Breach report
Langflow: one unauthenticated POST turns an AI workflow builder into a shell
What happened
Langflow is a widely-used open-source builder for AI agent workflows (140K+ GitHub stars). It shipped a series of critical remote-code-execution flaws rooted in endpoints that run user-supplied code. CVE-2025-34291 (CVSS 9.4) centers on /api/v1/validate/code: it uses exec() on submitted code, and default-argument and decorator expressions execute immediately on validation — combined with permissive CORS and a SameSite=None refresh cookie, it enabled account takeover and RCE. An earlier related flaw, CVE-2025-3248, required no authentication at all and was exploited in the wild to spread the Flodric botnet. CVE-2026-33017 (CVSS 9.8) is an unauthenticated RCE via the public flow-build endpoint (POST /api/v1/build_public_tmp/{flow_id}/flow) affecting versions up to and including 1.8.2; it was disclosed March 17, 2026, weaponized within 20 hours, and used to deploy a Go loader and an XMRig Monero cryptominer across exposed servers, with roughly 7,000 Langflow instances internet-accessible at the time.
Root cause
The platform executes code that arrives over the network with insufficient authentication and no sandboxing (CWE-94, code injection). A validation or build endpoint that runs attacker-controlled Python is a shell by design; when it also skips authentication, anyone who can reach the port owns the host. "The workflow runs" was satisfied; "untrusted input never reaches an interpreter, and every dangerous endpoint requires auth" was not.
How it would have been caught
A test that sends a crafted request to the code/flow endpoint without credentials carrying a benign payload (write a marker file, resolve DNS) and asserts the side effect did not occur — red against the vulnerable build. An authentication test asserting the endpoint rejects unauthenticated callers catches the missing gate. Both are one-request reproductions.
How to prevent it
- Never execute user-supplied code without a real sandbox; strip default-arg/decorator execution paths and treat every model/flow input as untrusted.
- Require authentication on every endpoint, deny by default, and fix CORS/cookie settings that enable cross-origin token theft.
- Do not expose these platforms to the internet; front them with a VPN/firewall and patch immediately (Langflow 1.9.0+).
The Breachwire test (red → green)
Send an unauthenticated request to the code/flow-build endpoint with a payload that creates a marker file or makes an outbound DNS lookup, and confirm the side effect fires on the server — the RED proof of unauthenticated RCE. Upgrade to a patched version, add authentication and input sandboxing, then confirm the same request is rejected with no code execution, while legitimate authenticated flows still run.
Sources
- https://www.obsidiansecurity.com/blog/cve-2025-34291-critical-account-takeover-and-rce-vulnerability-in-the-langflow-ai-agent-workflow-platform
- https://www.sysdig.com/blog/cve-2026-33017-how-attackers-compromised-langflow-ai-pipelines-in-20-hours
- https://thehackernews.com/2026/06/langflow-rce-exploited-to-deploy-monero.html