CVE-2026-33017 — AI Deep Analysis Summary

🚨 **Essence**: Langflow < 1.9.0 has a critical RCE flaw. The `/api/v1/build_public_tmp/{flow_id}/flow` endpoint accepts attacker-controlled flow data and passes it to `exec()`.…

🛡️ **Root Cause**: CWE-94 (Code Injection). The vulnerability stems from unsafe use of the `exec()` function.…

📦 **Affected**: Langflow versions **prior to 1.9.0**. Specifically, the `langflow-ai/langflow` product. If you are running an older version, you are at risk.

💻 **Attacker Capabilities**: Full Remote Code Execution (RCE). Privileges: Equivalent to the Langflow service user. Data: Can read/write files, exfiltrate data, or pivot to internal networks. No authentication required.

⚡ **Exploitation Threshold**: **LOW**. It is **Unauthenticated**. Attackers do not need login credentials. They just need network access to the `/api/v1/build_public_tmp/` endpoint.…

🔍 **Public Exploit**: **YES**. A Nuclei template is available on GitHub (projectdiscovery/nuclei-templates). Proof-of-Concept (PoC) involves submitting a manipulated flow JSON containing Python code.…

🔎 **Self-Check**: 1. Check your Langflow version (`< 1.9.0`). 2. Scan for the endpoint `/api/v1/build_public_tmp/`. 3. Use the provided Nuclei template to test for RCE. 4. Review logs for unexpected `exec()` calls.

✅ **Official Fix**: **YES**. Patched in **Langflow 1.9.0**. See GitHub Advisory GHSA-rvqx-wpfh-mfx7 and commit 73b6612. Upgrade immediately to the fixed version.

🚧 **No Patch Workaround**: 1. **Block Access**: Restrict network access to the `/api/v1/build_public_tmp/` endpoint via firewall/WAF. 2. **Disable Endpoint**: If possible, disable public flow building features. 3.…

🔥 **Urgency**: **CRITICAL**. Unauthenticated RCE is a top-tier threat. With public PoCs available, automated attacks are imminent. **Priority: Patch Immediately.** Do not wait.