Langflow · Langflow · CVE-2026-33017
**Name of the Vulnerable Software and Affected Versions**
Langflow versions prior to 1.9.0
**Description**
Langflow is a visual framework used to build and deploy AI-powered agents and workflows. A critical issue exists in the "POST /api/v1/build_public_tmp/{flow_id}/flow" endpoint, which is designed to allow the building of public flows without authentication. When the optional `data` parameter is supplied, the endpoint incorrectly uses attacker-controlled flow data containing arbitrary Python code in node definitions instead of the stored data from the database. This code is passed to the `exec()` function without any sandboxing, leading to unauthenticated remote code execution (RCE).
Real-world exploitation has been observed, with attackers scanning for exposed instances and using the vulnerability to harvest sensitive information, including `.env` and `.db` files containing API keys for OpenAI, Anthropic, and AWS. Some attackers have utilized a NATS-based command-and-control (C2) infrastructure, referred to as the KeyHunter operation, to exfiltrate credentials and perform LLMjacking, which involves using stolen keys to access expensive AI models like Amazon Bedrock at the victim's expense.
**Recommendations**
Update Langflow to version 1.9.0.
As a temporary mitigation, remove the `data` parameter from the "/api/v1/build_public_tmp/{flow_id}/flow" endpoint to ensure public flows only use stored database data.
Ensure that Langflow UI and API endpoints are not exposed to the public internet by using VPNs or zero-trust gateways.
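Where the upgrade cannot be applied immediately, the temporary mitigation above can be enforced in a reverse proxy or middleware in front of Langflow. The following Python function is an added example, not Langflow's code or its patch; the name `filter_public_build`, the three action labels, and the assumption that `data` arrives as a top-level field of a JSON request body are assumptions of this example.

```python
import json
import re
from urllib.parse import unquote

# Endpoint path from the advisory; the flow id segment is matched loosely.
PUBLIC_BUILD = re.compile(r"^/api/v1/build_public_tmp/[^/]+/flow/?$")


def filter_public_build(method, path, body):
    """Decide what a front-end proxy should do with one request.

    Returns (action, body, reason). action is "pass" (forward unchanged),
    "strip" (forward the rewritten body) or "reject" (answer 400 locally).
    Assumption: `data` is a top-level key of a JSON object body.
    """
    # Drop the query string, then percent-decode so an encoded path such as
    # build%5Fpublic_tmp is compared in the form the backend would route.
    route = unquote(path.split("?", 1)[0])
    if method.upper() != "POST" or not PUBLIC_BUILD.match(route):
        return "pass", body, "not the public build endpoint"
    if not body.strip():
        return "pass", body, "empty body, stored flow is used"
    try:
        doc = json.loads(body)
    except ValueError:
        # Fail closed: a body this filter cannot parse must not reach the
        # backend, which might parse it differently.
        return "reject", b"", "body is not valid JSON"
    if not isinstance(doc, dict):
        return "reject", b"", "body is not a JSON object"
    if "data" not in doc:
        return "pass", body, "no data field"
    # Remove caller-supplied flow data so only the stored flow is built.
    # Re-serialising also collapses duplicate keys to a single value.
    doc.pop("data")
    return "strip", json.dumps(doc).encode(), "caller-supplied data removed"
```

Requests that come back as "strip" are worth logging with source address and timestamp, since a `data` field on this unauthenticated endpoint matches the exploitation pattern described above.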