PT-2026-25992 · Langflow · Langflow
Aviral2642 · Published 2025-06-17 · Updated 2026-04-30 · CVE-2026-33017
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Langflow versions prior to 1.9.0 are affected.
Description: Langflow is vulnerable to unauthenticated remote code execution (RCE). The POST /api/v1/build_public_tmp/{flow_id}/flow endpoint is designed to be unauthenticated so that public flows can be built, but it incorrectly accepts attacker-supplied data: when the optional data parameter is supplied, the endpoint uses that attacker-controlled flow data, whose node definitions can contain arbitrary Python code, instead of the stored flow data. That code is passed to exec() without sandboxing, resulting in unauthenticated RCE. The vulnerability was actively exploited in the wild within 20 hours of disclosure, with attackers harvesting API keys and sensitive data.
Recommendations: Update to version 1.9.0 or later. As a temporary workaround, block unauthenticated access to the /api/v1/build_public_tmp/{flow_id}/flow endpoint or disable public flows. If the instance is exposed, set AUTO_LOGIN=false.
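The interim workaround above, as an added example that is neither the advisory's nor Langflow's own code: a reverse-proxy decision function that denies unauthenticated calls to the public build endpoint (and, defensively, any client-supplied flow override), plus a triage pass over constructed access-log records. The route regex assumes the extracted path segments were originally written with underscores; the "data" parameter name comes from the advisory.

```python
import json
import re
from dataclasses import dataclass

# Route from the advisory; underscores assumed (extracted text reads "build public tmp").
PUBLIC_BUILD_RE = re.compile(r"^/api/v1/build_public_tmp/(?P<flow_id>[^/]+)/flow/?$")

@dataclass
class Request:
    method: str
    path: str
    authenticated: bool  # True if the gateway validated a session or API key
    body: str = ""       # raw JSON body, empty for GET

def supplies_flow_override(body: str) -> bool:
    """True when the JSON body carries the optional 'data' parameter the endpoint uses instead of the stored flow."""
    try:
        obj = json.loads(body) if body else None
    except json.JSONDecodeError:
        return False
    return isinstance(obj, dict) and obj.get("data") is not None

def gateway_decision(req: Request) -> tuple[str, str]:
    """Interim reverse-proxy policy for an unpatched instance: deny unauthenticated calls
    to the public build endpoint (the advisory's workaround) and any flow override."""
    if req.method != "POST" or not PUBLIC_BUILD_RE.match(req.path):
        return "allow", "not the public build endpoint"
    if not req.authenticated:
        return "deny", "unauthenticated public flow build"
    if supplies_flow_override(req.body):
        return "deny", "client-supplied 'data' would replace the stored flow"
    return "allow", "authenticated build using the stored flow"

def triage_log(lines: list[str]) -> list[dict]:
    """Surface every POST to the public build endpoint in JSON access-log records."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        m = PUBLIC_BUILD_RE.match(rec.get("path", ""))
        if rec.get("method") == "POST" and m:
            hits.append({"src": rec.get("src"), "flow_id": m["flow_id"], "status": rec.get("status")})
    return hits

# Constructed sample records, not real traffic.
SAMPLE_LOG = [
    '{"src": "203.0.113.5", "method": "POST", "path": "/api/v1/build_public_tmp/abc-123/flow", "status": 200}',
    '{"src": "198.51.100.9", "method": "GET", "path": "/api/v1/flows/", "status": 200}',
    '{"src": "203.0.113.5", "method": "POST", "path": "/api/v1/build_public_tmp/abc-123/flow/", "status": 403}',
]
```

On an unpatched host, every hit returned by triage_log with a 2xx status deserves review, since the endpoint needs no credentials to reach.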

Exploit · Fix
Weakness Enumeration: RCE, Code Injection, Eval Injection, Missing Authentication
Related Identifiers: CVE-2026-33017, GHSA-RVQX-WPFH-MFX7, GHSA-VWMF-PQ79-VJVX
Affected Products: Langflow