COOEY // HUBcompliance · community · intelligence

Exposures › CVE-2026-33017

CVE-2026-33017

Severity
high · on CISA KEV actively exploited
Source
CISA-KEV · kev
Published
2026-03-25
Reference
https://nvd.nist.gov/vuln/detail/CVE-2026-33017
⚡ RCE ⌖ exploited in the wild shame 65/100 rceexploited-in-wildauth-bypasssupply-chain

Langflow allows unauthenticated public flow creation via code injection, enabling attackers to bypass security controls.

Langflow's code injection vulnerability permits building public flows without authentication, bypassing security controls and exposing sensitive data to unauthorized users. DIB organizations must audit all Langflow integrations and enforce strict access controls to prevent unauthorized access to critical workflows.

Shame score — The vulnerability allows unauthenticated access to critical functionality, representing a significant security control bypass that could lead to data exposure.

Players implicated

Langflow · vendorLangflow · product

Description

Langflow contains a code injection vulnerability that could allow building public flows without requiring authentication.

Affected FedRAMP products 0 in the catalog

No correlated FedRAMP products.