If you’re running Langflow and updated to version 1.8.2 thinking you were safe from CVE-2026-33017, you’re not. JFrog Security Research confirmed that the version widely reported as patched is still fully exploitable. The actual fix landed in 1.9.0, and with the CISA KEV remediation deadline five days out on April 8, this matters right now.
The Vulnerability
CVE-2026-33017 (CVSS 9.3) is an unauthenticated remote code execution flaw in Langflow, the open-source platform used to build and deploy LLM-powered applications. The vulnerable endpoint is POST /api/v1/build_public_tmp/{flow_id}/flow, which is designed to let unauthenticated users build public flows.
The problem: when the optional data parameter is supplied, the endpoint uses attacker-controlled flow data instead of the stored flow from the database. That flow data can contain arbitrary Python code in node definitions, which gets passed straight to exec() with zero sandboxing.
One HTTP request. No credentials. Full code execution on the server.
Exploited in 20 Hours
Sysdig’s Threat Research Team observed the first exploitation attempts within 20 hours of the advisory’s publication on March 17, 2026 — before any public proof-of-concept existed. Attackers reverse-engineered working exploits directly from the advisory description and began scanning for exposed instances.
In observed attacks, the exploit chain exfiltrated cloud access keys, database credentials, and API tokens from compromised Langflow instances. For organizations using Langflow as part of their AI pipeline infrastructure, this means every secret accessible to the Langflow process should be considered compromised if the instance was exposed.
The Incomplete Fix
This is where it gets worse. Multiple sources, including vendor communications and security advisories, pointed to Langflow 1.8.2 as the patched version. JFrog tested both the PyPI package and the Docker image for 1.8.2 and successfully exploited the vulnerability on both.
The underlying issue is that 1.8.2 did not adequately address the root cause — the exec() call in the flow build path still accepts attacker-controlled input. JFrog opened an issue and pull request with full details, and the Langflow team confirmed that 1.9.0 is the correct patched version.
If your vulnerability scanner shows CVE-2026-33017 as remediated because you’re on 1.8.2, it’s wrong.
Who’s Affected
Anyone running Langflow versions prior to 1.9.0 with the build endpoint exposed to the network. This includes:
- Self-hosted Langflow instances accessible from the internet or an untrusted network
- Langflow deployments in Kubernetes clusters without proper network policies restricting access to the API
- Development and staging environments that often get less scrutiny but run with production credentials
- CI/CD pipelines that use Langflow for LLM workflow testing
Shodan and Censys queries for Langflow instances show a non-trivial number of exposed deployments, many running versions older than 1.8.x.
What To Do Right Now
If you can upgrade to 1.9.0, do it immediately. This is the only confirmed fixed release.
If you cannot upgrade yet, JFrog recommends uninstalling the current Langflow package and installing langflow-nightly instead. Testing confirmed that the mitigation in langflow-nightly 1.9.0.dev18 is effective:
| |
If neither is possible, restrict network access to the /api/v1/build_public_tmp/ endpoint immediately. A WAF rule or reverse proxy configuration blocking unauthenticated POST requests to that path will buy time.
Rotate credentials on any Langflow instance that was internet-exposed prior to patching. Assume API keys, database credentials, and cloud tokens accessible to the Langflow process have been exfiltrated.
CISA KEV Deadline
CISA added CVE-2026-33017 to the Known Exploited Vulnerabilities catalog on March 25, 2026. Federal Civilian Executive Branch agencies have until April 8, 2026 to apply fixes. Given that the “fix” many organizations applied is incomplete, FCEB agencies on 1.8.2 need to take action again before the deadline.
Timeline
- March 17, 2026 — Advisory published for CVE-2026-33017
- March 17-18, 2026 — First exploitation attempts observed in the wild (Sysdig)
- March 25, 2026 — CISA adds to KEV catalog, sets April 8 deadline
- Late March 2026 — JFrog confirms 1.8.2 is still vulnerable, discloses to Langflow
- March/April 2026 — Langflow 1.9.0 released with complete fix