Vulnerabilities | Critical

Langflow CVE-2026-33017: Critical RCE Exploited Within 20 Hours of Disclosure

Monday, April 6, 2026
Global
CISA KEV + The Hacker News

Summary

CVE-2026-33017 is a critical code injection vulnerability (CVSS 9.8) in the Langflow AI platform that allows unauthenticated remote code execution. Exploitation attempts were observed within 20 hours of public disclosure, and CISA has added it to the KEV catalog with a federal remediation deadline of April 8, 2026. All Langflow releases earlier than 1.9.0 are affected, including 1.8.2, which was initially reported as the patched version.

Threat Analysis

CVE-2026-33017 is a critical remote code execution vulnerability in Langflow, an open-source platform for building AI agents and pipelines. The flaw is in the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint, which builds public flows without requiring authentication. When the optional data parameter is supplied, the endpoint builds from that caller-controlled flow data; because flow data can carry Python code, an attacker can embed arbitrary Python that the server passes straight to exec() with no sandboxing. A single unauthenticated HTTP request therefore yields code execution inside the Langflow server process.
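To make the bug class concrete, here is an added illustration written for this page; it is not Langflow's code. The handler names, the JSON shape (a "nodes" list whose entries may carry a "code" field) and the node-type allow-list are assumptions for the example. It places the vulnerable pattern (caller-supplied flow data whose embedded Python reaches exec() on an endpoint with no caller check) beside a hardened handler that authenticates the caller and treats the flow strictly as data.

```python
"""
Added illustration of the CVE-2026-33017 bug class. NOT Langflow's code:
handler names, the JSON shape and ALLOWED_NODE_TYPES are assumptions.
"""
import json

# Constructed attacker payload standing in for the optional `data` parameter:
# one node whose "code" field is arbitrary Python that reads a secret from the
# process environment, the post-exploitation step the advisory describes.
ATTACKER_PAYLOAD = json.dumps({
    "nodes": [
        {
            "id": "n1",
            "type": "CustomComponent",
            "code": (
                "import os\n"
                "MARKER = 'executed on server'\n"
                "LEAKED_KEY = os.environ.get('OPENAI_API_KEY', '<unset>')\n"
            ),
        }
    ]
})

# Constructed benign flow: declarative nodes only, no inline code anywhere.
BENIGN_FLOW = json.dumps({
    "nodes": [
        {"id": "in", "type": "TextInput"},
        {"id": "tpl", "type": "PromptTemplate"},
        {"id": "out", "type": "ChatOutput"},
    ]
})


def build_public_flow_unsafe(flow_json: str) -> dict:
    """Vulnerable pattern: no caller check, every node's code is exec()'d in-process.

    Returns the names each node's code defined, which is enough to show that
    the attacker's source really ran with the server process's privileges.
    """
    flow = json.loads(flow_json)
    results = {}
    for node in flow.get("nodes", []):
        namespace = {}
        exec(node["code"], namespace)  # attacker-controlled source, no sandbox
        results[node["id"]] = {
            k: v for k, v in namespace.items() if not k.startswith("__")
        }
    return results


# Hypothetical allow-list of declarative node types the public builder accepts.
ALLOWED_NODE_TYPES = {"TextInput", "PromptTemplate", "ChatOutput"}


def build_public_flow_hardened(flow_json: str, authenticated: bool) -> dict:
    """Hardened pattern: authenticate first, then validate the flow as pure data.

    Nothing from the request is ever passed to exec(); a node carrying inline
    code, or a type outside the allow-list, rejects the whole build.
    """
    if not authenticated:
        return {"accepted": False, "reason": "authentication required"}
    try:
        flow = json.loads(flow_json)
    except json.JSONDecodeError as exc:
        return {"accepted": False, "reason": f"malformed flow JSON: {exc.msg}"}
    plan = []
    for node in flow.get("nodes", []):
        node_id = node.get("id", "<no id>")
        if "code" in node:
            return {"accepted": False,
                    "reason": f"node {node_id} carries inline code"}
        if node.get("type") not in ALLOWED_NODE_TYPES:
            return {"accepted": False,
                    "reason": f"node {node_id} has disallowed type {node.get('type')!r}"}
        plan.append((node_id, node["type"]))
    return {"accepted": True, "plan": plan}


if __name__ == "__main__":
    print(build_public_flow_unsafe(ATTACKER_PAYLOAD)["n1"]["MARKER"])
    print(build_public_flow_hardened(ATTACKER_PAYLOAD, authenticated=True))
    print(build_public_flow_hardened(BENIGN_FLOW, authenticated=True))
```

The hardened handler fails closed on two independent conditions: the caller must be authenticated, and the flow must validate against a schema that has no place for executable code. Either check alone would have blocked the advisory's attack path; having both means an authentication bypass elsewhere does not reopen exec().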

Affected Products: All Langflow releases before 1.9.0, i.e. up to and including 1.8.2. Note: version 1.8.2 was initially reported as the patched release but remains vulnerable; the actual fix is in version 1.9.0.

Exploitation Status: Actively exploited. Exploitation attempts were observed within 20 hours of public disclosure on March 17, 2026. Attackers progressed through automated scanning, custom exploit scripts, and data harvesting phases. CISA added the vulnerability to the KEV catalog on March 25, 2026, with a federal remediation deadline of April 8, 2026.

Impact: Successful exploitation gives arbitrary code execution with the full privileges of the Langflow server process. That enables reading environment variables (including API keys for OpenAI, Anthropic and AWS), reading and writing the file system, deploying a reverse shell, and using harvested credentials to move laterally into cloud accounts.

Recommended Mitigations: Upgrade to Langflow 1.9.0 or install langflow-nightly immediately; do not rely on 1.8.2, which does not contain the fix. If the upgrade cannot happen right away, block the /api/v1/build_public_tmp/ path at the reverse proxy as a stop-gap (this disables public-flow builds until the instance is patched). Because exploitation began within a day of disclosure, treat the secrets on any exposed instance as potentially harvested: audit and rotate all environment variables and API keys, including any cloud credentials the host can reach. Restrict network access to Langflow with firewall rules or a reverse proxy that enforces authentication in front of every endpoint. Monitor for outbound connections from the Langflow host to unusual callback or interaction services, and review proxy logs for POST requests to the build_public_tmp endpoint from untrusted sources.
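The upgrade and monitoring steps above reduce to two quick checks a defender wants on day one. The following triage script is an added example, not code from Langflow or from the sources cited on this page. It assumes an Nginx-style combined access log in front of Langflow; the log lines, the flow id, the query string, the /api/v1/build/ path used as a non-matching control and the 10.0.0.0/8 "trusted" range are all constructed for the example. The version check encodes the affected range stated above, including the 1.8.2 caveat.

```python
"""
Added triage example for CVE-2026-33017 (not Langflow's, CISA's or The Hacker
News' code). Two checks:
  1. version_verdict(): is this install inside the affected range? 1.8.2
     counts as affected even though it was first reported as the fix.
  2. suspicious_builds(): scan reverse-proxy access logs for POSTs to the
     unauthenticated build_public_tmp endpoint, the request shape an exploit
     attempt must use. Access logs do not record request bodies, so the `data`
     parameter itself is invisible; every external POST to this path therefore
     deserves a look, whatever status code it got.
Assumptions: Nginx combined log format; all log lines, the flow id, the query
string, the /api/v1/build/ path and the 10.0.0.0/8 range are constructed.
"""
import re
from ipaddress import ip_address, ip_network

FIXED_IN = (1, 9, 0)
RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def version_verdict(version: str) -> str:
    """'affected', 'fixed', or 'review' for non-release strings (nightlies)."""
    m = RELEASE_RE.match(version.strip())
    if not m:
        # langflow-nightly is stated to be fixed, but a numeric-prefix compare
        # cannot tell which nightly is installed; hand it to a human.
        return "review"
    if tuple(int(x) for x in m.groups()) < FIXED_IN:
        return "affected"  # includes 1.8.2, which does not contain the fix
    return "fixed"


# Constructed log excerpt: two external POSTs to the vulnerable endpoint (one
# answered 200, one 500), an internal build on a different (hypothetical)
# path, and an internal GET to the endpoint (wrong method, 405).
SAMPLE_LOG = """\
203.0.113.7 - - [18/Mar/2026:02:14:09 +0000] "GET /api/v1/version HTTP/1.1" 200 51 "-" "python-requests/2.32.3"
203.0.113.7 - - [18/Mar/2026:02:14:10 +0000] "POST /api/v1/build_public_tmp/2b5e9d0c-1a7f-4a44-9c3e-7c0a4d7f1e21/flow HTTP/1.1" 200 844 "-" "python-requests/2.32.3"
198.51.100.23 - - [18/Mar/2026:02:20:41 +0000] "POST /api/v1/build_public_tmp/2b5e9d0c-1a7f-4a44-9c3e-7c0a4d7f1e21/flow?stream=false HTTP/1.1" 500 97 "-" "curl/8.5.0"
10.0.5.12 - - [18/Mar/2026:02:21:03 +0000] "POST /api/v1/build/2b5e9d0c-1a7f-4a44-9c3e-7c0a4d7f1e21/flow HTTP/1.1" 200 1203 "https://langflow.internal/" "Mozilla/5.0"
10.0.5.12 - - [18/Mar/2026:02:22:17 +0000] "GET /api/v1/build_public_tmp/2b5e9d0c-1a7f-4a44-9c3e-7c0a4d7f1e21/flow HTTP/1.1" 405 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?:\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)
# Path of the vulnerable endpoint; a trailing query string, if any, is ignored.
ENDPOINT_RE = re.compile(r"^/api/v1/build_public_tmp/(?P<flow_id>[^/?]+)/flow(?:\?\S*)?$")
TRUSTED_NETS = [ip_network("10.0.0.0/8")]  # assumed internal range


def suspicious_builds(log_text: str) -> list[dict]:
    """Return every POST to the build_public_tmp endpoint, tagged external/internal."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; in production, count these separately
        if m["method"] != "POST":
            continue
        ep = ENDPOINT_RE.match(m["path"])
        if not ep:
            continue
        src = ip_address(m["ip"])
        hits.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "flow_id": ep["flow_id"],
            "status": int(m["status"]),  # a 500 is not proof the exploit failed
            "ua": m["ua"],
            "external": not any(src in net for net in TRUSTED_NETS),
        })
    return hits


if __name__ == "__main__":
    for v in ("1.8.1", "1.8.2", "1.9.0", "1.9.0.dev4"):
        print(v, version_verdict(v))
    for hit in suspicious_builds(SAMPLE_LOG):
        print(hit)
```

Run it against the real proxy log and the version reported by the instance; any external hit on a version that comes back "affected" should trigger the credential rotation step above rather than just a patch.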

Last updated: Apr 6, 2026, 08:20 AM
