GitHub Advisory — Langflow public flow build RCE (CVE-2026-33017)
AI relevance: Langflow is deployed to build and operate LLM/RAG workflows, so unauthenticated code execution in its public build path turns exposed AI orchestration nodes into direct initial-access points.
- CVE-2026-33017 (CVSS 9.3) affects Langflow’s public flow build endpoint.
- The vulnerable route accepts unauthenticated requests and can process attacker-controlled flow node definitions.
- An attacker can inject Python payloads that execute on the Langflow host.
- Sysdig reports exploitation activity started roughly 20 hours after disclosure.
- Observed post-exploitation behavior included API key, cloud credential, and config harvesting.
- Internet-exposed Langflow instances are high risk because exploitation does not require prior account compromise.
- For AI teams, this is a reminder that "workflow builders" are production attack surface, not just developer tooling.
Why it matters
Langflow commonly sits near model endpoints, vector stores, and secret-bearing connectors. A pre-auth RCE in that layer gives attackers a fast path to data theft and lateral movement across AI infrastructure. The short time-to-exploit also shows that advisory publication alone is enough for rapid weaponization when vulnerable endpoints are reachable from the internet.
What to do
- Patch immediately: upgrade Langflow to a fixed version referenced in the advisory.
- Remove direct exposure: block public access to build/admin endpoints behind VPN, IP allowlists, or zero-trust access.
- Rotate potentially exposed secrets: API keys, cloud credentials, DB passwords, and tokens on affected hosts.
- Harden runtime isolation: run Langflow with least privilege, restricted egress, and container/AppArmor/SELinux constraints.
- Add detection: alert on suspicious requests to /api/v1/build_public_tmp/ and unusual outbound traffic from Langflow nodes.
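As an added detection example (not code from the advisory or the Langflow project), the script below parses constructed access-log lines and flags requests to the public build endpoint that originate outside an allowlist of trusted networks. The combined-log-style format, the sample lines and the 10.0.0.0/8 trusted range are assumptions for illustration.

```python
import ipaddress
import re

# Endpoint path prefix named in the advisory summary above.
BUILD_PUBLIC_PREFIX = "/api/v1/build_public_tmp/"

# Assumed combined-log-style line: client IP, timestamp, request line, status, size, referer, UA.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_trusted(ip, allowed_networks):
    """True when the client address falls inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowed_networks)

def find_suspicious_builds(lines, allowed_cidrs):
    """Return one finding per request that hits BUILD_PUBLIC_PREFIX from an untrusted IP.

    Malformed lines are skipped rather than raised on, so a single odd log entry
    does not stop the scan; any hit from outside the allowlist is worth an alert
    because the endpoint is reachable without authentication.
    """
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(BUILD_PUBLIC_PREFIX):
            continue
        if is_trusted(rec["ip"], allowed):
            continue
        findings.append({k: rec[k] for k in ("ip", "ts", "method", "path", "status", "ua")})
    return findings

# Constructed sample lines (not real traffic); 10.0.0.0/8 plays the trusted internal range.
SAMPLE_LINES = [
    '10.0.4.12 - - [12/Mar/2026:10:14:22 +0000] "POST /api/v1/build_public_tmp/f1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2026:10:14:30 +0000] "POST /api/v1/build_public_tmp/f2 HTTP/1.1" 200 640 "-" "python-requests/2.31"',
    '203.0.113.7 - - [12/Mar/2026:10:14:31 +0000] "GET /health HTTP/1.1" 200 16 "-" "python-requests/2.31"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for f in find_suspicious_builds(SAMPLE_LINES, ["10.0.0.0/8"]):
        print(f"ALERT untrusted {f['ip']} at {f['ts']}: {f['method']} {f['path']} ({f['ua']})")
```

Feed real web-server or reverse-proxy logs through the same functions and pair the alert with egress monitoring on the Langflow host, since the harvesting behaviour described above shows up as unexpected outbound connections.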