The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a Langflow flaw to its Known Exploited Vulnerabilities (KEV) catalog, tracked as CVE-2026-33017 with a CVSS score of 9.3. Langflow is a popular tool for building agentic AI workflows, and CVE-2026-33017 is a critical flaw that allows attackers to execute arbitrary code without authentication via the public build endpoint, which accepts attacker-supplied Python code inside node definitions and executes it using exec() without sandboxing.
The advisory notes that the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint can build public flows without authentication and, when the data parameter is supplied, uses attacker-controlled flow data instead of the stored flow, leading to unauthenticated remote code execution. This follows a prior Langflow flaw, CVE-2025-3248 (CVSS 9.8), added to the catalog in May 2025, whose exploitability had been highlighted by researchers from Horizon3[.]ai.
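The root cause described above is a trust decision: a public build endpoint that lets the request body replace the stored flow definition. The following Python is an added illustration written for this article, not Langflow's code or its actual patch; the flow-store layout, the `STORED_FLOWS` sample, the `node_code_to_run` stand-in (which returns the node code strings rather than calling exec()) and the constructed access-log lines are all assumptions. It shows the vulnerable pattern beside a hardened one, and a small triage helper that pulls POSTs to the affected endpoint out of web-server access logs.

```python
import re
from typing import Any

# Constructed sample flow store.  "code" is just a label for what the build
# step would run; nothing in this example is ever passed to exec().
STORED_FLOWS: dict[str, dict[str, Any]] = {
    "flow-123": {"public": True, "nodes": [{"id": "n1", "code": "stored_node()"}]},
    "flow-999": {"public": False, "nodes": [{"id": "n1", "code": "private_node()"}]},
}


class BuildRejected(Exception):
    """Raised by the hardened handler instead of building an untrusted flow."""


def node_code_to_run(flow: dict[str, Any]) -> list[str]:
    """Stand-in for the build step (assumption): returns the code strings the
    real server would hand to exec(), so callers can inspect the decision."""
    return [node["code"] for node in flow["nodes"]]


def vulnerable_build_public(flow_id: str, body: dict[str, Any]) -> list[str]:
    """Vulnerable pattern: if the client sends `data`, it silently replaces the
    stored flow, so an unauthenticated caller chooses what gets built."""
    flow = body.get("data") or STORED_FLOWS[flow_id]
    return node_code_to_run(flow)


def hardened_build_public(flow_id: str, body: dict[str, Any]) -> list[str]:
    """Hardened pattern (assumed remediation, not the vendor's patch): the
    public endpoint only ever builds the stored flow named by flow_id, rejects
    any client-supplied flow definition outright, and refuses flows that are
    not explicitly marked public."""
    if "data" in body:
        raise BuildRejected("client-supplied flow data is not accepted on the public build endpoint")
    flow = STORED_FLOWS.get(flow_id)
    if flow is None or not flow["public"]:
        raise BuildRejected("flow not found or not public")
    return node_code_to_run(flow)


# Triage helper: find requests to the affected endpoint in combined-format
# access logs.  Access logs do not show whether the body carried `data`, so
# hits are leads to correlate with application logs, not confirmed exploitation.
_BUILD_PUBLIC_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"POST /api/v1/build_public_tmp/(?P<flow_id>[^/\s]+)/flow\S* HTTP/[\d.]+" '
    r'(?P<status>\d{3})'
)


def find_public_build_requests(log_lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (source_ip, flow_id, status) for each POST to the public build endpoint."""
    hits = []
    for line in log_lines:
        m = _BUILD_PUBLIC_RE.match(line)
        if m:
            hits.append((m["ip"], m["flow_id"], m["status"]))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [02/Apr/2026:10:15:01 +0000] "POST /api/v1/build_public_tmp/flow-123/flow HTTP/1.1" 200 512',
    '198.51.100.9 - - [02/Apr/2026:10:15:03 +0000] "GET /api/v1/flows/flow-123 HTTP/1.1" 200 2048',
    '203.0.113.7 - - [02/Apr/2026:10:15:05 +0000] "POST /api/v1/build_public_tmp/flow-999/flow HTTP/1.1" 200 498',
]

if __name__ == "__main__":
    tampered = {"data": {"nodes": [{"id": "x", "code": "client_supplied_node()"}]}}
    print("vulnerable:", vulnerable_build_public("flow-123", tampered))
    try:
        hardened_build_public("flow-123", tampered)
    except BuildRejected as exc:
        print("hardened:", exc)
    print("log hits:", find_public_build_requests(SAMPLE_ACCESS_LOG))
```

The hardened handler makes two separate decisions explicit: which definition is built (always the stored one) and whether the flow may be built anonymously at all (only if marked public). Either check alone would have closed the specific path the advisory describes; together they also stop a non-public flow being built through the public endpoint.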
CISA has ordered federal agencies to fix the vulnerability by 8 April 2026. Under Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, agencies must remediate catalogued vulnerabilities by their due dates, and experts also urge private organisations to review the KEV catalog and address the risks it lists.