Langflow CVE-2026-33017: Critical RCE Exploited in 20 Hours — Patch Now

Abhishek Gautam · 7 min read

Quick summary

CVE-2026-33017 is a CVSS 9.3 RCE in Langflow affecting all versions up to 1.8.1. Attackers exploited it within 20 hours with no PoC. Upgrade to 1.9.0 immediately.

If you run Langflow anywhere that is reachable from the internet, stop reading and upgrade to version 1.9.0 right now. Come back after.

CVE-2026-33017 is a CVSS 9.3 unauthenticated remote code execution vulnerability in Langflow. It was disclosed on March 17, 2026. Attackers had working exploits within 20 hours — before any public proof-of-concept existed. API keys, database credentials, and environment variables are being exfiltrated from vulnerable instances right now.

What Langflow Is

Langflow is an open source visual framework for building AI agent pipelines and RAG (Retrieval-Augmented Generation) applications. You drag components onto a canvas — LLMs, vector databases, API connectors, custom Python code — and wire them together into a flow. It is popular among developers building AI applications who want a visual interface rather than writing orchestration code from scratch.

Because Langflow connects to databases, API keys, LLMs, and often production data sources, a compromised Langflow instance gives an attacker access to everything it touches.

The Vulnerability: What Is Actually Broken

The vulnerable endpoint is:

POST /api/v1/build_public_tmp/{flow_id}/flow

This endpoint exists to allow unauthenticated users to run public flows — flows that the owner has deliberately shared publicly. The design intent is reasonable: let users run a flow without requiring them to log in.

The implementation is not.

When an optional data parameter is supplied in the request body, the endpoint uses the attacker-supplied flow data instead of the stored flow from the database. That attacker-supplied data can contain arbitrary Python code in node definitions. The endpoint passes this code directly to Python's exec() function with zero sandboxing.

The result: an attacker sends a single HTTP POST request to any publicly accessible Langflow instance and executes arbitrary code as the Langflow process. No credentials. No prior access. No authentication of any kind.

The Exploitation Timeline

Sysdig's Threat Research Team observed the first exploitation attempts within 20 hours of the advisory's publication on March 17. No public proof-of-concept code existed at the time. Attackers reverse-engineered a working exploit directly from the advisory description.

The attack progression Sysdig observed:

Phase 1 (Hours 0-20): Four IP addresses began mass scanning the internet for exposed Langflow instances. All four delivered the same payload — reconnaissance to identify vulnerable targets.

Phase 2 (Hours 20-48): A fifth IP entered with more sophisticated behaviour — active reconnaissance using pre-staged infrastructure, identifying which targets had connected databases and API keys.

Phase 3 (Hours 48+): Targeted data exfiltration from identified victims. Custom scripts sent harvested data — API keys, environment variables, database credentials — to a command-and-control server. Six unique source IPs observed total.

The speed from disclosure to active exfiltration is notable. This was not a script kiddie running a public tool. The attackers understood the advisory well enough to build a working exploit faster than most organisations could patch.

What Gets Stolen

The data exfiltrated from compromised Langflow instances is particularly damaging because of what Langflow typically connects to:

  • LLM API keys (OpenAI, Anthropic, Google) — an attacker with your API keys can run inference at your cost, access fine-tuned models, and potentially exfiltrate training data
  • Vector database credentials (Pinecone, Weaviate, Chroma, pgvector) — your embedded knowledge base, documents, and proprietary data
  • Database passwords — whatever databases Langflow connects to for RAG retrieval
  • Environment variables — every secret stored in your deployment environment

If you ran a publicly accessible Langflow instance on versions 1.8.1 or earlier, treat all connected credentials as compromised until rotated.

How to Fix It

Step 1: Upgrade immediately

pip install langflow==1.9.0

Or if using Docker:

docker pull langflowai/langflow:1.9.0

Version 1.9.0 patches CVE-2026-33017 by removing the ability to supply external flow data to the build_public_tmp endpoint. The endpoint now only uses stored flow data from the database.

Step 2: Rotate all credentials

Even after patching, rotate everything your Langflow instance had access to:

  • OpenAI, Anthropic, Google API keys
  • Vector database credentials
  • Any database passwords in environment variables
  • Cloud provider credentials if Langflow ran with IAM permissions

Step 3: Audit for signs of compromise

Check your Langflow logs for POST requests to /api/v1/build_public_tmp/ whose request body includes the data parameter. Check for unusual outbound network connections from your Langflow host. Check LLM API usage dashboards for unexpected spikes.
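One way to run the log check in Step 3, as an added example (not code from Langflow or from the original article). It assumes your reverse proxy writes JSON-lines logs with the hypothetical fields ts, src, method, path and an optional body; the sample records are constructed. Because many proxies do not log request bodies, hits without a body are reported separately rather than dropped.

```python
import json
import re
from collections import defaultdict

# Endpoint path as given in the article: /api/v1/build_public_tmp/{flow_id}/flow
ENDPOINT = re.compile(r"^/api/v1/build_public_tmp/([^/?]+)/flow/?(?:\?.*)?$")
# Constructed sample log. Field names (ts, src, method, path, body) and all
# values are assumptions for illustration; map them to your own log schema.
FLOW = "/api/v1/build_public_tmp/00000000-0000-4000-8000-000000000001/flow"
SAMPLE_RECORDS = [
    {"ts": "2026-03-18T02:11:05Z", "src": "198.51.100.7", "method": "POST",
     "path": FLOW, "body": json.dumps({"data": {"nodes": [], "edges": []}})},
    {"ts": "2026-03-18T02:14:40Z", "src": "203.0.113.20", "method": "POST", "path": FLOW, "body": "{}"},
    {"ts": "2026-03-18T03:02:19Z", "src": "198.51.100.7", "method": "POST", "path": FLOW},
    {"ts": "2026-03-18T03:05:00Z", "src": "203.0.113.20", "method": "GET", "path": "/health"},
]
SAMPLE_LOG = [json.dumps(r) for r in SAMPLE_RECORDS] + ["truncated, non-JSON line"]

def classify(record):
    """Return (flow_id, verdict) for a POST to the endpoint, else None."""
    m = ENDPOINT.match(str(record.get("path", "")))
    if not m or str(record.get("method", "")).upper() != "POST":
        return None
    body = record.get("body")
    if body is None:
        return m.group(1), "body-not-logged"  # cannot be cleared from the log
    try:
        parsed = json.loads(body)
    except (TypeError, ValueError):
        return m.group(1), "unparseable-body"
    if isinstance(parsed, dict) and "data" in parsed:
        return m.group(1), "data-supplied"  # client sent its own flow definition
    return m.group(1), "no-data"

def audit(lines):
    """Group endpoint hits as {source_ip: {verdict: [timestamps]}}."""
    findings = defaultdict(lambda: defaultdict(list))
    for line in lines:
        try:
            record = json.loads(line)
        except ValueError:
            continue  # skip lines that are not valid JSON
        hit = classify(record) if isinstance(record, dict) else None
        if hit:
            findings[record.get("src", "unknown")][hit[1]].append(record.get("ts"))
    return {src: dict(verdicts) for src, verdicts in findings.items()}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_LOG), indent=2))
```

Prioritise source IPs with a data-supplied verdict, and review body-not-logged hits against outbound connection and API usage records from the same time window.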

Step 4: Restrict network access

Even on a patched version, Langflow should not be directly exposed to the public internet unless you have a specific use case requiring it. Put it behind a reverse proxy with authentication (Nginx, Caddy, Traefik) or restrict access by IP.

Why This Keeps Happening

Langflow had a similar unauthenticated RCE vulnerability in 2024 (CVE-2024-37393) that was also exploited in the wild. The pattern is the same: a public endpoint designed for convenience that executes user-supplied code without adequate sandboxing.

AI application frameworks are a high-value target. They sit at the intersection of LLM API keys, proprietary data, and production infrastructure. A compromised Langflow instance is not just a compromised server — it is a compromised AI application with access to everything that application touches.

The speed of exploitation here — 20 hours with no public PoC — reflects how closely threat actors are monitoring AI tooling CVEs. If you run AI infrastructure tools in production, patch cadence matters more than it did two years ago.

Affected Versions and Patch Status

  • Affected: All Langflow versions up to and including 1.8.1
  • Fixed: Langflow 1.9.0 (released March 17, 2026)
  • CVSS Score: 9.3 (Critical)
  • CVE: CVE-2026-33017
  • CWE: CWE-94 (Improper Control of Code Generation)

Key Takeaways

  • CVE-2026-33017 is a CVSS 9.3 unauthenticated RCE in Langflow — no credentials needed, single HTTP request
  • All versions up to 1.8.1 are vulnerable — upgrade to 1.9.0 immediately: pip install langflow==1.9.0
  • Exploited within 20 hours of disclosure — before any public PoC existed, attackers reverse-engineered the exploit from the advisory
  • Data being exfiltrated: LLM API keys, vector database credentials, database passwords, environment variables
  • Attack has three phases: mass scanning → targeted reconnaissance → credential exfiltration
  • Rotate all credentials connected to any Langflow instance running 1.8.1 or earlier — treat them as compromised
  • Put Langflow behind auth even after patching — it should not be directly internet-accessible
  • This is the second Langflow RCE in two years — CVE-2024-37393 had the same pattern
