CVE-2026-33017
Langflow has Unauthenticated Remote Code Execution via Public Flow Build Endpoint
In short
Langflow allows anyone to run arbitrary code on the server through a public endpoint by uploading malicious workflow definitions without needing to log in. An attacker can execute any command they want on the machine running Langflow.
Technical detail
The POST /api/v1/build_public_tmp/{flow_id}/flow endpoint in Langflow versions before 1.9.0 accepts an optional data parameter containing attacker-controlled flow definitions with arbitrary Python code in node definitions, which are executed via exec() without sandboxing. Authentication is not required for this public endpoint, enabling unauthenticated remote code execution. The vulnerability was fixed in version 1.9.0 by removing acceptance of attacker-supplied flow data at this endpoint.
Summary generated and translated by AI from the official description.
Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.