3 matches found
Security Bulletin: Unauthenticated Session History Access via Public Flow Execution
Summary A session ID namespace bypass vulnerability existed in Langflow OSS' POST /api/v1/buildpublictmp/flowid/flow endpoint that allowed unauthenticated attackers to access chat history from other users' sessions. The endpoint accepted an inputs.session parameter that could override the session...
Critical Langflow Flaw CVE-2026-33017 Triggers Attacks within 20 Hours of Disclosure
A critical security flaw impacting Langflow has come under active exploitation within 20 hours of public disclosure, highlighting the speed at which threat actors weaponize newly published vulnerabilities. The security defect, tracked as CVE-2026-33017 CVSS score: 9.3, is a case of missing...
CVE-2026-33017
Langflow CVE-2026-33017 describes unauthenticated remote code execution via the public build endpoint /api/v1/build_public_tmp/{flow_id}/flow on versions before 1.9.0. Attackers can supply attacker-controlled flow data containing arbitrary Python code; the flow build path passes this data into th...