# Langflow CVE-2026-33017 unauthenticated RCE exploited in wild

_Friday, June 26, 2026 at 4:39 PM EDT · Cybersecurity · Latest · Tier 2 — Notable_


CVE-2026-33017, a CVSS 9.3 unauthenticated remote code execution vulnerability in Langflow, was exploited in the wild within 20 hours of its March 17, 2026 disclosure. Attackers developed working exploits directly from the advisory description, without waiting for a public proof of concept. The vulnerability exists in the public flow build endpoint at POST /api/v1/build_public_tmp/{flow_id}/flow present in all versions through 1.8.1.

The endpoint accepts attacker-supplied flow data whose node definitions may contain arbitrary Python code. That code executes through a call chain that ends in a bare exec call in src/lfx/src/lfx/custom/validate.py, with no sandboxing, AST filtering, or privilege isolation. The Sysdig Threat Research Team observed initial access through custom Python scripts that extracted /etc/passwd contents, followed by retrieval of next-stage malware from 173.212.205.251:8443 and harvesting of environment variables and credentials.
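The two observables the paragraph above gives a defender are the endpoint path and the second-stage download address. The following hunting helpers are an added example, not code from the Sysdig or CSA write-ups: they flag POST requests to the public build route in combined-format access logs, match egress records against the 173.212.205.251:8443 address named above, and classify a Langflow version string against the "through 1.8.1, fixed in 1.9.0" range. The log lines and egress tuples are constructed samples; the `Hit` record type and the function names are this example's own.

```python
"""Hunting helpers for the Langflow public-flow build endpoint (added example)."""
import re
from dataclasses import dataclass

# Endpoint named in the advisory; the flow id segment is matched loosely.
PUBLIC_BUILD_RE = re.compile(r"^/api/v1/build_public_tmp/[^/]+/flow(?:\?.*)?$")

# Next-stage download address reported by Sysdig, per the advisory text.
KNOWN_BAD_ENDPOINTS = {("173.212.205.251", 8443)}

# Last affected and first fixed release, per the advisory text.
LAST_AFFECTED = (1, 8, 1)

# Combined log format: client ident user [ts] "METHOD path PROTO" status size
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


@dataclass
class Hit:
    kind: str     # which rule fired
    source: str   # client IP (access log) or host name (egress record)
    detail: str   # matched path or destination


def scan_access_log(lines):
    """Return one Hit per POST to the public flow-build route.

    A match alone is not proof of compromise: the route is used by legitimate
    public flows, and the access log does not show whether the body carried a
    client-supplied 'data' flow definition. Treat hits as leads to correlate
    with process or egress telemetry from the same window.
    """
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue  # skip malformed or non-combined-format lines
        if m["method"] == "POST" and PUBLIC_BUILD_RE.match(m["path"]):
            hits.append(Hit("public_flow_build", m["client"], m["path"]))
    return hits


def scan_egress(records):
    """records: iterable of (src_host, dst_ip, dst_port). Flags known-bad pairs."""
    return [
        Hit("known_bad_egress", src, f"{ip}:{port}")
        for src, ip, port in records
        if (ip, int(port)) in KNOWN_BAD_ENDPOINTS
    ]


def version_is_affected(version: str) -> bool:
    """True for any release up to and including 1.8.1 (pre-release tags ignored)."""
    parts = []
    for piece in version.split(".")[:3]:
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts) <= LAST_AFFECTED


# Constructed sample access-log lines (not real traffic).
SAMPLE_ACCESS = [
    '10.0.0.5 - - [18/Mar/2026:03:12:41 +0000] "GET /api/v1/flows/8f2c1a3e HTTP/1.1" 200 2048',
    '10.0.0.5 - - [18/Mar/2026:03:12:44 +0000] "POST /api/v1/build_public_tmp/8f2c1a3e/flow HTTP/1.1" 200 512',
    '10.0.0.9 - - [18/Mar/2026:03:13:02 +0000] "POST /api/v1/build/8f2c1a3e/flow HTTP/1.1" 401 0',
    '10.0.0.5 - - [18/Mar/2026:03:14:10 +0000] "GET /api/v1/build_public_tmp/8f2c1a3e/flow HTTP/1.1" 405 0',
]

# Constructed sample egress records: (source host, destination IP, destination port).
SAMPLE_EGRESS = [
    ("langflow-01", "173.212.205.251", 8443),
    ("langflow-01", "140.82.112.3", 443),
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS) + scan_egress(SAMPLE_EGRESS):
        print(hit)
    for v in ("1.8.1", "1.9.0"):
        print(v, "affected" if version_is_affected(v) else "fixed")
```

The access-log rule deliberately ignores the response status: the page describes exploitation through a request the server accepts, so a 200 is the expected outcome, not a filter. Version classification is a triage aid for inventories; it does not replace checking the running build.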

CISA added CVE-2026-33017 to its Known Exploited Vulnerabilities catalog on March 25, 2026, requiring federal agencies to remediate by April 8, 2026. This is the third Langflow critical remote code execution vulnerability added to the catalog since May 2025. The patch in Langflow 1.9.0 removes the data parameter from the public endpoint so that public flows execute only stored server-side flow data.
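The fix described above is a change in where the executed flow definition comes from, not in how it is executed. The following simplified model is an added example and is not Langflow's implementation: a hypothetical `build_public_flow_vulnerable` handler lets a `data` field in the unauthenticated request body replace the stored flow, while `build_public_flow_fixed` rejects that field and executes only the server-side copy looked up by flow id. The flow runner is stubbed by `executed_node_ids`, which just records which nodes would run; the stored flow and the request bodies are constructed samples. Silently dropping the field instead of rejecting it is equally safe, as long as it is never consulted.

```python
"""Simplified model of a public flow-build endpoint (added example, not Langflow code)."""
import json
from typing import Any, Callable

# Constructed sample of flows persisted on the server, keyed by flow id.
STORED_FLOWS: dict[str, dict[str, Any]] = {
    "flow-123": {"nodes": [{"id": "n1", "type": "PromptTemplate"}]},
}


class BadRequest(Exception):
    """Would map to an HTTP 400 in a real handler."""


class NotFound(Exception):
    """Would map to an HTTP 404 in a real handler."""


def build_public_flow_vulnerable(flow_id: str, body: str,
                                 run_flow: Callable[[dict], Any]) -> Any:
    """Weak pattern: a client-supplied 'data' field takes precedence over the
    stored flow, so an unauthenticated caller decides what gets executed."""
    payload = json.loads(body)
    flow = payload.get("data") or STORED_FLOWS.get(flow_id)
    if flow is None:
        raise NotFound(flow_id)
    return run_flow(flow)


def build_public_flow_fixed(flow_id: str, body: str,
                            run_flow: Callable[[dict], Any]) -> Any:
    """Hardened pattern: the request may carry runtime inputs but never a flow
    definition; only the server-side flow identified by flow_id is executed."""
    payload = json.loads(body)
    if "data" in payload:
        raise BadRequest("flow definition must not be supplied by the client")
    flow = STORED_FLOWS.get(flow_id)
    if flow is None:
        raise NotFound(flow_id)
    return run_flow(flow)


def executed_node_ids(flow: dict) -> list[str]:
    """Stand-in for the flow runner: returns the ids of the nodes that would run."""
    return [node["id"] for node in flow["nodes"]]


if __name__ == "__main__":
    # Constructed request that smuggles its own flow definition in 'data'.
    smuggled = json.dumps({"data": {"nodes": [{"id": "client-node"}]}, "inputs": {}})
    print(build_public_flow_vulnerable("flow-123", smuggled, executed_node_ids))
    try:
        build_public_flow_fixed("flow-123", smuggled, executed_node_ids)
    except BadRequest as exc:
        print("rejected:", exc)
    print(build_public_flow_fixed("flow-123", json.dumps({"inputs": {}}), executed_node_ids))
```

The runner is passed in as a parameter so the model stays independent of how nodes are executed; the property worth testing is that, after the fix, nothing the client sends can change which flow definition reaches the runner.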

## Sources

- [Cloud Security Alliance](https://labs.cloudsecurityalliance.org/agentic/csa-research-note-agentic-framework-cves-20260328/)

---
Canonical: https://techandbusiness.org/newswire/WMYow9Ig064KslncDNknQG
Retrieved: 2026-06-27T01:01:26.716Z
Publisher: Tech & Business (techandbusiness.org)
