Security researchers have identified two severe vulnerabilities in Langflow, the popular visual framework for building AI-powered agents. The flaws, which include a “Critical” rated unauthenticated Remote Code Execution (RCE) and an Arbitrary File Write vulnerability, pose a significant risk to organizations deploying AI workflows.
Langflow is widely used by developers to turn complex AI logic into integrated tools for any application stack. However, these newly discovered architectural weaknesses could allow attackers to bypass security guards and gain full control over the host servers.
The most severe of the two, designated CVE-2026-33017 with a CVSS score of 9.3, resides in the platform’s public flow build endpoint.
Typically, public flows are designed to be accessible without authentication; however, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint contains a fatal design flaw. When an optional data parameter is provided, the system ignores the secure, stored flow data in the database and instead executes code supplied directly by the user.
Because this attacker-controlled data is passed to the Python exec() function without any sandboxing, an unauthorized user can run arbitrary code with the full privileges of the server process.
Potential Impact:
- Total Server Compromise: Attackers can read or write any file and execute system-level commands.
- Credential Theft: Exfiltration of sensitive environment variables, including API keys, database credentials, and cloud tokens.
- Persistent Access: Deployment of reverse shells and lateral movement within the local network.
The second vulnerability, CVE-2026-33309, carries a maximum CVSS score of 10. It stems from a defense-in-depth failure in how the platform handles file uploads through its v2 API.
While previous patches attempted to fix file-naming issues, the underlying LocalStorageService still lacks essential boundary containment checks. This allows an authenticated attacker to bypass the API’s path guards by manipulating the multipart Content-Disposition header.
Because the service builds paths by naive concatenation, it can be tricked into writing files anywhere on the host system. An attacker could overwrite critical system files, inject malicious Python components, or even modify .ssh/authorized_keys to secure permanent RCE on the server.
Both vulnerabilities affect Langflow version 1.8.1 and all prior versions. Alarmingly, no official patched versions have been released at the time of this report.
Experts recommend immediate manual intervention for administrators:
- For CVE-2026-33017: Modify the build_public_tmp route to remove the data parameter entirely, forcing public flows to execute only from the validated database.
- For CVE-2026-33309: Implement strict sanitization of multipart filenames using pathlib to strip directory traversal characters (e.g., ..) and add canonical path containment checks.
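The filename handling recommended for CVE-2026-33309, sketched as an added example: this is not Langflow's code or an official patch, and safe_upload_path, UnsafeUploadPath and the upload directory are hypothetical names. It assumes uploads are stored flat in one directory, so the client-supplied name is reduced to its final component before the containment check.

```python
import tempfile
from pathlib import Path, PurePosixPath, PureWindowsPath


class UnsafeUploadPath(ValueError):
    """Raised when a client-supplied filename cannot be stored safely."""


def safe_upload_path(base_dir, client_filename):
    """Map a multipart filename to a path that stays inside base_dir.

    Hypothetical helper for illustration; not part of Langflow.
    """
    if not client_filename or "\x00" in client_filename:
        raise UnsafeUploadPath("empty filename or NUL byte")

    # Step 1: keep only the final component under both POSIX and Windows
    # separator rules, so "../../x" and "..\\..\\x" both reduce to "x".
    name = PureWindowsPath(PurePosixPath(client_filename).name).name
    if name in ("", ".", ".."):
        raise UnsafeUploadPath(f"no usable filename in {client_filename!r}")

    # Step 2: canonical containment. resolve() collapses ".." and follows
    # symlinks, so a link inside base_dir that points elsewhere is rejected.
    base = Path(base_dir).resolve()
    target = (base / name).resolve()
    if target == base or not target.is_relative_to(base):
        raise UnsafeUploadPath(f"{client_filename!r} escapes {base}")
    return target


if __name__ == "__main__":
    # Constructed filenames, as they might arrive in Content-Disposition.
    with tempfile.TemporaryDirectory() as uploads:
        for candidate in ("report.csv", "../../home/user/.ssh/authorized_keys",
                          "..\\..\\components\\evil.py", ".."):
            try:
                print(f"{candidate!r} -> {safe_upload_path(uploads, candidate)}")
            except UnsafeUploadPath as exc:
                print(f"{candidate!r} rejected: {exc}")
```

The containment check in step 2 is what the storage layer should enforce on its own, independent of any sanitization done at the API route. Path.is_relative_to requires Python 3.9 or later.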