CISA adds Langflow CVE-2026-33017 to KEV after active RCE exploitation

Photo by protect.computer (custom explainer graphic) on protect.computer

What happened

CISA added CVE-2026-33017 (Langflow Code Injection Vulnerability) to the Known Exploited Vulnerabilities (KEV) catalog on March 25, 2026, citing evidence of active exploitation.

Per the Langflow advisory, affected versions before 1.9.0 expose an unauthenticated public-flow build endpoint (POST /api/v1/build_public_tmp/{flow_id}/flow) that can execute attacker-supplied Python code. In practice, this can become unauthenticated remote code execution on internet-exposed Langflow instances.

NVD now reflects the KEV status and lists remediation guidance tied to CISA BOD 22-01 timelines for federal agencies.

Why this matters

Langflow is often connected to high-value secrets and systems (LLM API keys, cloud credentials, databases, internal services). If attackers get code execution in that environment, the impact can quickly go beyond one container or VM.

Because the vulnerable endpoint is intended for public-flow functionality, simply putting a login wall on everything may break existing workflows. Teams need to patch and re-validate exposure paths, not just rely on partial access controls.

How to check if you’re affected

Potentially affected systems/services

• Langflow deployments running versions prior to 1.9.0.
• Internet-exposed Langflow instances, especially those using public flows.
• Environments where Langflow has access to cloud/API/database secrets.

Concrete verification steps (10–20 minute triage)

1. Confirm version and upgrade state

   • Check your deployed Langflow version across production, staging, and demo/lab hosts.
   • Treat anything older than 1.9.0 as vulnerable until updated.

2. Check exposure of the vulnerable endpoint

   • Verify whether /api/v1/build_public_tmp/{flow_id}/flow is reachable from untrusted networks.
   • Confirm whether reverse proxies/WAF rules are actually restricting this route.

3. Review logs for suspicious POST activity

   • Hunt for unusual or repeated POST requests to /api/v1/build_public_tmp/.
   • Flag requests followed by abnormal process creation, shell execution, or outbound callbacks.

4. Assume secret exposure if compromise is suspected

   • Rotate API keys, tokens, DB credentials, and cloud secrets available to the Langflow runtime.
   • Invalidate long-lived credentials and review IAM activity for unauthorized use.

5. Contain and harden

   • Patch to a fixed version and verify endpoint behavior after deployment.
   • Restrict external access to Langflow behind authenticated gateways/network allowlists.
   • Segment Langflow from sensitive internal systems where possible.

Immediate defensive actions

• Prioritize patching vulnerable Langflow instances now, especially internet-facing nodes.
• If rapid patching is blocked, remove public exposure and apply strict temporary access controls.
• Conduct post-patch threat hunting for signs of credential theft and suspicious outbound traffic.

Sources

• https://www.cisa.gov/news-events/alerts/2026/03/25/cisa-adds-one-known-exploited-vulnerability-catalog
• https://github.com/langflow-ai/langflow/security/advisories/GHSA-vwmf-pq79-vjvx
• https://nvd.nist.gov/vuln/detail/CVE-2026-33017
• https://www.sysdig.com/blog/cve-2026-33017-how-attackers-compromised-langflow-ai-pipelines-in-20-hours

Bottom line

CVE-2026-33017 moved from advisory to KEV, which means defenders should treat it as active-risk exposure, not theoretical debt. If Langflow is exposed and unpatched, assume attackers can test and exploit it quickly.