CVE-2026-33017: CWE-94: Improper Control of Generation of Code ('Code Injection') in langflow-ai langflow
Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.
AI Analysis
Technical Summary
Langflow, a tool for building AI-powered agents and workflows, had a critical code injection vulnerability (CWE-94) in versions before 1.9.0. The POST /api/v1/build_public_tmp/{flow_id}/flow endpoint, intended for building public flows without authentication, improperly accepts an optional data parameter containing attacker-controlled flow definitions. These definitions include arbitrary Python code executed directly with exec() without any sandboxing or validation, enabling unauthenticated remote code execution. This vulnerability is distinct from CVE-2025-3248, which addressed authentication on a different endpoint. The issue was resolved in version 1.9.0.
Potential Impact
An unauthenticated attacker can execute arbitrary Python code on the server running langflow by sending crafted requests to the vulnerable endpoint. This leads to full remote code execution with no authentication required, posing a critical risk to confidentiality, integrity, and availability of the affected system. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
Upgrade langflow to version 1.9.0 or later, where this vulnerability is fixed. Since the vulnerability is resolved in the official release, applying this update fully mitigates the risk. No additional workarounds or mitigations are indicated.
CVE-2026-33017: CWE-94: Improper Control of Generation of Code ('Code Injection') in langflow-ai langflow
Description
Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.
CVSS v4.0
Score 9.3critical
Affected software
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Langflow, a tool for building AI-powered agents and workflows, had a critical code injection vulnerability (CWE-94) in versions before 1.9.0. The POST /api/v1/build_public_tmp/{flow_id}/flow endpoint, intended for building public flows without authentication, improperly accepts an optional data parameter containing attacker-controlled flow definitions. These definitions include arbitrary Python code executed directly with exec() without any sandboxing or validation, enabling unauthenticated remote code execution. This vulnerability is distinct from CVE-2025-3248, which addressed authentication on a different endpoint. The issue was resolved in version 1.9.0.
Potential Impact
An unauthenticated attacker can execute arbitrary Python code on the server running langflow by sending crafted requests to the vulnerable endpoint. This leads to full remote code execution with no authentication required, posing a critical risk to confidentiality, integrity, and availability of the affected system. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
Upgrade langflow to version 1.9.0 or later, where this vulnerability is fixed. Since the vulnerability is resolved in the official release, applying this update fully mitigates the risk. No additional workarounds or mitigations are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-17T17:22:14.666Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69bcda04e32a4fbe5f304681
Added to database: 3/20/2026, 5:24:20 AM
Last enriched: 5/22/2026, 3:05:44 PM
Last updated: 6/18/2026, 4:04:29 PM
Views: 231
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.