Breachwire.riscent

Breach report

Langflow: one unauthenticated POST turns an AI workflow builder into a shell

PWA & Startup BreachesCritical (CVSS 9.4 / 9.8)CVE-2025-34291, CVE-2026-330172026-03
The bottom lineLangflow, an open-source AI agent workflow builder, shipped endpoints that execute attacker-supplied code without authentication — CVE-2025-34291 (CVSS 9.4) and CVE-2026-33017 (CVSS 9.8), the latter weaponized within 20 hours of disclosure to deploy Monero cryptominers on exposed servers.
Category
PWA & Startup Breaches
Type
CVE · Unauthenticated RCE (AI agent platform)
Date
2026-03
Severity
Critical (CVSS 9.4 / 9.8)
OWASP
LLM05 Improper Output Handling
CWE / CVE
CWE-94 CVE-2025-34291, CVE-2026-33017

What happened

Langflow is a widely-used open-source builder for AI agent workflows (140K+ GitHub stars). It shipped a series of critical remote-code-execution flaws rooted in endpoints that run user-supplied code. CVE-2025-34291 (CVSS 9.4) centers on /api/v1/validate/code: it uses exec() on submitted code, and default-argument and decorator expressions execute immediately on validation — combined with permissive CORS and a SameSite=None refresh cookie, it enabled account takeover and RCE. An earlier related flaw, CVE-2025-3248, required no authentication at all and was exploited in the wild to spread the Flodric botnet. CVE-2026-33017 (CVSS 9.8) is an unauthenticated RCE via the public flow-build endpoint (POST /api/v1/build_public_tmp/{flow_id}/flow) affecting versions up to and including 1.8.2; it was disclosed March 17, 2026, weaponized within 20 hours, and used to deploy a Go loader and an XMRig Monero cryptominer across exposed servers, with roughly 7,000 Langflow instances internet-accessible at the time.

Root cause

The platform executes code that arrives over the network with insufficient authentication and no sandboxing (CWE-94, code injection). A validation or build endpoint that runs attacker-controlled Python is a shell by design; when it also skips authentication, anyone who can reach the port owns the host. "The workflow runs" was satisfied; "untrusted input never reaches an interpreter, and every dangerous endpoint requires auth" was not.

How it would have been caught

A test that sends a crafted request to the code/flow endpoint without credentials carrying a benign payload (write a marker file, resolve DNS) and asserts the side effect did not occur — red against the vulnerable build. An authentication test asserting the endpoint rejects unauthenticated callers catches the missing gate. Both are one-request reproductions.

How to prevent it

  • Never execute user-supplied code without a real sandbox; strip default-arg/decorator execution paths and treat every model/flow input as untrusted.
  • Require authentication on every endpoint, deny by default, and fix CORS/cookie settings that enable cross-origin token theft.
  • Do not expose these platforms to the internet; front them with a VPN/firewall and patch immediately (Langflow 1.9.0+).

The Breachwire test (red → green)

Send an unauthenticated request to the code/flow-build endpoint with a payload that creates a marker file or makes an outbound DNS lookup, and confirm the side effect fires on the server — the RED proof of unauthenticated RCE. Upgrade to a patched version, add authentication and input sandboxing, then confirm the same request is rejected with no code execution, while legitimate authenticated flows still run.