hypeorhack
← back

CVE-2026-33017

CRITICAL · 9.8 KEV EPSS 98.4%
hype LIKELY HACK · 82 hack

KEV+working PoC+vendor patch+confirmed Monero/credential theft campaigns offset some sensationalized framing.

What: Langflow unauthenticated remote code execution (CVE-2026-33017, CVSS 9.8) in the POST /api/v1/build_public_tmp endpoint—accepts attacker-supplied Python code executed without sandboxing in versions prior to 1.9.0.

Why it matters: KEV-listed as of 25 March 2026; confirmed in-the-wild exploitation documented by Sysdig TRT and Trend Micro, including Monero cryptominer deployment and AWS credential theft via KeyHunter botnet using NATS-as-C2. Vendor patched (1.9.0 released).

Where it's seen: Security research reports (Sysdig, Trend Micro, gbhackers) detailing active campaigns; multiple threat-intel posts citing IOCs and C2 infrastructure; social chatter mixing legitimate threat reports with marketing-inflected "AI gateway" framing.

RISK: CRITICAL — KEV-listed, CVSS 9.8, EPSS 0.98, unauthenticated RCE, active in-the-wild exploitation confirmed.

Generated by claude-haiku-4-5 from public posts and authoritative metadata. AI can make mistakes — verify against vendor advisories before acting. 6/23/2026, 2:09:37 PM

Description

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.

CVSS 3.1 breakdown

Exploitability 3.9 · Impact 5.9
vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack vector
Network
Complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Affected versions

  • langflow/langflow
    • < 1.8.2

Weaknesses

Vendors

  • langflow

Products

  • langflow

References

Third-party advisories · 4