theinfosecnews

CVE-2026-33017

CISA KEV

Published March 25, 2026 · Updated April 3, 2026

Severity: High

What This Means

# CVE-2026-33017: Langflow Unauthenticated Code Injection

**What it is:** Langflow allows an attacker to inject and execute arbitrary code by building public flows without supplying authentication credentials.

**Impact:** An unauthenticated attacker can execute code within the Langflow environment, potentially compromising the underlying system, stealing credentials and other sensitive data, or pivoting to connected infrastructure.

**Required actions:**

- Identify all Langflow instances in your environment and their exposure (internal vs. public-facing).
- Apply patches from Langflow immediately when available.
- Restrict network access to Langflow deployment ports until patched.
- Review logs for suspicious flow creation or execution activity, in particular requests that carried no credentials.
- Audit any flows created or modified during the vulnerability window for malicious changes.
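The last two actions (review logs, audit flows touched during the window) are the ones a responder has to do by hand on an unpatched instance, so here is an added triage helper. This is example code written for this page, not Langflow project code. It assumes a reverse proxy in front of Langflow that writes nginx-style combined logs with an extra `auth=0/1` field recording whether the request carried an Authorization or x-api-key header, assumes the flow-create and flow-build routes sit under `/api/v1/flows` and `/api/v1/build/` (check against the routes your version actually serves), and assumes an exposure window from the advisory date to the KEV due date; the log lines and flow list are constructed samples.

```python
"""Triage helper for CVE-2026-33017: flag unauthenticated flow-building
requests in a reverse-proxy access log and list flows touched during the
exposure window. Added example, not Langflow project code; the log
format, the API path prefixes and the window dates are assumptions."""
import json
import re
from datetime import datetime, timezone

# Assumed exposure window: advisory publication (2026-03-25) to the KEV
# due date (2026-04-08). Replace WINDOW_END with your actual patch time.
WINDOW_START = datetime(2026, 3, 25, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 4, 8, 23, 59, 59, tzinfo=timezone.utc)

# Assumed: request-path prefixes that create or build flows. Check them
# against the routes your Langflow version actually serves.
FLOW_BUILD_PREFIXES = ("/api/v1/flows", "/api/v1/build/")

# Assumed log format: nginx "combined" plus a trailing field, auth=1 when
# the request carried an Authorization or x-api-key header, else auth=0.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ '
    r'"[^"]*" "(?P<ua>[^"]*)" auth=(?P<auth>[01])'
)


def parse_line(line):
    """Parse one access-log line; return a dict, or None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["auth"] = rec["auth"] == "1"
    return rec


def in_window(ts):
    return WINDOW_START <= ts <= WINDOW_END


def suspicious_requests(log_text):
    """Unauthenticated POSTs to flow-building paths inside the window.
    Each hit records whether the server accepted it (status < 400), which
    separates a rejected probe from a likely compromise."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not in_window(rec["ts"]):
            continue
        if rec["method"] != "POST" or rec["auth"]:
            continue
        if not rec["path"].startswith(FLOW_BUILD_PREFIXES):
            continue
        hits.append({
            "ip": rec["ip"], "path": rec["path"], "ts": rec["ts"].isoformat(),
            "ua": rec["ua"], "succeeded": rec["status"] < 400,
        })
    return hits


def flows_in_window(flows_json):
    """IDs of flows whose updated_at (assumed ISO-8601 field) falls in the
    window: the ones to diff against a known-good export or delete."""
    out = []
    for flow in json.loads(flows_json):
        if in_window(datetime.fromisoformat(flow["updated_at"])):
            out.append(flow["id"])
    return out


# Constructed sample data (not real logs): one credential-less session that
# created and built a flow, one authenticated user, and one pre-window probe.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Mar/2026:02:14:09 +0000] "POST /api/v1/flows/ HTTP/1.1" 201 612 "-" "python-requests/2.32.3" auth=0
203.0.113.7 - - [26/Mar/2026:02:14:11 +0000] "POST /api/v1/build/9c1e1f2a/flow HTTP/1.1" 200 88 "-" "python-requests/2.32.3" auth=0
10.0.4.21 - - [26/Mar/2026:09:02:55 +0000] "POST /api/v1/flows/ HTTP/1.1" 201 640 "-" "Mozilla/5.0" auth=1
10.0.4.21 - - [26/Mar/2026:09:03:10 +0000] "GET /api/v1/flows/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0" auth=1
198.51.100.5 - - [20/Mar/2026:11:00:00 +0000] "POST /api/v1/flows/ HTTP/1.1" 401 30 "-" "curl/8.5.0" auth=0
"""
SAMPLE_FLOWS = json.dumps([
    {"id": "9c1e1f2a", "name": "scratch", "updated_at": "2026-03-26T02:14:09+00:00"},
    {"id": "4b7d33c0", "name": "rag-ingest", "updated_at": "2026-03-01T10:00:00+00:00"},
])

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print("unauthenticated flow build:", hit)
    print("flows to audit:", flows_in_window(SAMPLE_FLOWS))
```

Run it against the real proxy log and a flow list exported from the instance; every hit with `succeeded` set, and every flow ID it lists, should be treated as potentially attacker-controlled until someone has read the flow's code nodes. Requests that were rejected (4xx) still identify scanning sources worth blocking at the proxy.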

Official Description

Langflow contains a code injection vulnerability that could allow building public flows without requiring authentication.

Affected Products

Vendor   | Product
Langflow | Langflow

Patch Status

CISA KEV due date (federal agency remediation deadline): 2026-04-08

Recommended Actions

  1. Check whether any of your systems run the affected product listed above, and note which instances are reachable from outside your network.
  2. Apply vendor patches immediately if available.
  3. This vulnerability is in CISA's Known Exploited Vulnerabilities catalog, so prioritize remediation.
  4. Monitor vendor advisories for updates and additional mitigations.
  5. Review proxy and application logs for flow creation or build requests that carried no credentials, and treat any such request that succeeded as an indicator of compromise for CVE-2026-33017.

Related Coverage

Vulnerability

CVE-2026-33017: Unauthenticated Code Injection in Langflow Exposes AI Pipeline Infrastructure

CVE-2026-33017 is an unauthenticated code injection vulnerability in Langflow that allows a remote attacker to execute arbitrary code through the public flow-building interface without credentials. Successful exploitation can result in credential theft, data exfiltration, and lateral movement into connected infrastructure. CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog with a federal agency patch deadline of April 8, 2026.
