CVE-2026-33017: CWE-94: Improper Control of Generation of Code ('Code Injection') in langflow-ai langflow

Severity: Critical
Type: Vulnerability
Tags: CVE-2026-33017, cwe-94, cwe-95, cwe-306
Published: Fri Mar 20 2026 (03/20/2026, 04:52:52 UTC)
Source: CVE Database V5
Vendor/Project: langflow-ai
Product: langflow

Description

CVE-2026-33017 is a critical unauthenticated remote code execution vulnerability in langflow versions prior to 1.9.0. It affects the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint, which is intended to build public AI workflow flows without authentication. The endpoint improperly accepts attacker-supplied flow data containing arbitrary Python code, which is executed via exec() without sandboxing. This allows attackers to execute arbitrary code on the server remotely without any authentication or user interaction. The vulnerability arises from improper control of code generation (CWE-94) and insufficient authentication (CWE-306). It has a CVSS 4.0 score of 9.3, indicating critical severity.

AI-Powered Analysis

Last updated: 03/20/2026, 05:39:13 UTC

Technical Analysis

Langflow is a platform for building and deploying AI-powered agents and workflows. In versions before 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows unauthenticated users to build public flows. This endpoint accepts an optional data parameter that, if supplied, overrides the stored flow data with attacker-controlled input. The flow data includes node definitions that contain arbitrary Python code. The server passes this code directly to Python's exec() function without any sandboxing or validation, enabling remote code execution (RCE).

This vulnerability is a result of improper control over code generation (CWE-94), improper input validation (CWE-95), and lack of authentication on a sensitive operation (CWE-306). Unlike the previous vulnerability CVE-2025-3248, whose fix addressed authentication on a different endpoint, this endpoint remains unauthenticated by design but incorrectly trusts attacker input. Exploiting this flaw allows an unauthenticated attacker to execute arbitrary Python code on the server hosting langflow, potentially leading to full system compromise. The vulnerability has been assigned CVE-2026-33017 and carries a CVSS 4.0 score of 9.3, reflecting its critical nature. The issue was resolved in langflow version 1.9.0, presumably by restricting or sanitizing input or by requiring authentication. No public exploits have been observed yet, but the vulnerability is straightforward to exploit because it requires no authentication or user interaction.

Potential Impact

The vulnerability allows unauthenticated remote attackers to execute arbitrary Python code on servers running vulnerable versions of langflow. This can lead to complete system compromise, including data theft, destruction, or manipulation, installation of persistent backdoors, lateral movement within networks, and disruption of AI workflow services. Organizations using langflow to build or deploy AI agents are at risk of losing confidentiality, integrity, and availability of their systems and data. Since the endpoint is designed to be unauthenticated for public flows, it is likely exposed to the internet, increasing the attack surface. The impact is especially severe for organizations relying on langflow in production environments or those handling sensitive data. Additionally, attackers could leverage this vulnerability to pivot into internal networks or use compromised servers as a foothold for further attacks. The lack of known exploits in the wild currently reduces immediate risk, but the critical severity and ease of exploitation make this a high-priority issue to address.

Mitigation Recommendations

1. Upgrade langflow to version 1.9.0 or later immediately to apply the official fix.
2. If upgrading is not immediately possible, restrict network access to the vulnerable endpoint by implementing firewall rules or API gateways that block unauthenticated access to /api/v1/build_public_tmp/{flow_id}/flow.
3. Implement runtime application self-protection (RASP) or web application firewalls (WAF) with custom rules to detect and block suspicious payloads containing Python code or exec() usage patterns.
4. Conduct thorough code audits and penetration testing focused on endpoints that accept code or workflow definitions to identify similar injection flaws.
5. Monitor logs for unusual activity related to the vulnerable endpoint, such as unexpected POST requests with data parameters containing code-like strings.
6. Employ network segmentation to isolate servers running langflow from critical infrastructure to limit lateral movement in case of compromise.
7. Educate developers and administrators about the risks of executing untrusted code and enforce secure coding practices, including sandboxing and strict input validation.
8. Consider deploying runtime monitoring tools that can detect anomalous process executions or unauthorized code execution attempts on langflow hosts.
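One way to apply items 2, 3 and 5 at a gateway or in log triage is to flag POSTs to the endpoint whose JSON body supplies the `data` override described in the technical analysis. This is an added example, not Langflow or OffSeq code. It assumes a proxy that exposes the method, request target and raw body; the record layout, the function names and the sample requests are constructed for illustration.

```python
import json
import re
from typing import Optional
from urllib.parse import urlsplit

# Endpoint named in the advisory; {flow_id} is matched as one path segment.
BUILD_PUBLIC = re.compile(r"^/api/v1/build_public_tmp/([^/]+)/flow/?$")


def classify(method: str, target: str, body: bytes) -> Optional[dict]:
    """Return a finding for POSTs to the public build endpoint, else None.

    verdict: 'override' if the JSON body supplies flow data,
    'unparseable' if the body cannot be inspected, 'plain' otherwise.
    """
    match = BUILD_PUBLIC.match(urlsplit(target).path)  # query string ignored
    if method.upper() != "POST" or not match:
        return None
    finding = {"flow_id": match.group(1), "verdict": "plain"}
    if not body.strip():
        return finding
    try:
        doc = json.loads(body)
    except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
        finding["verdict"] = "unparseable"  # suspicious, never treated as clean
        return finding
    if isinstance(doc, dict) and doc.get("data") is not None:
        finding["verdict"] = "override"
    return finding


# Constructed sample records (hypothetical proxy log with body capture).
EP = "/api/v1/build_public_tmp/flow-a/flow"
SAMPLE_RECORDS = [
    {"src": "198.51.100.4", "method": "POST", "target": EP, "body": b'{"inputs": null}'},
    {"src": "203.0.113.7", "method": "POST", "target": EP + "?x=1",
     "body": b'{"data": {"nodes": [], "edges": []}}'},
    {"src": "203.0.113.7", "method": "POST", "target": EP, "body": b'{"data": '},
    {"src": "198.51.100.4", "method": "GET", "target": EP, "body": b""},
    {"src": "198.51.100.9", "method": "POST", "target": EP, "body": b'{"data": null}'},
]


def triage(records):
    """Return (src, flow_id, verdict) for each request an analyst should review."""
    hits = []
    for rec in records:
        finding = classify(rec["method"], rec["target"], rec["body"])
        if finding and finding["verdict"] != "plain":
            hits.append((rec["src"], finding["flow_id"], finding["verdict"]))
    return hits
```

A gateway can reject requests classified as `override` or `unparseable` until the upgrade to 1.9.0 is in place; the same function works over archived request logs to look for earlier attempts.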

Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-17T17:22:14.666Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69bcda04e32a4fbe5f304681

Added to database: 3/20/2026, 5:24:20 AM

Last enriched: 3/20/2026, 5:39:13 AM

Last updated: 3/20/2026, 3:40:08 PM

Views: 14
