CVE-2026-33017: How I Found an Unauthenticated RCE in Langflow by Reading the Code They Already Fixed
How-To, Security

via Dev.to, by aviral srivastava

In early 2025, CISA added CVE-2025-3248 to its Known Exploited Vulnerabilities catalog. It was an unauthenticated remote code execution bug in Langflow, the popular open-source AI workflow builder with over 146,000 GitHub stars. The vulnerability was simple: the /api/v1/validate/code endpoint accepted arbitrary Python code and passed it to exec() without requiring authentication. Botnets were actively exploiting it.

The fix was straightforward too. The Langflow team added an authentication check to the endpoint and moved on.

I found the same class of vulnerability on a different endpoint. Same codebase. Same exec() call at the end of the chain. Same zero sandboxing. But this time, the fix isn't as simple as slapping an auth decorator on it, because the vulnerable endpoint is supposed to be unauthenticated. That's what makes this one interesting.

The Target

Langflow lets you build AI workflows visually by dragging and dropping components into a canvas. You wire them together, and Lang
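As an added illustration (not Langflow's code and not the author's), here is a hardened alternative to the pattern the article describes: a code-validation handler that authenticates the caller first and then inspects the submitted source with Python's ast module instead of handing it to exec(). The header name, API-key scheme, size cap and response shape are assumptions for this example.

```python
import ast
import hmac
from dataclasses import dataclass, field


@dataclass
class ValidationResult:
    ok: bool
    errors: list = field(default_factory=list)
    imports: list = field(default_factory=list)
    functions: list = field(default_factory=list)


MAX_SOURCE_BYTES = 64 * 1024  # assumed cap; very deep nesting can still exhaust the parser


def validate_code_without_exec(source: str) -> ValidationResult:
    """Syntax-check and summarise submitted code using the AST only.

    ast.parse builds a tree from the text; it never runs the code, so a
    payload such as `import os; os.system(...)` is reported, not executed.
    """
    if len(source.encode()) > MAX_SOURCE_BYTES:
        return ValidationResult(False, ["source too large"])
    try:
        tree = ast.parse(source, filename="<submitted>")
    except SyntaxError as e:
        return ValidationResult(False, [f"line {e.lineno}: {e.msg}"])
    imports, functions = [], []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            imports.extend(alias.name for alias in node.names)
        elif isinstance(node, ast.ImportFrom):
            imports.append(node.module or "")
        elif isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            functions.append(node.name)
    return ValidationResult(True, [], imports, functions)


def handle_validate_request(headers: dict, body: str, expected_api_key: str):
    """Minimal stand-in for the endpoint: authenticate first, then validate.

    The "x-api-key" header and single shared key are assumptions for this
    example. compare_digest keeps the key check constant-time.
    """
    presented = headers.get("x-api-key", "")
    if not hmac.compare_digest(presented.encode(), expected_api_key.encode()):
        return 401, {"detail": "authentication required"}
    result = validate_code_without_exec(body)
    return 200, {"ok": result.ok, "errors": result.errors,
                 "imports": result.imports, "functions": result.functions}
```

The key point is that a "validate" feature needs a parser, not an interpreter: the AST gives syntax errors, imports and definitions without any of the submitted code ever running.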
