadline (April 8 2026) for federal contracts and any downstream vendors.
- Block unauthenticated access to /api/v1/build_public_tmp/* endpoints or restrict them to trusted IP ranges.
- Conduct a comprehensive inventory of all internal and third‑party services that embed Langflow and verify they are patched.
- Perform a code review of custom flow definitions and implement strict input validation/sandboxing for any user‑supplied code.
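
To check whether the endpoint restriction above is holding, the following added example (not code from Langflow or the source article) scans reverse-proxy access logs for requests to /api/v1/build_public_tmp/* that come from outside an allowlist. The common log format, the trusted ranges and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

# Assumption: the allowlist is site-specific; these ranges are placeholders.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.10.0/24")]
ENDPOINT_PREFIX = "/api/v1/build_public_tmp/"

# Assumed common/combined log format: ip - user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalize_path(target):
    """Drop the query, decode %xx and collapse //, ./ and ../ so variants still match."""
    path = unquote(target.split("?", 1)[0])
    return posixpath.normpath(re.sub(r"/{2,}", "/", path))

def is_trusted(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparsable client address is treated as untrusted
    return any(ip in net for net in TRUSTED_NETS)

def untrusted_hits(lines):
    """Return (ip, method, path, status) for endpoint requests from outside TRUSTED_NETS."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = normalize_path(m["target"])
        if (path + "/").startswith(ENDPOINT_PREFIX) and not is_trusted(m["ip"]):
            hits.append((m["ip"], m["method"], path, int(m["status"])))
    return hits

# Constructed sample lines (not real traffic); EXAMPLE-ID is a placeholder.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Apr/2026:10:00:01 +0000] "POST /api/v1/build_public_tmp/EXAMPLE-ID HTTP/1.1" 200 512',
    '10.1.2.3 - - [01/Apr/2026:10:00:02 +0000] "POST /api/v1/build_public_tmp/EXAMPLE-ID HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Apr/2026:10:00:03 +0000] "GET /api/v1//build_public_tmp%2FEXAMPLE-ID?x=1 HTTP/1.1" 403 0',
    '203.0.113.7 - - [01/Apr/2026:10:00:04 +0000] "GET /api/v1/flows/ HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    print(*untrusted_hits(SAMPLE_LOG), sep="\n")
```

A hit with a 2xx status means the request reached the application from an untrusted address; a 403 indicates the block fired but the source is still worth reviewing.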
Source: SecurityAffairs article