A critical security vulnerability in the open-source AI workflow platform Langflow was actively exploited by threat actors within 20 hours of its public disclosure. This rapid weaponization shows how quickly malicious actors can turn newly published vulnerability details into attacks. The flaw, assigned CVE-2026-33017 with a CVSS score of 9.3, combines missing authentication with code injection, leading to unauthenticated remote code execution (RCE).
According to the official advisory, the vulnerability resides in the `POST /api/v1/build_public_tmp/{flow_id}/flow` endpoint. This endpoint, designed to build public Langflow workflows, did not require any authentication. Crucially, when an optional `data` parameter was supplied in a request, the system would use this attacker-controlled data—which could contain arbitrary Python code within node definitions—instead of the legitimate flow data stored in the database. This user-supplied code was then passed directly to Python's `exec()` function without any sandboxing or security restrictions, granting attackers the ability to execute arbitrary commands on the underlying server. The flaw impacts all versions of Langflow up to and including version 1.8.1, with a fix available in the development version 1.9.0.dev8.
Security researcher Aviral Srivastava, who discovered and reported the flaw on February 26, 2026, clarified that CVE-2026-33017 is distinct from a previous critical Langflow bug, CVE-2025-3248 (CVSS score: 9.8). The earlier vulnerability abused the `/api/v1/validate/code` endpoint for unauthenticated code execution. Srivastava noted that while the two flaws are different, CVE-2026-33017 shares a common root cause: the unsafe use of the `exec()` function. He explained that the vulnerable endpoint's public nature made a simple authentication requirement an impractical fix, as it would break the core functionality of serving public workflows. The correct remediation, as implemented, was to entirely remove the optional `data` parameter from the public endpoint, forcing it to only execute pre-stored, server-side flow data.
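For defenders reviewing traffic to the endpoint described above, the following added example (not code from Langflow or the advisory) flags requests to the public build endpoint that carry their own `data`. It assumes a reverse proxy that logs request bodies as JSON lines with hypothetical field names `src`, `method`, `url` and `body`, and that the parameter arrives as a top-level `data` key in a JSON body.

```python
import json
import re

# Endpoint path from the advisory; the {flow_id} segment is captured.
PUBLIC_BUILD = re.compile(r"^/api/v1/build_public_tmp/([^/]+)/flow/?$")

def classify(method, url, body):
    """Return (verdict, flow_id): 'ignore', 'ok', 'suspicious' or 'unparseable'."""
    match = PUBLIC_BUILD.match(url.split("?", 1)[0])
    if method.upper() != "POST" or not match:
        return ("ignore", None)
    flow_id = match.group(1)
    if not body or not body.strip():
        return ("ok", flow_id)           # nothing supplied, stored flow is used
    try:
        doc = json.loads(body)
    except ValueError:
        return ("unparseable", flow_id)  # review by hand, do not assume benign
    if not isinstance(doc, dict):
        return ("unparseable", flow_id)
    # Assumption: the optional parameter is a top-level "data" key in the body.
    if doc.get("data") is not None:
        return ("suspicious", flow_id)   # caller supplied its own flow definition
    return ("ok", flow_id)

def scan(log_lines):
    """Return (src, flow_id, verdict) for every record that needs review."""
    findings = []
    for line in log_lines:
        rec = json.loads(line)
        verdict, flow_id = classify(rec["method"], rec["url"], rec.get("body", ""))
        if verdict in ("suspicious", "unparseable"):
            findings.append((rec["src"], flow_id, verdict))
    return findings

# Constructed sample records: documentation-range addresses, made-up flow ids and keys.
BUILD = "/api/v1/build_public_tmp/{}/flow"
SAMPLE_LOG = [json.dumps(r) for r in (
    {"src": "192.0.2.10", "method": "POST", "url": BUILD.format("flow-a"), "body": ""},
    {"src": "198.51.100.7", "method": "POST", "url": BUILD.format("flow-a") + "?x=1",
     "body": '{"data": {"nodes": []}}'},
    {"src": "192.0.2.11", "method": "POST", "url": BUILD.format("flow-b"),
     "body": '{"other": {}, "data": null}'},
    {"src": "203.0.113.5", "method": "POST", "url": BUILD.format("flow-b"), "body": "{not json"},
    {"src": "192.0.2.12", "method": "GET", "url": "/api/v1/flows/", "body": ""},
)]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

On a patched instance the `data` parameter is no longer accepted, so a hit there indicates probing rather than compromise; on version 1.8.1 or earlier each hit warrants incident review of the host.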
The swift exploitation of CVE-2026-33017 mirrors the fate of the earlier CVE-2025-3248, which the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed is also under active attack. This pattern highlights a critical challenge in the vulnerability disclosure lifecycle. The window between public disclosure of a critical flaw and the onset of widespread attacks is shrinking dramatically, often to within a single day. For organizations using affected software, this creates immense pressure to apply patches or implement mitigations almost instantaneously to avoid compromise.
This incident serves as a stark reminder for developers and organizations, particularly in the rapidly evolving AI/ML tooling space. It emphasizes the importance of secure coding practices, such as rigorous input validation, the principle of least privilege, and avoiding dangerous functions like `exec()` on user-supplied input. For security teams, it reinforces the need for robust asset inventory and patch management processes capable of responding to critical threats on an emergency timeline. The convergence of highly accessible AI platforms and rapidly weaponized vulnerabilities presents a significant and growing attack surface that requires vigilant defense.



