PT-2026-25992 · Langflow · Langflow

Aviral2642 · Published 2025-06-17 · Updated 2026-06-23 · CVE-2026-33017

CVSS v4.0: 10 (Critical)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A
Name of the Vulnerable Software and Affected Versions

Langflow versions prior to 1.9.0

Description

Langflow is a visual framework for building AI agents and workflows. A critical issue exists in the 'POST /api/v1/build_public_tmp/{flow_id}/flow' endpoint, which allows the construction of public flows without authentication. When the optional data parameter is provided, the system uses attacker-controlled flow data containing arbitrary Python code in node definitions instead of the data stored in the database. This code is passed to the exec() function without sandboxing, leading to unauthenticated remote code execution (RCE).

Real-world exploitation has been observed, with attackers scanning for exposed instances and using the vulnerability to harvest sensitive information, including .env and .db files containing OpenAI, Anthropic, and AWS API keys. Some attackers have utilized a NATS-based command-and-control (C2) infrastructure, referred to as the KeyHunter operation, to exfiltrate credentials and perform LLMjacking, which involves using stolen keys to access expensive AI models like Amazon Bedrock at the victim's expense.

Recommendations

Update Langflow to version 1.9.0. As a temporary workaround, restrict access to the Langflow UI and API endpoints by using a VPN or zero-trust gateway to ensure they are not exposed to the public internet.
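
To check whether the workaround holds, the sketch below reviews reverse-proxy access logs for POST requests to the endpoint named in the description that arrive from outside the trusted networks. It is an added example, not Langflow code or part of the original advisory; it assumes combined-log-format lines, the underscored path spelling /api/v1/build_public_tmp/{flow_id}/flow, and placeholder trusted ranges, and the sample log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Networks allowed to reach Langflow (assumption: your VPN / internal ranges).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Combined-log-format prefix: source, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# The public-flow build endpoint from the advisory, with any flow id.
ENDPOINT_RE = re.compile(r"^/api/v1/build_public_tmp/[^/?#]+/flow/?(?:\?.*)?$")

# Constructed sample log lines (documentation IP ranges, made-up flow ids).
SAMPLE_LOG = """\
10.1.2.3 - - [01/Jan/2026:10:00:00 +0000] "POST /api/v1/build_public_tmp/1111/flow HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2026:10:00:05 +0000] "POST /api/v1/build_public_tmp/2222/flow HTTP/1.1" 200 734
203.0.113.7 - - [01/Jan/2026:10:00:09 +0000] "POST /api/v1/build_public_tmp/2222/flow?x=1 HTTP/1.1" 500 90
198.51.100.9 - - [01/Jan/2026:10:01:00 +0000] "GET /api/v1/build_public_tmp/3333/flow HTTP/1.1" 405 0
198.51.100.9 - - [01/Jan/2026:10:01:02 +0000] "POST /api/v1/login HTTP/1.1" 401 0
not a log line
"""

def is_trusted(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # hostnames or malformed sources count as untrusted
    return any(ip in net for net in TRUSTED_NETS)

def find_untrusted_builds(log_text):
    """Return {source: [(timestamp, path, status), ...]} for POSTs to the
    public-flow build endpoint from sources outside TRUSTED_NETS."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparseable line or not a build request
        if not ENDPOINT_RE.match(m["path"]):
            continue
        if not is_trusted(m["src"]):
            hits[m["src"]].append((m["ts"], m["path"], int(m["status"])))
    return dict(hits)

if __name__ == "__main__":
    for src, events in find_untrusted_builds(SAMPLE_LOG).items():
        print(src, len(events), "request(s):", events)
```

Any hit on a pre-1.9.0 instance means the endpoint was reachable from an untrusted network; a 2xx status on such a request is the one to prioritise for incident review and key rotation.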

Exploit

Fix

RCE

Missing Authentication

Code Injection

Eval Injection


Weakness Enumeration

Related Identifiers

BDU:2026-06918
CVE-2026-33017
GHSA-RVQX-WPFH-MFX7
GHSA-VWMF-PQ79-VJVX

Affected Products

Langflow