
CVE-2026-33017

Langflow · CRITICAL · CVSS 9.8 · In the wild · In CISA KEV

What is CVE-2026-33017?

Langflow contains a code injection vulnerability that could allow building public flows without requiring authentication.

CVSS: 9.8 (NVD 3.1)
Severity: CRITICAL
Exploitation: In the wild; in CISA KEV
Triage status: Active Exploit
Action: Patch immediately
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA Known Exploited Vulnerability

Langflow Code Injection Vulnerability

Added to KEV: 2026-03-25
Federal patch deadline: 2026-04-08
Known ransomware use: Unknown

Affected product

Langflow

🤖 This CVE page is generated by defend.network from NVD, CISA KEV, EPSS, and our verified daily briefings. Severity and exploitation data come from official sources; always verify remediation steps against the official vendor advisory before acting in production.
