
"The vulnerability, CVE-2026-33017, carries a CVSS score of 9.3 and enables remote code execution without requiring any authentication. CISA added it to its Known Exploited Vulnerabilities catalog, meaning active exploitation has been confirmed."
"Exploitation using Python scripts followed within 21 hours, and data harvesting targeting .env and .db files began after 24 hours. No public proof-of-concept code existed at the time."
"The flaw resides in Langflow's public flow build endpoint. When an attacker supplies a crafted data parameter, the code is passed to Python's exec() function with zero sandboxing, enabling unauthenticated RCE via a single HTTP request."
"System administrators running Langflow should upgrade to version 1.9.0 or later, which addresses CVE-2026-33017."
CISA identified a critical vulnerability, CVE-2026-33017, in Langflow, an open-source framework for building AI workflows, that allows remote code execution without authentication. The flaw has a CVSS score of 9.3 and was added to the Known Exploited Vulnerabilities catalog. Attackers began scanning for exposed instances within 20 hours of the advisory, with exploitation following shortly after. The vulnerability affects versions 1.8.1 and earlier; system administrators are advised to upgrade to version 1.9.0 or later.
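The excerpt above describes the bug class: a request parameter handed straight to Python's exec() with no authentication in front of it. The following is an added example, not Langflow's own code and not the actual vulnerable handler; the function names, the shape of the request dict and the sample payloads are assumptions constructed for illustration. It shows the vulnerable pattern beside a hardened handler, a detection check for request bodies that contain executable Python constructs, and a version check for the affected range the advisory states (1.8.1 and earlier affected, 1.9.0 fixed).

```python
"""Added example: exec()-on-request-data beside a hardened handler, plus
detection and version-range helpers. Hypothetical code, not Langflow's."""
import ast
import re
from typing import Optional


class RequestRejected(Exception):
    """Raised when the hardened handler refuses a request."""


# --- Vulnerable shape (hypothetical reconstruction of the described flaw) --
def build_flow_vulnerable(request: dict) -> dict:
    """The 'data' parameter is executed as Python: no auth, no sandbox.
    Anything the caller sends runs with the server process's privileges."""
    scope: dict = {}
    exec(request.get("data", ""), {}, scope)  # constructed RCE sink
    return scope


# --- Hardened shape: authenticate first, never execute the parameter -------
def build_flow_hardened(request: dict, user: Optional[str]) -> dict:
    """Require an authenticated caller and parse 'data' only as a literal.
    ast.literal_eval rejects calls, attribute access, imports and statements,
    so no code path exists from the parameter to the interpreter."""
    if user is None:
        raise RequestRejected("authentication required")
    raw = request.get("data", "")
    try:
        payload = ast.literal_eval(raw)
    except (ValueError, SyntaxError) as exc:
        raise RequestRejected(f"data is not a plain literal: {exc}") from exc
    if not isinstance(payload, dict):
        raise RequestRejected("data must be an object")
    return payload


def rejects(request: dict, user: Optional[str]) -> bool:
    """True if the hardened handler refuses the request (used for checks)."""
    try:
        build_flow_hardened(request, user)
    except RequestRejected:
        return True
    return False


# --- Detection: does a request body look like executable Python? -----------
_EXEC_NODES = (ast.Call, ast.Attribute, ast.Import, ast.ImportFrom, ast.Lambda)


def flags_executable_payload(raw: str) -> bool:
    """Flag bodies that parse as Python and contain calls, attribute access,
    imports or lambdas. A JSON-like object literal parses cleanly but has none
    of these; unparsable text is not flagged (it could not have run either)."""
    try:
        tree = ast.parse(raw, mode="exec")
    except SyntaxError:
        return False
    return any(isinstance(node, _EXEC_NODES) for node in ast.walk(tree))


# --- Version check against the range the advisory gives --------------------
FIXED_VERSION = (1, 9, 0)


def parse_version(version: str) -> tuple:
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version: str) -> bool:
    """Treat everything below 1.9.0 as affected (advisory: 1.8.1 and earlier)."""
    return parse_version(version) < FIXED_VERSION


if __name__ == "__main__":
    # Constructed payloads, not captured traffic.
    attacker = {"data": "import os; marker = os.getpid() > 0"}
    benign = {"data": '{"nodes": [], "edges": []}'}
    print("vulnerable handler ran import:", build_flow_vulnerable(attacker)["marker"])
    print("hardened rejects unauthenticated:", rejects(benign, None))
    print("hardened rejects code payload:", rejects(attacker, "alice"))
    print("hardened accepts literal:", build_flow_hardened(benign, "alice"))
    print("detector flags attacker body:", flags_executable_payload(attacker["data"]))
    print("1.8.1 affected:", is_affected("1.8.1"), "| 1.9.0 affected:", is_affected("1.9.0"))
```

The detector is a triage aid for request logs or a reverse proxy rule, not a substitute for the upgrade: exec() cannot be made safe by filtering input, which is why the hardened handler never reaches the interpreter at all.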
Read at Techzine Global