// Hacker Noon · 26 March 2026
CVE-2026-33017: Unauthenticated RCE in Langflow’s Public Flow Endpoint Explained
Langflow fixed an unauthenticated RCE (CVE-2025-3248) by adding auth to /api/v1/validate/code. But the public flow build endpoint (/api/v1/build_public_tmp) accepts the same attacker-controlled code through a different path and feeds it to the same unsandboxed exec(). One curl request, no credential...
@hacker-noon · aviral srivastava

hackernoon.com