Critical Langflow Flaw CVE-2026-33017 Triggers Attacks within 20 Hours of Disclosure

2026-03-20

1 min read

by info@thehackernews.com (The Hacker News)

Read Original

Get the latest tech trends every morning

Receive daily AI-curated summaries of engineering articles from top tech companies worldwide.

Endigest AI Core Summary

A critical unauthenticated remote code execution vulnerability (CVE-2026-33017, CVSS 9.3) in Langflow was actively exploited within 20 hours of public disclosure.

•The flaw in the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows attackers to inject arbitrary Python code executed via exec() with no authentication required.
•All Langflow versions up to and including 1.8.1 are affected; a partial fix exists in development version 1.9.0.dev8.
•Attackers built working exploits directly from the advisory with no public PoC, harvesting credentials, environment variables, and .env file contents.
•Threat actors moved from automated scanning to custom Python scripts, delivering next-stage payloads from a remote IP address.
•

Critical Langflow Flaw CVE-2026-33017 Triggers Attacks within 20 Hours of Disclosure

Get the latest tech trends every morning

Endigest AI Core Summary

Related Articles

China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing

Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers

UNC1069 Social Engineering of Axios Maintainer Led to npm Supply Chain Attack

Why Third-Party Risk Is the Biggest Gap in Your Clients' Security Posture