langflow
Behoben in
1.2.1
1.9.0
CVE-2026-33309 represents a critical Remote Code Execution (RCE) vulnerability discovered in Langflow, a tool for building and deploying AI-powered agents and workflows. This flaw stems from a bypass of a prior patch intended to address CVE-2025-68478, leaving a fundamental architectural weakness unresolved. The vulnerability affects versions of Langflow up to 1.8.2 and can be exploited to achieve arbitrary file writes, potentially leading to complete system compromise. A fix is available in version 1.9.0.
The core of this vulnerability lies in the LocalStorageService component, which lacks proper boundary containment checks. This reliance on the HTTP-layer ValidatedFileName dependency creates a defense-in-depth failure. Attackers can exploit the /api/v2/files/ endpoint through a multipart upload filename bypass, effectively circumventing path-parameter guards. This allows for arbitrary file writing, meaning an attacker can write malicious files to the server, potentially overwriting critical system files or injecting malicious code. Successful exploitation could lead to complete system compromise, including data exfiltration, denial of service, and the execution of arbitrary commands with the privileges of the Langflow process. The impact is particularly severe given Langflow's role in building and deploying AI agents, which often handle sensitive data and interact with external systems.
CVE-2026-33309 was publicly disclosed on 2026-03-19. The vulnerability's severity is amplified by the bypass of a previous patch, indicating a deeper architectural flaw. While no public proof-of-concept (PoC) has been confirmed as of this writing, the ease of exploitation described in the vulnerability description suggests a high probability of PoC development and potential exploitation. The EPSS score is likely to be assessed as medium to high, reflecting the RCE nature and potential for widespread impact. Monitor CISA KEV for updates.
Organizations deploying Langflow for AI agent development and workflow automation are at significant risk. This includes teams using Langflow in production environments, particularly those with limited security controls or those relying on older, unpatched versions. Shared hosting environments where multiple users share the same Langflow instance are also at elevated risk, as a compromise of one user's environment could potentially impact others.
• python / server:
import os
import hashlib
def check_langflow_files(directory):
for filename in os.listdir(directory):
if filename.endswith('.pyc') or filename.endswith('.pyo'):
file_path = os.path.join(directory, filename)
try:
with open(file_path, 'rb') as f:
file_content = f.read()
md5_hash = hashlib.md5(file_content).hexdigest()
if 'malicious_string' in md5_hash:
print(f"Potential malicious file detected: {file_path}")
except Exception as e:
print(f"Error reading file: {file_path} - {e}")
# Example usage (replace with Langflow's data directory)
check_langflow_files('/path/to/langflow/data')• generic web:
curl -I 'http://your-langflow-server/api/v2/files/' | grep 'Content-Type:'• linux / server:
journalctl -u langflow -f | grep -i "error" -i "exception"disclosure
patch
Exploit-Status
EPSS
0.07% (22% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2026-33309 is to immediately upgrade Langflow to version 1.9.0 or later, which contains the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing temporary workarounds. Strictly validate all file uploads, implementing robust input sanitization and whitelisting of allowed filenames. Consider using a Web Application Firewall (WAF) with rules to block suspicious multipart upload requests, particularly those attempting to write files outside of designated directories. Monitor Langflow logs for unusual file creation or modification activity, focusing on the /api/v2/files/ endpoint. After upgrading, confirm the fix by attempting a file upload with a deliberately malicious filename and verifying that the upload is rejected.
Aktualisieren Sie Langflow auf Version 1.9.0 oder höher. Diese Version enthält eine Korrektur für die Arbitrary File Write-Schwachstelle. Das Update verhindert die Remote Code Execution (RCE) durch authentifizierte Angreifer.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2026-33309 is a critical Remote Code Execution vulnerability in Langflow versions up to 1.8.2. It allows attackers to write arbitrary files, potentially leading to system compromise.
You are affected if you are using Langflow versions 1.2.0 through 1.8.2. Upgrade to 1.9.0 or later to mitigate the risk.
Upgrade Langflow to version 1.9.0 or later. As a temporary workaround, restrict access to the /api/v2/files/ endpoint and monitor system logs.
While no widespread exploitation has been confirmed, the vulnerability's severity and ease of exploitation suggest a high probability of future attacks. Monitor your systems closely.
Refer to the Langflow project's official website and security advisories for the latest information and updates regarding CVE-2026-33309.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Lade deine requirements.txt-Datei hoch und wir sagen dir sofort, ob du betroffen bist.