A critical unauthenticated remote code execution vulnerability in Langflow, the open-source AI workflow platform, is being actively exploited in the wild. CVE-2026-33017 carries a CVSS score of 9.3. If you run Langflow and it's exposed to the internet, stop reading and start patching. Here's the situation.
Who is affected
Every Langflow instance running version 1.8.1 or earlier with at least one public flow. That covers most production deployments, since public flows are how Langflow-powered chatbots work: users visit a URL, chat with a bot, and the flow executes server-side without authentication. When AUTO_LOGIN is set to true (the default configuration), even the public flow prerequisite disappears because an attacker can create one themselves.
Langflow has over 145,000 GitHub stars and is widely used for building AI agents and RAG pipelines. The blast radius here is real but bounded: organizations running Langflow behind a firewall or VPN with no public exposure are not directly vulnerable. If your instance is internet-facing, assume compromise until you can verify otherwise.
What happened
Security researcher Aviral Srivastava discovered the flaw on February 26, 2026 and reported it to Langflow. The advisory (GHSA-vwmf-pq79-vjvx) was published on GitHub on March 17, 2026 at 20:05 UTC.
Twenty hours later, Sysdig's Threat Research Team recorded the first exploitation attempts. No public proof-of-concept existed. Attackers reverse-engineered working exploits directly from the advisory text, which described the vulnerable endpoint and injection mechanism in enough detail to build a payload.
The vulnerability sits in the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint. This endpoint is designed to let unauthenticated users build public flows. It accepts an optional data parameter. When that parameter is supplied, the server uses attacker-controlled flow data containing arbitrary Python code in node definitions instead of the stored flow from the database. That code gets passed to Python's exec() with zero sandboxing. One HTTP POST request with malicious Python in the JSON payload achieves immediate RCE with full server-process privileges.
Srivastava described exploitation as "extremely easy," noting it can be triggered with a single curl command.
Timeline of events
- Feb 26, 2026: Aviral Srivastava discovers and reports CVE-2026-33017 to Langflow
- Mar 17, 2026, 20:05 UTC: Advisory GHSA-vwmf-pq79-vjvx published on GitHub
- Mar 18, 2026, 16:04 UTC: First exploitation attempt observed by Sysdig (20 hours post-disclosure)
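
To verify an internet-facing instance, one starting point is the access log of whatever proxy sits in front of Langflow. The script below is an added example, not code from Langflow, Sysdig, or the advisory. It assumes combined-log-format lines and uses constructed sample data, and it lists the source IPs that sent POST requests to the build_public_tmp endpoint after the advisory's publication time.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Advisory publication time, taken from the timeline above.
ADVISORY_PUBLISHED = datetime(2026, 3, 17, 20, 5, tzinfo=timezone.utc)

# Assumed combined log format: ip, timestamp, method, path, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# The unauthenticated public build endpoint named in the advisory.
ENDPOINT_RE = re.compile(r'^/api/v1/build_public_tmp/(?P<flow_id>[^/?#]+)/flow/?(?:\?.*)?$')

# Constructed sample lines (documentation IP ranges, made-up flow IDs).
SAMPLE_LOG = """\
198.51.100.7 - - [17/Mar/2026:09:12:44 +0000] "POST /api/v1/build_public_tmp/11111111-aaaa-4bbb-8ccc-000000000001/flow HTTP/1.1" 200 512
203.0.113.25 - - [18/Mar/2026:16:04:10 +0000] "POST /api/v1/build_public_tmp/11111111-aaaa-4bbb-8ccc-000000000001/flow HTTP/1.1" 200 498
203.0.113.25 - - [18/Mar/2026:16:04:12 +0000] "POST /api/v1/build_public_tmp/22222222-aaaa-4bbb-8ccc-000000000002/flow HTTP/1.1" 404 77
192.0.2.14 - - [18/Mar/2026:17:30:01 +0000] "GET /api/v1/build_public_tmp/11111111-aaaa-4bbb-8ccc-000000000001/flow HTTP/1.1" 405 31
192.0.2.14 - - [18/Mar/2026:17:31:09 +0000] "POST /api/v1/login HTTP/1.1" 200 220
"""

def triage(log_text, since=ADVISORY_PUBLISHED):
    """Group POSTs to the public build endpoint at or after `since` by source IP."""
    hits = defaultdict(
        lambda: {"count": 0, "first_seen": None, "flow_ids": set(), "statuses": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        ep = ENDPOINT_RE.match(m["path"])
        if not ep:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if ts < since:
            continue  # before the advisory was public
        h = hits[m["ip"]]
        h["count"] += 1
        h["first_seen"] = ts if h["first_seen"] is None else min(h["first_seen"], ts)
        h["flow_ids"].add(ep["flow_id"])
        h["statuses"].add(int(m["status"]))
    return dict(hits)

if __name__ == "__main__":
    for ip, h in sorted(triage(SAMPLE_LOG).items()):
        print(ip, h["count"], h["first_seen"].isoformat(), sorted(h["flow_ids"]), sorted(h["statuses"]))
```

Normal chatbot traffic uses the same endpoint, and access logs do not record whether the data parameter was present in the request body, so each hit is a lead to correlate with process and network telemetry from the host rather than proof of exploitation.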
