Langflow CVE-2026-33017 unauthenticated RCE exploited in wild
CVE-2026-33017, a CVSS 9.3 unauthenticated remote code execution vulnerability in Langflow, was exploited in the wild within 20 hours of its March 17, 2026 disclosure. Attackers developed working exploits directly from the advisory description, without waiting for a public proof of concept. The vulnerability exists in the public flow build endpoint at POST /api/v1/build_public_tmp/{flow_id}/flow, present in all versions through 1.8.1.
The endpoint accepts attacker-supplied flow data containing arbitrary Python code in node definitions. That code executes through a call chain ending in an unsandboxed exec call in src/lfx/src/lfx/custom/validate.py, with no AST filtering or privilege isolation. The Sysdig Threat Research Team observed initial access through custom Python scripts that extracted /etc/passwd contents, followed
CISA added CVE-2026-33017 to its Known Exploited Vulnerabilities catalog on March 25, 2026, requiring federal agencies to remediate
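For defenders triaging an exposed Langflow instance, the two facts above that matter most are the endpoint path and the affected version range. The following Python script is an added example, not code from Langflow, Sysdig or CISA: it scans web server access logs (Combined Log Format) for POST requests to the public flow build endpoint, summarises them by source address, and checks whether a reported Langflow version falls within the affected range (all versions through 1.8.1). The log lines, IP addresses and flow IDs are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample access log lines (Combined Log Format) for illustration;
# the addresses, timestamps and flow IDs are not from any real incident.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Mar/2026:03:14:07 +0000] "POST /api/v1/build_public_tmp/4f2c9c1e-aaaa-bbbb-cccc-123456789abc/flow HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.0.0.9 - - [18/Mar/2026:03:15:11 +0000] "GET /api/v1/flows/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.5 - - [18/Mar/2026:03:16:42 +0000] "POST /api/v1/build_public_tmp/deadbeef-1111-2222-3333-444444444444/flow HTTP/1.1" 500 88 "-" "curl/8.4.0"
10.0.0.7 - - [18/Mar/2026:03:17:00 +0000] "POST /api/v1/login HTTP/1.1" 401 40 "-" "Mozilla/5.0"
"""

# Combined Log Format: ip ident user [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# The endpoint named in the advisory; {flow_id} is any single path segment.
BUILD_PUBLIC_RE = re.compile(r"^/api/v1/build_public_tmp/[^/]+/flow$")

# Last affected release per the advisory text on this page.
LAST_AFFECTED = (1, 8, 1)


@dataclass
class Hit:
    ip: str
    ts: str
    status: int
    ua: str
    path: str


def find_build_public_hits(log_text):
    """Return every POST to the public flow build endpoint found in the log text."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Combined Log Format
        if m["method"] == "POST" and BUILD_PUBLIC_RE.match(m["path"]):
            hits.append(Hit(m["ip"], m["ts"], int(m["status"]), m["ua"], m["path"]))
    return hits


def summarize_by_source(hits):
    """Count hits per source address so repeated callers stand out."""
    counts = {}
    for h in hits:
        counts[h.ip] = counts.get(h.ip, 0) + 1
    return counts


def _numeric_tuple(version):
    """Reduce a version string to (major, minor, patch), ignoring suffixes like 'rc1'."""
    nums = []
    for part in version.split(".")[:3]:
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_affected_version(version):
    """True if the given Langflow version is at or below the last affected release."""
    return _numeric_tuple(version) <= LAST_AFFECTED


if __name__ == "__main__":
    hits = find_build_public_hits(SAMPLE_LOG)
    for h in hits:
        print(f"{h.ts} {h.ip} -> {h.path} status={h.status} ua={h.ua!r}")
    print("per-source counts:", summarize_by_source(hits))
    for v in ("1.7.12", "1.8.1", "1.8.2"):
        print(v, "affected" if is_affected_version(v) else "not affected")
```

Any POST to this endpoint from an instance that was not deliberately publishing flows is worth investigating, and a 200 response does not mean the request was benign: the vulnerable code path returns normally after the embedded Python has already run. Pair the log review with the version check, and treat any instance at or below 1.8.1 that was reachable from the internet as potentially compromised rather than merely unpatched.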
Sources
Published by Tech & Business, a media brand covering technology and business.
This story was sourced from Cloud Security Alliance and reviewed by the T&B editorial agent team.