CISA adds actively exploited Langflow flaw to KEV as unauthenticated RCE risk grows


CISA has added CVE-2026-33017, a critical Langflow vulnerability, to its Known Exploited Vulnerabilities catalog after confirming active exploitation. The flaw affects Langflow, an open-source low-code platform used to build AI and large language model workflows, and it can let unauthenticated attackers execute arbitrary code through a public flow-building endpoint.

The risk is serious because the vulnerable endpoint does not require valid credentials. Langflow’s official advisory says the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint can accept attacker-controlled flow data, and that data can reach exec() without sandboxing, resulting in unauthenticated remote code execution.

CISA’s KEV entry raises the urgency even more. Once a flaw lands in the catalog, federal civilian agencies must either fix it by the deadline or stop using the affected product under Binding Operational Directive 22-01. For this Langflow issue, CISA set an April 8, 2026 remediation deadline.

What CVE-2026-33017 actually does

This vulnerability is not just a generic code injection bug. Langflow’s advisory says the problem sits in the public flow build feature, which is meant to stay unauthenticated for public flows, but incorrectly accepts attacker-supplied flow data instead of only using stored server-side data. That lets an attacker inject malicious Python code into node definitions and have the server execute it.

The weakness maps to several well-known security categories. Public records tie the issue to improper control of generated code, improper evaluation of injected directives, and missing authentication for a critical function. Those weaknesses explain why the bug carries such a high severity rating. NVD shows a CVSS 3.1 score of 9.8, while the GitHub CNA record rates it 9.3 under CVSS 4.0.

That combination makes Langflow deployments exposed to the internet especially risky. Because the platform often connects AI workflows to models, APIs, databases, and internal systems, a successful compromise could give an attacker a foothold inside sensitive automation pipelines. That impact is an inference based on Langflow’s role and the advisory’s confirmation of unauthenticated code execution.

Patch guidance and a version caveat

Langflow’s security advisory says the issue is fixed in version 1.9.0. NVD repeats that fixed-version guidance, which makes 1.9.0 the safest version target based on the current official records.

There is, however, one detail defenders should note. A public GitHub issue opened after release claims the flaw remained exploitable in Langflow 1.8.2 despite release notes suggesting otherwise. That claim came from a researcher report and not from CISA, so the clearest guidance remains to upgrade to 1.9.0 or later rather than relying on earlier partial fixes.

For organizations that cannot patch immediately, CISA’s usual KEV guidance applies. Agencies covered by BOD 22-01 must remediate by the deadline or discontinue use of the affected software until they can secure it properly. Private-sector organizations are not bound by that order, but the KEV listing still signals real-world attacker activity and a high patch priority.

Langflow vulnerability summary

| Item | Verified detail |
| --- | --- |
| CVE | CVE-2026-33017 |
| Product | Langflow |
| Vulnerability type | Unauthenticated remote code execution through public flow build endpoint |
| CISA status | Added to KEV on March 25, 2026 |
| Exploitation | Active exploitation confirmed by CISA |
| Official fixed version | Langflow 1.9.0 |
| Federal remediation deadline | April 8, 2026 |
| Main affected endpoint | POST /api/v1/build_public_tmp/{flow_id}/flow |

What defenders should do now

  • Upgrade Langflow to version 1.9.0 or later.
  • Check whether any Langflow instance is exposed to the public internet. This is a sensible mitigation step based on the flaw’s unauthenticated nature.
  • Review logs for suspicious requests to the public flow-building endpoint and related execution activity. This recommendation follows directly from the affected endpoint named in the advisory.
  • If patching is not possible, follow CISA’s KEV remediation model and remove the product from service until you can apply a verified fix.
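The log-review and version checks above can be scripted. The following Python example is added here and is not Langflow's code or part of the original advisory: it scans web-server access logs in common log format for POST requests to the public flow-build endpoint named in the advisory, summarizes them per source address, and compares a reported Langflow version against the official 1.9.0 fix. The log lines are constructed samples, and the version check makes the conservative assumption that pre-release builds of 1.9.0 (for example 1.9.0rc1) do not yet carry the fix.

```python
import re
from collections import Counter

# Endpoint named in Langflow's advisory for CVE-2026-33017:
#   POST /api/v1/build_public_tmp/{flow_id}/flow
PUBLIC_BUILD_RE = re.compile(
    r'"POST\s+/api/v1/build_public_tmp/(?P<flow_id>[^/\s?]+)/flow(?:\?\S*)?\s+HTTP/'
)

# Common log format: client ip, ident, user, [timestamp], "request", status ...
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+)\s+\S+\s+\S+\s+\[(?P<ts>[^\]]+)\]\s+'
    r'(?P<request>"[^"]*")\s+(?P<status>\d{3})'
)

# Official fixed version per Langflow's advisory and NVD.
FIXED_VERSION = (1, 9, 0)

# Constructed sample log lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Mar/2026:10:01:02 +0000] "POST /api/v1/build_public_tmp/3f2a1b9c/flow HTTP/1.1" 200 512
198.51.100.7 - - [25/Mar/2026:10:01:05 +0000] "GET /api/v1/flows/ HTTP/1.1" 401 0
203.0.113.10 - - [25/Mar/2026:10:01:09 +0000] "POST /api/v1/build_public_tmp/3f2a1b9c/flow?stream=false HTTP/1.1" 500 87
198.51.100.7 - - [25/Mar/2026:10:02:11 +0000] "POST /api/v1/build_public_tmp/77e0d4aa/flow HTTP/1.1" 200 640
192.0.2.5 - - [25/Mar/2026:10:02:30 +0000] "GET /health HTTP/1.1" 200 15
"""


def parse_version(text):
    """Turn '1.8.2' or '1.9.0rc1' into (major, minor, patch) plus a pre-release flag.

    Anything after the digits in a component ('rc1', 'a0', 'dev') marks the
    build as pre-release; the numeric part is still returned for comparison.
    """
    nums, prerelease = [], False
    for piece in text.strip().split("."):
        m = re.match(r"(\d+)(.*)", piece)
        if not m:
            prerelease = True
            break
        nums.append(int(m.group(1)))
        if m.group(2):
            prerelease = True
            break
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3]), prerelease


def is_fixed_version(text):
    """True when the version is at or above 1.9.0.

    Assumption (not from the advisory): a pre-release build is only trusted
    when its numeric part is strictly above 1.9.0, so 1.9.0rc1 is unpatched.
    """
    version, prerelease = parse_version(text)
    if prerelease:
        return version > FIXED_VERSION
    return version >= FIXED_VERSION


def find_public_build_requests(log_text):
    """Return one record per POST to the public flow-build endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        ep = PUBLIC_BUILD_RE.search(m.group("request"))
        if not ep:
            continue
        hits.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "flow_id": ep.group("flow_id"),
            "status": int(m.group("status")),
        })
    return hits


def summarize(hits):
    """Aggregate hits by source address and list the flow ids targeted."""
    return {
        "total": len(hits),
        "by_ip": dict(Counter(h["ip"] for h in hits)),
        "flow_ids": sorted({h["flow_id"] for h in hits}),
    }


if __name__ == "__main__":
    report = summarize(find_public_build_requests(SAMPLE_LOG))
    print("public build requests:", report)
    for v in ("1.8.2", "1.9.0rc1", "1.9.0"):
        print(f"langflow {v}: {'fixed' if is_fixed_version(v) else 'UPGRADE'}")
```

Any POST to this endpoint on an instance that is not meant to serve public flows deserves a look, because the advisory says the endpoint needs no credentials; a burst of requests against one flow id from a single address, or server errors on that path, is the pattern to triage first. Feed the script your reverse proxy or application server access log instead of SAMPLE_LOG.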

FAQ

What is CVE-2026-33017?

It is a critical Langflow vulnerability that can allow unauthenticated remote code execution through the public flow build feature.

Is this flaw actively exploited?

Yes. CISA added it to the Known Exploited Vulnerabilities catalog based on evidence of active exploitation.

Which Langflow versions are fixed?

The official Langflow advisory and NVD say the issue is fixed in version 1.9.0.

Why is this bug so dangerous?

Because an attacker does not need valid credentials and can supply flow data that reaches exec() without sandboxing.
