PT-2026-25992 · Langflow · Langflow

Aviral2642

·

Published

2025-06-17

·

Updated

2026-07-12

·

CVE-2026-33017

CVSS v2.0

10

Critical

VectorAV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions Langflow versions prior to 1.9.0
Description Langflow contains a flaw in the 'POST /api/v1/build public tmp/{flow id}/flow' endpoint that allows unauthenticated remote code execution. The endpoint is designed to build public flows without authentication, but it incorrectly accepts an optional data parameter. When this parameter is provided, the system uses attacker-controlled flow data containing arbitrary Python code in node definitions instead of the data stored in the database. This code is processed by the exec() function without sandboxing, allowing an attacker to execute shell commands and exfiltrate sensitive information such as API keys, database credentials, and cloud metadata tokens. Real-world incidents involve the Keyhunter botnet exploiting this issue to perform LLMjacking by stealing credentials for OpenAI, Anthropic, and AWS.
Recommendations Update Langflow to version 1.9.0. As a temporary mitigation, restrict access to the 'POST /api/v1/build public tmp/{flow id}/flow' endpoint or ensure the data parameter is not processed for unauthenticated requests.

Exploit

Fix

RCE

Missing Authentication

Code Injection

Eval Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BDU:2026-06918
CVE-2026-33017
GHSA-RVQX-WPFH-MFX7
GHSA-VWMF-PQ79-VJVX
PYSEC-2026-379

Affected Products

Langflow