thehackernews.com 3/20/2026, 4:24:56 PM

Critical Langflow Flaw CVE-2026-33017 Triggers Attacks within 20 Hours of Disclosure

CyberSIXT Evidence Panel
Primary source: github.com
CISA KEV: Not in KEV
Patch status: Unknown

A critical security flaw in Langflow, tracked as CVE-2026-33017 with a CVSS score of 9.3, allows unauthenticated remote code execution through the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint when attacker‑controlled data is supplied. According to Langflow's advisory for the flaw, the endpoint builds public flows without requiring authentication and uses an attacker‑supplied data parameter containing arbitrary Python code in node definitions, which is then executed via exec() with no sandboxing.

The vulnerability affects all Langflow versions prior to and including 1.8.1 and has been addressed in development version 1.9.0.dev8. Security researcher Aviral Srivastava reported the flaw on 26 February 2026, and Sysdig observed exploitation in the wild within 20 hours of the advisory’s publication, on 17 March 2026. Exploitation could enable an attacker to run code with the server’s privileges, read environment variables, access or modify files, inject backdoors, or even obtain a reverse shell.
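As an added illustration (not code from Langflow or the article), the following Python checks whether a reported Langflow version falls in the affected range described above and scans constructed access-log lines for POST requests to the unauthenticated public-build endpoint; the combined log layout and the flow id are assumptions.

```python
import re
from typing import Iterable

# Endpoint named in the advisory: POST /api/v1/build_public_tmp/{flow_id}/flow
ENDPOINT_RE = re.compile(r"^/api/v1/build_public_tmp/([^/]+)/flow/?(?:\?.*)?$")
# Combined-log-format request line (assumed layout): client, method, path, status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Version pattern accepting releases like '1.8.1' and dev builds like '1.9.0.dev8'
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.dev(\d+))?")
FIXED_RELEASE, FIXED_DEV = (1, 9, 0), 8  # the fix landed in 1.9.0.dev8


def parse_version(version: str):
    """Return ((major, minor, patch), dev); dev is None for a final release."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, dev = m.groups()
    return (int(major), int(minor), int(patch)), (int(dev) if dev is not None else None)


def is_affected(version: str) -> bool:
    """True for 1.8.1 and earlier, and for 1.9.0 dev builds older than dev8."""
    release, dev = parse_version(version)
    if release < FIXED_RELEASE:
        return True
    return release == FIXED_RELEASE and dev is not None and dev < FIXED_DEV


def flag_public_build_requests(lines: Iterable[str]) -> list:
    """Return (client, flow_id, status) for every POST to the public-build endpoint.
    The endpoint needs no credentials, so hits on an unpatched server merit review."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, path, status = m.groups()
        ep = ENDPOINT_RE.match(path)
        if method.upper() == "POST" and ep:
            hits.append((client, ep.group(1), int(status)))
    return hits


# Constructed sample log lines (not real traffic); the flow id is a placeholder.
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Mar/2026:09:14:02 +0000] "POST /api/v1/build_public_tmp/flow-placeholder/flow HTTP/1.1" 200 812',
    '198.51.100.4 - - [17/Mar/2026:09:14:05 +0000] "GET /api/v1/flows/ HTTP/1.1" 401 0',
    '203.0.113.7 - - [17/Mar/2026:09:14:09 +0000] "POST /api/v1/build_public_tmp/flow-placeholder/flow?stream=false HTTP/1.1" 500 120',
]

if __name__ == "__main__":
    print("1.8.1 affected:", is_affected("1.8.1"), "| 1.9.0.dev8 affected:", is_affected("1.9.0.dev8"))
    for hit in flag_public_build_requests(SAMPLE_LOG):
        print("public-build POST:", hit)
```

Run it against a real server's access log and the version reported by the running instance to prioritise which deployments to update and inspect first.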

The rapid 20‑hour window from disclosure to first exploitation illustrates the accelerating attack cycle, with defenders urged to update to the patched version and audit exposed Langflow instances.


Article by CyberSIXT