TL;DR

CVE-2026-33017 — an unauthenticated remote code execution flaw in Langflow, the popular open-source visual builder for AI-agent / RAG pipelines. The public flow-build endpoint (build_public_tmp) executes user-controlled input inside a Python context with no authentication, so a single crafted HTTP request runs arbitrary code on any exposed instance. Rated CVSS 9.8 (critical) and added to CISA's Known Exploited Vulnerabilities (KEV) catalog; Sysdig honeypots saw exploitation ~20 hours after disclosure, built straight from the advisory text with no public PoC. Beware the incomplete fix: JFrog confirmed 1.8.2 is still exploitable — you must be on 1.9.0 (or langflow-nightly ≥ 1.9.0.dev18).

What happened

Langflow disclosed CVE-2026-33017 on 2026-03-17. The root cause is unsafe handling of user-controlled input in the public flow-build endpoint (build_public_tmp): the input is evaluated within a Python execution context without sufficient sanitization, giving an unauthenticated attacker arbitrary code execution with a single HTTP request and no credentials required.

Exploitation was nearly immediate. Per Sysdig's Threat Research Team, attackers began scanning for vulnerable instances roughly 20 hours after the advisory published, ran Python-based exploitation within ~21 hours, and started harvesting .env and .db files within ~24 hours. Observed post-exploitation included stealing AWS keys and deploying a NATS messaging worker as scalable C2 — a "SaaS-style" cybercrime pattern. CISA added the flaw to its KEV catalog (federal remediation deadline April 8, 2026).

Incomplete-fix warning: Langflow 1.8.2 was widely reported as the patched version, but JFrog Security Research confirmed 1.8.2 remains exploitable. Only 1.9.0 properly closes the hole. JFrog's testing showed langflow-nightly 1.9.0.dev18 effective as an interim mitigation; if you cannot upgrade cleanly, uninstalling Langflow until on 1.9.0+ is the safe move.

This is the same rapid-exploitation pattern as the PraisonAI auth bypass: AI-agent frameworks now get weaponized within hours-to-a-day of disclosure.

Am I affected?

# Check installed Langflow version (must be >= 1.9.0)
pip show langflow 2>/dev/null | grep -E '^(Name|Version):'

# Is a Langflow instance exposed on the network?
ss -tlnp 2>/dev/null | grep -E ':7860|:7861'   # default Langflow ports
ps eww | grep -i '[l]angflow'

If you ran a Langflow version before 1.9.0 reachable from anything other than localhost, assume compromise: check for unexpected outbound connections (NATS / unknown brokers), exfiltrated .env/.db files, and unfamiliar processes/workers.

IOCs

Type Value
CVE CVE-2026-33017
CVSS 9.8 (critical); CISA KEV-listed
Vulnerable endpoint public flow-build (build_public_tmp)
Affected versions all before 1.9.0 — 1.8.2 is NOT a complete fix
Fixed version langflow 1.9.0 (interim: langflow-nightly ≥ 1.9.0.dev18)
Post-exploit TTP AWS key theft; NATS worker as C2; .env/.db harvesting
Disclosure-to-exploit ~20 hours

If you are affected

playbooks/rotating-cloud-credentials.md — AWS keys first. → playbooks/if-you-installed-a-bad-npm-package.md — generic host-compromise triage (rotation logic applies to any RCE).

Prevention

prevention/agent-sandboxing.mdprevention/credential-hygiene.md → Never expose AI-agent / pipeline-builder dev servers to the public internet. Default-bind to 127.0.0.1, front with authenticated reverse proxy or a tunnel. Treat disclosure-to-exploit as < 24 hours for AI-agent frameworks and prioritize their security updates. Verify that a "patched" release actually fixes the issue — read the researcher follow-up (cf. the 1.8.2 incomplete fix here).

Sources