Critical Langflow RCE in Public Flow Endpoint Exploited Immediately
A critical unauthenticated remote code execution flaw in Langflow, tracked as CVE-2026-33017, allows attackers to execute arbitrary Python code through the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint. The vulnerability affects Langflow versions prior to 1.9.0 and stems from the application's handling of the optional data parameter, which can carry attacker-controlled flow definitions that are passed to exec() without sandboxing. The issue is separate from the earlier CVE-2025-3248, which involved authentication on a different endpoint.
Security researchers reported exploitation beginning within 20 hours of public disclosure, with attackers scanning for exposed Langflow instances, stealing credentials and environment data, reading files including /etc/passwd, and attempting to fetch a follow-on payload from 173.212.205[.]251:8443. The flaw requires no privileges or user interaction and carries high impact across confidentiality, integrity, and availability, underscoring the risk to AI workflow platforms that often hold sensitive data and integration secrets.
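A defender-side check for the activity described above, added here as an example and not taken from Langflow, Sysdig or the original report: it scans a reverse-proxy access log for POST requests to the public flow build endpoint and groups them by client. The Combined Log Format source, the function names and the sample lines (documentation IP ranges, made-up flow IDs) are assumptions.

```python
import re
from collections import defaultdict

# Endpoint from the advisory; the flow_id path segment is captured.
ENDPOINT = re.compile(r"^/api/v1/build_public_tmp/([^/?#]+)/flow/?(?:\?.*)?$")
# Combined Log Format as written by nginx or Apache (assumed log source).
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges, made-up flow IDs).
SAMPLE_LOG = """\
198.51.100.7 - - [20/Mar/2026:14:02:11 +0000] "POST /api/v1/build_public_tmp/11111111-1111-1111-1111-111111111111/flow HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [20/Mar/2026:14:02:13 +0000] "POST /api/v1/build_public_tmp/22222222-2222-2222-2222-222222222222/flow HTTP/1.1" 404 87 "-" "python-requests/2.31"
203.0.113.20 - - [20/Mar/2026:14:05:40 +0000] "GET /api/v1/build_public_tmp/11111111-1111-1111-1111-111111111111/flow HTTP/1.1" 405 31 "-" "curl/8.5"
203.0.113.20 - - [20/Mar/2026:14:06:02 +0000] "POST /api/v1/login HTTP/1.1" 401 44 "-" "curl/8.5"
this line is truncated and must not crash the parser
192.0.2.55 - - [20/Mar/2026:15:30:00 +0000] "POST /api/v1/build_public_tmp/11111111-1111-1111-1111-111111111111/flow?x=1 HTTP/1.1" 200 498 "-" "Mozilla/5.0"
"""


def find_public_build_posts(log_text):
    """Return one dict per POST to the public flow build endpoint."""
    hits = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m or m["method"] != "POST":
            continue  # skip malformed lines and non-POST requests
        ep = ENDPOINT.match(m["path"])
        if ep:
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "flow_id": ep.group(1), "status": int(m["status"])})
    return hits


def summarize(hits):
    """Group hits by client: request count, distinct flow IDs, 2xx count."""
    per_ip = defaultdict(lambda: {"requests": 0, "flow_ids": set(), "ok": 0})
    for h in hits:
        entry = per_ip[h["ip"]]
        entry["requests"] += 1
        entry["flow_ids"].add(h["flow_id"])
        entry["ok"] += (200 <= h["status"] < 300)
    return dict(per_ip)


if __name__ == "__main__":
    for ip, s in summarize(find_public_build_posts(SAMPLE_LOG)).items():
        print(ip, s["requests"], sorted(s["flow_ids"]), s["ok"])
```

Access logs in this format do not record request bodies, so a hit shows that the endpoint was reached, not that a data parameter was supplied. Clients with 2xx responses on instances older than 1.9.0 are the ones to triage first.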
Timeline
Mar 25, 2026
CISA adds CVE-2026-33017 to KEV catalog
CISA added Langflow flaw CVE-2026-33017 to its Known Exploited Vulnerabilities catalog on March 25, 2026, citing active exploitation in the wild. The agency directed Federal Civilian Executive Branch agencies to remediate by April 8, 2026, and advised organizations to apply updates or discontinue use if no verified fix is available.
Mar 24, 2026
Nuclei template with PoC detection is added for CVE-2026-33017
A pull request to ProjectDiscovery's nuclei-templates repository added a Nuclei template for CVE-2026-33017 targeting Langflow's unauthenticated /api/v1/build_public_tmp/{flow_id}/flow endpoint. After review flagged issues in the initial version, the template was updated with the correct affected version range, metadata, and a functional POST-based proof-of-concept detection method to verify code execution.
Mar 20, 2026
Attackers begin exploiting Langflow flaw within 20 hours
Within 20 hours of disclosure, attackers were observed actively exploiting CVE-2026-33017 against vulnerable Langflow instances. Sysdig reported scanning activity, theft of credentials and environment data, reading of files such as /etc/passwd, and attempts to fetch a next-stage payload from 173.212.205[.]251:8443.
Mar 20, 2026
CVE-2026-33017 is publicly disclosed
A critical Langflow vulnerability, CVE-2026-33017, was publicly disclosed as an unauthenticated remote code execution issue in POST /api/v1/build_public_tmp/{flow_id}/flow. The flaw allowed attacker-supplied flow data containing arbitrary Python code to reach exec() without sandboxing.
Mar 20, 2026
Langflow fixes CVE-2026-33017 in version 1.9.0
Langflow addressed a critical unauthenticated remote code execution flaw in the public flow build endpoint by releasing a fix in version 1.9.0. The vulnerability affected versions prior to 1.9.0, with reporting also noting development build 1.9.0.dev8 as containing the remediation.
Mar 17, 2026
CVE-2026-33017 is disclosed in Langflow advisory
Langflow publicly disclosed CVE-2026-33017 on March 17, 2026 as a critical unauthenticated remote code execution flaw in the public flow build endpoint. The issue allowed arbitrary Python code execution via a single HTTP request against vulnerable instances.
Related Stories

Critical Flowise RCE Vulnerability CVE-2025-61913 Enables Arbitrary File Read and Write
A critical remote code execution vulnerability, tracked as CVE-2025-61913, has been identified in Flowise, a drag-and-drop user interface for building customized large language model flows. The flaw exists in versions prior to 3.0.8 and is caused by insufficient restrictions in the WriteFileTool and ReadFileTool components, which fail to properly validate file path access. This oversight allows authenticated attackers to read and write arbitrary files to any location on the file system, significantly increasing the risk of remote code execution. The vulnerability has been assigned a CVSS score of 10.0, indicating its maximum severity and potential for exploitation. According to security advisories, the issue can be exploited remotely, making it a high-priority concern for organizations using affected versions of Flowise. The vulnerability was publicly disclosed on October 8, 2025, and a security update was released in version 3.0.8 to address the issue. Attackers leveraging this flaw could gain unauthorized access to sensitive files, modify system configurations, or deploy malicious payloads, potentially leading to full system compromise. The vulnerability affects all installations of Flowise prior to the patched version, though the exact list of affected products and vendors has not been fully enumerated. Security researchers emphasize the critical nature of the flaw due to the ease of exploitation and the broad impact on confidentiality, integrity, and availability. Organizations are strongly advised to upgrade to Flowise version 3.0.8 or later to mitigate the risk. The vulnerability was reported through GitHub security advisories, highlighting the importance of monitoring open-source project disclosures. No evidence of active exploitation in the wild has been reported as of the disclosure date, but the public availability of technical details increases the urgency for remediation. 
The flaw underscores the risks associated with insufficient input validation in file handling components of web applications. Security teams should review their deployment of Flowise and apply the necessary patches without delay. In addition to patching, organizations should audit access logs for signs of suspicious file operations that could indicate attempted exploitation. The incident serves as a reminder of the critical need for secure coding practices and regular vulnerability assessments in software development.
1 month ago
High-Severity Flaws in Langflow and vLLM Expose Secrets and Enable RCE
Two high-severity vulnerabilities were disclosed in widely used AI application components, affecting **Langflow** and **vLLM**. In Langflow, `CVE-2026-33497` impacts versions before **1.7.1** and stems from improper filtering of `folder_name` and `file_name` in the `/profile_pictures/{folder_name}/{file_name}` endpoint. The path traversal flaw (`CWE-22`) allows unauthenticated attackers to read files across directories, including the application's `secret_key`, creating a direct risk of secret exposure and follow-on compromise. The issue is addressed in **Langflow 1.7.1** and tracked in GitHub advisory `GHSA-ph9w-r52h-28p7`. A separate flaw in vLLM, `CVE-2026-27893`, can lead to **remote code execution** by bypassing a user's attempt to disable remote code trust. In versions from **0.10.1** up to but not including **0.18.0**, two model implementation files hardcoded `trust_remote_code=True`, overriding the safer `--trust-remote-code=False` setting and allowing malicious model repositories to run code during model use. The vulnerability, classified as `CWE-693`, was patched in **vLLM 0.18.0**, underscoring supply-chain and configuration-bypass risks in AI infrastructure components.
1 month ago
Active Exploitation of Flowise CustomMCP RCE Exposes Thousands of Internet-Facing Instances
Threat actors are actively exploiting **CVE-2025-59528**, a **CVSS 10.0** remote code execution flaw in the open-source AI platform **Flowise**. The bug affects Flowise versions through **3.0.5** and stems from the `CustomMCP` node unsafely passing user-controlled input into JavaScript execution, allowing attackers with an API token to run arbitrary code with full **Node.js** runtime privileges. Researchers said the issue can be triggered remotely via a crafted HTTP `POST` request without user interaction, leading to operating system command execution, filesystem access, sensitive data theft, and full system compromise. Security researchers observed in-the-wild exploitation originating from a single **Starlink IP address**, while warning that roughly **12,000 to 15,000** internet-exposed Flowise instances sharply expand the attack surface for opportunistic attacks. Flowise disclosed the vulnerability in 2025, credited researcher **Kim SooHyun**, and patched the flaw in **version 3.0.6**. The incident marks the third Flowise vulnerability reported as exploited in the wild after **CVE-2025-8943** and **CVE-2025-26319**, increasing pressure on organizations to upgrade immediately and limit public exposure of Flowise APIs.
1 week ago