CVE-2026-33017
CriticalSummary
Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allowed building public flows without requiring authentication, leading to the possibility of remote code execution by unauthorized users.
Risk Assessment
Organizations may be exposed to remote code execution, which can lead to serious security breaches and data loss. Attackers can exploit this vulnerability to execute arbitrary code on the server.
Recommendation
It is recommended to update Langflow to version 1.9.0 or later to eliminate this vulnerability. A security audit of the application should also be conducted to identify other potential threats.
Original NVD description (English source)
Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.

