CVE-2026-33017: Unauthenticated RCE in Langflow via build_public_tmp Endpoint
Executive Summary
Langflow, a popular framework for orchestrating AI agents and workflows, suffered a critical break in its security model. The vulnerability, tracked as CVE-2026-33017, allows an external, unauthenticated attacker to execute arbitrary Python code on the host server. By manipulating the data parameter of a specific public-facing endpoint, attackers can bypass the intended flow-loading logic and force the application to evaluate malicious payloads.
This flaw falls under CWE-94 (Improper Control of Generation of Code) and CWE-306 (Missing Authentication), resulting in a CVSS v3.1 score of 9.8. The ease of exploitation and the high-privileged nature of the execution environment make this a top-tier threat for organizations deploying Langflow for AI automation.
Technical Analysis
The vulnerability resides in the implementation of the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint. This endpoint is designed to allow the construction of “public” flows, which inherently requires an unauthenticated state to fulfill its purpose.
The core failure occurs during the processing of flow data. The application expects to load flow definitions from its internal database based on the {flow_id}. However, the endpoint provides an optional data parameter. When this parameter is present, Langflow prioritizes this attacker-controlled input over the database record.
Internally, Langflow processes these “nodes” by evaluating the Python code contained within the node definitions to build the graph. Because the application uses exec() with zero sandboxing or validation of the input data, any Python code embedded in the data parameter is executed with the permissions of the Langflow process.
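The trust decision described above, as an added example that is not Langflow's own code: a simplified model in which every name (STORED_FLOWS, build_nodes, both handler functions) is hypothetical and the request body is a constructed, harmless marker. The hardened handler models only the removal of trust in the data parameter, not the authentication change.

```python
# Simplified model of the trust decision; all names are hypothetical, not Langflow source.
STORED_FLOWS = {  # constructed stand-in for the flow database
    "public-demo": {"nodes": [{"id": "n1", "code": "result = 'stored component built'"}]},
}

# Constructed, harmless request body: the node code only sets a marker string.
UNTRUSTED_BODY = {
    "data": {"nodes": [{"id": "x", "code": "result = 'request-supplied code ran'"}]}
}


def build_nodes(flow):
    """Model of graph building: every node's code string is evaluated with exec()."""
    outputs = []
    for node in flow["nodes"]:
        scope = {}
        exec(node["code"], scope)  # no sandbox: runs with the server process's privileges
        outputs.append(scope.get("result"))
    return outputs


def build_public_vulnerable(flow_id, body):
    """Flawed order of trust: a client-supplied 'data' object wins over the stored flow."""
    flow = body.get("data") or STORED_FLOWS.get(flow_id)
    if flow is None:
        raise KeyError(flow_id)
    return build_nodes(flow)


def build_public_hardened(flow_id, body):
    """Unauthenticated path builds only flows already stored server-side."""
    if "data" in body:
        raise PermissionError("client-supplied flow data is not accepted on this endpoint")
    if flow_id not in STORED_FLOWS:
        raise KeyError(flow_id)
    return build_nodes(STORED_FLOWS[flow_id])


if __name__ == "__main__":
    # The flow_id does not exist, yet the request-supplied code still runs.
    print(build_public_vulnerable("no-such-flow", UNTRUSTED_BODY))
    try:
        build_public_hardened("public-demo", UNTRUSTED_BODY)
    except PermissionError as err:
        print("rejected:", err)
    print(build_public_hardened("public-demo", {}))
```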
Exploitation Flow
The attack vector is straightforward and requires no credentials:
- Target Identification: The attacker identifies a Langflow instance running a version prior to 1.9.0.
- Payload Crafting: A JSON payload is constructed for the data parameter. This payload contains node definitions where the logic is replaced with a malicious Python script (e.g., a reverse shell or a credential exfiltration script).
- Request Dispatch: The attacker sends a POST request to /api/v1/build_public_tmp/[random_id]/flow containing the crafted data object.
- Execution: The server receives the request, ignores the flow_id (since data is provided), and passes the malicious Python snippet directly into exec().
- RCE: The code executes on the server, granting the attacker full control over the environment.
Forensic Investigation
From a digital forensics and incident response (DFIR) perspective, this vulnerability leaves specific traces:
Log Analysis
Analyze HTTP server logs (Nginx, Apache, or Langflow internal logs) for:
- POST requests to /api/v1/build_public_tmp/.
- Unusually large request bodies for the flow endpoint.
- 200 OK responses to these requests from unknown external IPs.
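One way to apply these three checks to an access log, as an added example that is not part of the original write-up. It assumes the combined log format with the request length appended as a final field (the default combined format records only the response size); the sample lines, the trusted networks and the 4096-byte threshold are constructed for illustration.

```python
import ipaddress
import re

# Assumed layout: combined log format plus a trailing request-length field.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "[^"]*" (?P<req_len>\d+)$'
)
ENDPOINT = re.compile(r"^/api/v1/build_public_tmp/[^/]+/flow(?:\?.*)?$")

SAMPLE_LOG = [  # constructed lines using documentation address ranges
    '203.0.113.7 - - [12/Mar/2026:10:01:02 +0000] "POST /api/v1/build_public_tmp/3f2a/flow HTTP/1.1" 200 512 "-" "python-requests/2.31" 9120',
    '10.0.0.5 - - [12/Mar/2026:10:02:00 +0000] "POST /api/v1/build_public_tmp/77aa/flow HTTP/1.1" 200 498 "-" "Mozilla/5.0" 310',
    '198.51.100.9 - - [12/Mar/2026:10:03:10 +0000] "GET /api/v1/build_public_tmp/77aa/flow HTTP/1.1" 405 0 "-" "curl/8.5" 120',
    '198.51.100.9 - - [12/Mar/2026:10:04:10 +0000] "POST /api/v1/login HTTP/1.1" 401 0 "-" "curl/8.5" 200',
]


def triage(lines, trusted=("10.0.0.0/8", "192.168.0.0/16"), large_body=4096):
    """Return one record per POST to the public build endpoint, with the flags it raised."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    hits = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m["method"] != "POST" or not ENDPOINT.match(m["path"]):
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # first field is a hostname or is malformed; review such lines by hand
        flags = []
        if not any(ip in net for net in nets):
            flags.append("external-source")
        if m["status"] == "200":
            flags.append("accepted-200")
        if int(m["req_len"]) >= large_body:
            flags.append("large-request")
        hits.append({"ip": m["ip"], "time": m["ts"], "path": m["path"], "flags": flags})
    return hits


def high_priority(hits):
    """Requests that came from outside the trusted networks and were answered with 200."""
    return [h for h in hits if {"external-source", "accepted-200"} <= set(h["flags"])]


if __name__ == "__main__":
    for hit in high_priority(triage(SAMPLE_LOG)):
        print(hit)
```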
Process Monitoring
Check for anomalous child processes spawned by the Langflow process:
- Unexpected /bin/sh, /bin/bash, or python subprocesses.
- Network connections initiated by the Langflow user to unfamiliar external IP addresses (C2 communication).
File System Integrity
Search for typical RCE artifacts:
- Unexpected files in /tmp or /var/tmp.
- Modification of .bashrc or the addition of new SSH keys in ~/.ssh/authorized_keys.
Detection
Network Detection
Deploy signatures to detect the specific endpoint usage combined with common Python execution keywords.
Snort/Suricata Rule Suggestion:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Possible Langflow RCE attempt (CVE-2026-33017)"; content:"POST"; http_method; content:"/api/v1/build_public_tmp/"; http_uri; content:"__import__"; http_client_body; sid:1000001; rev:1;)
Threat Hunting (KQL/Splunk)
Search for any POST activity on the vulnerable endpoint:
index=web_logs method=POST uri_path="*/api/v1/build_public_tmp/*/flow"
Mitigation
- Immediate Update: Upgrade Langflow to version 1.9.0 or later. This release implements strict authentication and removes the dangerous trust in the data parameter for this endpoint.
- Network Segmentation: Restrict access to the Langflow API to known internal IP addresses or a VPN.
- Runtime Protection: Employ a syscall monitor (like Falco) to detect and block unexpected process execution from the Langflow container.
- Least Privilege: Ensure Langflow is running as a non-privileged user in a containerized environment with a read-only root filesystem where possible.
Tools for Analysis
- Burp Suite: For intercepting and manipulating the data parameter.
- Sysdig: For analyzing the runtime impact and container escape attempts.
- Grep/Ripgrep: For searching logs for the /api/v1/build_public_tmp/ pattern.
Sources
- NVD: CVE-2026-33017
- GitHub Security Advisory: GHSA-vwmf-pq79-vjvx
- Technical Analysis by Aviral: Medium Article
- Sysdig Blog: Compromised Langflow Pipelines