{"id":227966,"date":"2026-03-26T17:07:00","date_gmt":"2026-03-26T21:07:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/03\/26\/u-s-cisa-adds-a-langflow-flaw-to-its-known-exploited-vulnerabilities-catalog\/"},"modified":"2026-03-26T18:50:14","modified_gmt":"2026-03-26T22:50:14","slug":"u-s-cisa-adds-a-langflow-flaw-to-its-known-exploited-vulnerabilities-catalog","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/03\/26\/u-s-cisa-adds-a-langflow-flaw-to-its-known-exploited-vulnerabilities-catalog\/","title":{"rendered":"U.S. CISA adds a Langflow flaw to its Known Exploited Vulnerabilities catalog"},"content":{"rendered":"

U.S. CISA adds a Langflow flaw to its Known Exploited Vulnerabilities catalog<\/a><\/p>\n

https:\/\/securityaffairs.com\/190018\/security\/u-s-cisa-adds-a-langflow-flaw-to-its-known-exploited-vulnerabilities-catalog.html<\/a><\/p>\n

Publish Date: 2026-03-26 17:07:00<\/a><\/p>\n

Source Domain: securityaffairs.com<\/a><\/p>\n

U.S. CISA adds a Langflow flaw to its Known Exploited Vulnerabilities catalog<\/h2>\n<\/p>\n

\t\t\t\t\t\t\t Pierluigi Paganini<\/span>
\n\t\t\t\t\t\t\t\"\"\/ March 26, 2026<\/span><\/p>\n

\t\t\t\t\t\t\"\"\/<\/p>\n

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a flaw in Langflow to its Known Exploited Vulnerabilities catalog.<\/h2>\n

The U.S. Cybersecurity and Infrastructure Security Agency (CISA)\u00a0added\u00a0a Langflow flaw, tracked as CVE-2026-33017 (CVSS score of 9.3), to its\u00a0Known Exploited Vulnerabilities (KEV) catalog.<\/p>\n

Langflow\u00a0is a popular tool used for building agentic AI workflows.\u00a0<\/p>\n

CVE-2026-33017 is a critical flaw in Langflow (before v1.9.0) that allows attackers to execute arbitrary code without authentication. The public build endpoint accepts user-supplied data containing Python code, which is executed via exec() without sandboxing. This can lead to full system compromise.<\/p>\n

\u201cThe\u00a0POST \/api\/v1\/build_public_tmp\/{flow_id}\/flow\u00a0endpoint allows building public flows without requiring authentication. When the optional\u00a0data\u00a0parameter is supplied, the endpoint uses\u00a0attacker-controlled flow data\u00a0(containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to\u00a0exec()\u00a0with zero sandboxing, resulting in unauthenticated remote code execution.\u201d reads the advisory. \u201cThis is distinct from\u00a0CVE-2025-3248, which fixed\u00a0\/api\/v1\/validate\/code\u00a0by adding authentication. The\u00a0build_public_tmp\u00a0endpoint is\u00a0designed\u00a0to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code.\u201d<\/p>\n

According to\u00a0Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.<\/p>\n

Experts also recommend that private organizations review the\u00a0Catalog\u00a0and…<\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

U.S. CISA adds a Langflow flaw to its Known Exploited Vulnerabilities catalog https:\/\/securityaffairs.com\/190018\/security\/u-s-cisa-adds-a-langflow-flaw-to-its-known-exploited-vulnerabilities-catalog.html Publish Date:…<\/p>\n","protected":false},"author":1,"featured_media":227967,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/securityaffairs.com\/wp-content\/uploads\/2020\/07\/CISA.jpeg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,24],"class_list":["post-227966","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-cybersecurity"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/227966"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=227966"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/227966\/revisions"}],"predecessor-version":[{"id":227968,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/227966\/revisions\/227968"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/227967"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=227966"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=227966"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=227966"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}