
Critical Langflow RCE Vulnerability CVE-2026-33017 Exploited to Hijack AI Workflows

Friday, April 3, 2026
Global
NVD + CISA KEV + CISA Advisory

Summary

A critical unauthenticated remote code execution vulnerability (CVE-2026-33017, CVSS 9.3) in the Langflow AI workflow platform, affecting versions up to 1.8.1, is being actively exploited. Attackers can execute arbitrary code by sending crafted requests to the build_public_tmp API endpoint without authenticating. CISA has mandated that federal agencies patch by April 8, 2026.

Threat Analysis

CVE-2026-33017 is a critical code injection vulnerability in Langflow, an open-source AI workflow orchestration platform, affecting versions up to 1.8.1. The flaw lies in the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint, which builds attacker-controlled flow data without proper sandboxing and so allows unauthenticated remote code execution.

When AUTO_LOGIN=true (the default configuration), an unauthenticated attacker can obtain a superuser token, create a public flow, and then trigger the vulnerability to execute arbitrary commands on the server. With a CVSS score of 9.3, the issue is rated critical. CISA has added it to the KEV catalog with a remediation deadline of April 8, 2026 for federal agencies.

Organizations should upgrade to Langflow version 1.9.0 or later immediately. Where patching cannot be done right away, restrict network access to Langflow instances and disable public flow creation.
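To turn the advisory into something a defender can run, the following Python script (an added example, not code from the advisory or from the Langflow project) does two things: it flags an instance as exposed when its version is below 1.9.0 or AUTO_LOGIN is enabled, and it scans web-server access logs for requests to the build_public_tmp endpoint named above so that past hits can be reviewed. The log lines, client addresses and flow id are constructed for the example; the combined access-log format and the settings-dictionary shape are assumptions, as is the use of the plain key name AUTO_LOGIN (adjust to however your deployment exposes the setting).

```python
import re
from typing import Iterable, List, Dict

# Path pattern for the endpoint the advisory names; the flow id is captured.
BUILD_PUBLIC_TMP = re.compile(r"^/api/v1/build_public_tmp/([^/?]+)/flow/?(?:\?.*)?$")

# First fixed release according to the advisory.
PATCHED_MIN = (1, 9, 0)

# Apache/nginx "combined" log format (assumed; adjust if your proxy differs).
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) \S+'
)

# Constructed sample log: two builds of a public flow from one client, one benign request.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Apr/2026:08:01:12 +0000] "POST /api/v1/build_public_tmp/3f2a-example/flow HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.4 - - [03/Apr/2026:08:02:30 +0000] "GET /api/v1/flows/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [03/Apr/2026:08:02:45 +0000] "POST /api/v1/build_public_tmp/3f2a-example/flow HTTP/1.1" 500 128 "-" "python-requests/2.31"',
]


def parse_version(version: str) -> tuple:
    """Turn '1.8.1' or 'v1.9' into a comparable 3-tuple of ints."""
    parts = [int(p) for p in version.strip().lstrip("v").split(".")[:3] if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable_version(version: str) -> bool:
    """True when the running version is below the first patched release."""
    return parse_version(version) < PATCHED_MIN


def assess_instance(version: str, settings: Dict[str, str]) -> List[str]:
    """Return human-readable findings for one Langflow deployment."""
    findings = []
    if is_vulnerable_version(version):
        findings.append(f"version {version} is affected by CVE-2026-33017; upgrade to 1.9.0 or later")
    # AUTO_LOGIN=true is the default the advisory warns about; value compared case-insensitively.
    if str(settings.get("AUTO_LOGIN", "true")).strip().lower() == "true":
        findings.append("AUTO_LOGIN is enabled: unauthenticated clients can obtain a superuser token")
    return findings


def find_build_public_tmp_requests(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Scan access-log lines and return every hit on the vulnerable endpoint."""
    hits = []
    for line in lines:
        m = ACCESS_LINE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path_match = BUILD_PUBLIC_TMP.match(m.group("path"))
        if m.group("method").upper() == "POST" and path_match:
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "flow_id": path_match.group(1),
                "status": m.group("status"),
            })
    return hits


if __name__ == "__main__":
    for finding in assess_instance("1.8.1", {"AUTO_LOGIN": "true"}):
        print("FINDING:", finding)
    for hit in find_build_public_tmp_requests(SAMPLE_LOG):
        print("REVIEW:", hit)
```

A hit on the endpoint is not proof of compromise on its own, since legitimate public-flow builds use the same path; treat a burst of POSTs from a single external address against a pre-1.9.0 instance with AUTO_LOGIN enabled as the combination worth escalating.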

Last updated: Apr 3, 2026, 08:15 AM
