A critical security flaw impacting Langflow has come under active exploitation within 20 hours of public disclosure, highlighting the speed at which threat actors weaponize newly published vulnerabilities.
The security defect, tracked as CVE-2026-33017 (CVSS score: 9.3), is a case of missing authentication combined with code injection that could result in remote code execution.
"The POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication," according to Langflow's advisory for the flaw.
"When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database.
This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution."
The vulnerability affects all versions of the open-source artificial intelligence (AI) platform prior to and including 1.8.1.
It has been currently addressed in the development version 1.9.0.dev8 .
Security researcher Aviral Srivastava, who discovered and reported the flaw on February 26, 2026, said it's distinct from CVE-2025-3248 (CVSS score: 9.8), another critical bug in Langflow that abused the /api/v1/validate/code endpoint to execute arbitrary Python code without requiring any authentication.