PT-2026-25992 · Langflow · Langflow
Aviral2642
·
Published
2025-06-17
·
Updated
2026-07-12
·
CVE-2026-33017
CVSS v2.0
10
Critical
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Langflow versions prior to 1.9.0
Description
Langflow contains a flaw in the 'POST /api/v1/build public tmp/{flow id}/flow' endpoint that allows unauthenticated remote code execution. The endpoint is designed to build public flows without authentication, but it incorrectly accepts an optional
data parameter. When this parameter is provided, the system uses attacker-controlled flow data containing arbitrary Python code in node definitions instead of the data stored in the database. This code is processed by the exec() function without sandboxing, allowing an attacker to execute shell commands and exfiltrate sensitive information such as API keys, database credentials, and cloud metadata tokens. Real-world incidents involve the Keyhunter botnet exploiting this issue to perform LLMjacking by stealing credentials for OpenAI, Anthropic, and AWS.Recommendations
Update Langflow to version 1.9.0.
As a temporary mitigation, restrict access to the 'POST /api/v1/build public tmp/{flow id}/flow' endpoint or ensure the
data parameter is not processed for unauthenticated requests.Exploit
Fix
RCE
Missing Authentication
Code Injection
Eval Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Langflow