01 July 2026
Reference: CVE-2026-33017
1. What is being reported?
The vulnerability affects Langflow versions before 1.9.0. It allows anyone to send specially crafted data to a particular part of the software without needing to log in. This data can include harmful Python code that the system will run without restrictions, giving attackers control over the affected system.
2. What this means in plain English
If your organisation uses Langflow and has not updated to the fixed version, attackers could take over parts of your system remotely. This could lead to loss of data, unauthorised use of your computers, or other serious problems.
3. Could this affect a small business?
Small businesses or charities using Langflow for AI workflows and who have not updated to version 1.9.0 or later could be at risk. Organisations not using Langflow are not affected by this issue.
4. What to do now
- Check if your organisation uses Langflow software for AI workflows.
- If you do, confirm the version is 1.9.0 or later; if not, plan to update immediately.
- Ask your IT provider to verify that no unauthorised access or unusual activity has occurred.
- Consider restricting network access to Langflow endpoints until the update is applied.
5. Ask your IT provider
Can you confirm whether our Langflow software is updated to version 1.9.0 or later to protect against the recent remote code execution vulnerability?
6. Bottom line
Update Langflow to the latest version promptly to prevent attackers from running harmful code on your systems.
Information based on CISA KEV, NVD, and reputable security reporting.