CVE-2026-33017: Langflow Code Injection Vulnerability
Detects exploitation of CVE-2026-33017, a code injection vulnerability in Langflow that allows unauthenticated or low-privileged attackers to execute arbitrary code via the Langflow API. The vulnerability stems from improper input validation (CWE-94/CWE-95) combined with missing authentication controls (CWE-306), enabling remote code execution against Langflow instances. This CVE is on the CISA KEV list, indicating active exploitation in the wild.
Vulnerability Intelligence
KEV — Known ExploitedAffected Software
- Vendor
- Langflow
- Product
- Langflow
Timeline
- Disclosed
- March 25, 2026
CVSS
What is CVE-2026-33017 CVE-2026-33017: Langflow Code Injection Vulnerability?
CVE-2026-33017: Langflow Code Injection Vulnerability (CVE-2026-33017) maps to the Initial Access and Execution and Privilege Escalation tactics — the adversary is trying to get into your network in MITRE ATT&CK.
This page provides production-ready detection logic for CVE-2026-33017: Langflow Code Injection Vulnerability, covering the data sources and telemetry it touches: DeviceNetworkEvents, CommonSecurityLog, W3CIISLog, AzureDiagnostics. The queries below are rated critical severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
let LangflowPorts = dynamic([7860, 7861, 3000]);
let SuspiciousPaths = dynamic(["/api/v1/run", "/api/v1/process", "/api/v1/predict", "/api/v1/build"]);
let CodeInjectionPatterns = dynamic(["__import__", "exec(", "eval(", "os.system", "subprocess", "__builtins__", "compile(", "open(", "socket."]);
union DeviceNetworkEvents, CommonSecurityLog, W3CIISLog
| where TimeGenerated >= ago(24h)
| where (DestinationPort in (LangflowPorts) or cs-port in (LangflowPorts))
| where (cs-uri-stem has_any (SuspiciousPaths) or RequestURL has_any (SuspiciousPaths))
| extend RequestBody = coalesce(column_ifexists("RequestBody", ""), column_ifexists("cs-uri-query", ""))
| where RequestBody has_any (CodeInjectionPatterns)
| project TimeGenerated, SourceIP = coalesce(SourceIP, cIP, c-ip), DestinationIP = coalesce(DestinationIP, ""), RequestURL = coalesce(RequestURL, cs-uri-stem, ""), RequestBody, Method = coalesce(RequestMethod, cs-method, ""), StatusCode = coalesce(EventResultDetails, sc-status, "")
| extend RiskScore = case(
RequestBody has "__import__" and RequestBody has "os", 95,
RequestBody has "subprocess", 90,
RequestBody has "exec(" or RequestBody has "eval(", 85,
70)
| where RiskScore >= 70
| order by RiskScore descDetects HTTP requests to Langflow API endpoints containing Python code injection patterns indicative of CVE-2026-33017 exploitation. Monitors common Langflow ports and API paths for payloads using dangerous Python builtins.
Data Sources
Required Tables
False Positives
- Legitimate Langflow users submitting Python code components as part of normal workflow development
- Security researchers or penetration testers conducting authorized assessments against Langflow instances
- Automated integration tests that submit Python snippets to the Langflow API in a CI/CD pipeline
Sigma rule & cross-platform mapping
The detection logic for CVE-2026-33017: Langflow Code Injection Vulnerability (CVE-2026-33017) above is provided in a vendor-neutral
form so you can deploy it on any SIEM. The same logic is shipped here as native
KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the
following logsource:
logsource:
category: network_connection
product: windowsBrowse the community-maintained Sigma rules for this technique:
Platform-specific guides for CVE-2026-33017
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Langflow API Code Injection via /api/v1/run - OS Command Execution
Expected signal: Web server access log entry showing POST to /api/v1/run with a request body containing 'subprocess' and 'shell=True'. EDR should capture a child process (sh or bash) spawned by the Langflow Python/uvicorn process.
- Test 2Langflow Unauthenticated API Access Check - Missing Auth Bypass (CWE-306)
Expected signal: Web server access log showing a GET request to /api/v1/flows from an external IP with a 200 OK response and no Authorization header present.
- Test 3Langflow Code Injection via eval() - Python Builtin Abuse
Expected signal: HTTP POST request to /api/v1/process containing '__import__' and 'os.system' in the request body. File creation event for /tmp/pwned_cve_2026_33017.txt on the Langflow host. EDR should capture os.system call from the Python process.
- Test 4Langflow Reverse Shell Payload Simulation
Expected signal: Outbound TCP connection from the Langflow host to the attacker IP on port 4444. EDR process event showing /bin/sh spawned by uvicorn/gunicorn with stdin/stdout redirected to a socket. Network flow record of the connection in firewall or NDR logs.
Unlock Pro Content
Get the full detection package for CVE-2026-33017 including response playbook, investigation guide, and atomic red team tests.