CVE-2026-33017
Langflow is a tool for building and deploying AI-powered agents and workflows. The build_public_tmp endpoint is designed to be unauthenticated for public flows, but it incorrectly accepts attacker-supplied flow data. In versions prior to 1.9.0, CVE-2026-33017 allows an unauthenticated remote attacker to achieve remote code execution with full server process privileges. Exploitation requires the target Langflow instance to have at least one public flow, which is a common setup for demos, chatbots, shared workflows, and similar deployments. Security researchers reported that this vulnerability is currently being actively exploited and targeted by scanning activity.
EPSS 23.98% (96.1 percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Langflow | Langflow AI pipelines | prior to 1.9.0 |
Timeline
- Jun 28, 2025 PoC Published
- Mar 17, 2026 CVE Published
- Mar 18, 2026 Security Advisory
- Mar 18, 2026 PoC Published
- Mar 20, 2026 EPSS Score
- Mar 20, 2026 PoC Published (seven entries)
References
- https://ccb.belgium.be/advisories/warning-critical-vulnerability-langflow-ai-pipelines-patch-immediately (advisory)
- https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx (vendor)
- https://nvd.nist.gov/vuln/detail/CVE-2026-33017 (vendor)
- https://www.sysdig.com/blog/cve-2026-33017-how-attackers-compromised-langflow-ai-pipelines-in-20-hours (technical)