Detect CVE-2026-33017: Langflow Code Injection Vulnerability in Splunk
Detects exploitation of CVE-2026-33017, a code injection vulnerability in Langflow that allows unauthenticated or low-privileged attackers to execute arbitrary code via the Langflow API. The vulnerability stems from improper input validation (CWE-94/CWE-95) combined with missing authentication controls (CWE-306), enabling remote code execution against Langflow instances. This CVE is on the CISA KEV list, indicating active exploitation in the wild.
MITRE ATT&CK
SPL Detection Query
index=web OR index=network OR index=proxy
(dest_port=7860 OR dest_port=7861 OR dest_port=3000)
(uri_path="/api/v1/run" OR uri_path="/api/v1/process" OR uri_path="/api/v1/predict" OR uri_path="/api/v1/build")
| eval request_body=coalesce(request_body, form_data, uri_query)
| search request_body IN ("*__import__*", "*exec(*", "*eval(*", "*os.system*", "*subprocess*", "*__builtins__*", "*compile(*", "*socket.*")
| eval risk_score=case(
match(request_body, "__import__.*os"), 95,
match(request_body, "subprocess"), 90,
match(request_body, "exec\\(|eval\\("), 85,
true(), 70)
| where risk_score >= 70
| stats count AS request_count, values(uri_path) AS endpoints, values(http_method) AS methods, max(risk_score) AS max_risk, earliest(_time) AS first_seen, latest(_time) AS last_seen BY src_ip, dest_ip
| where request_count >= 1
| eval severity=case(max_risk >= 90, "critical", max_risk >= 80, "high", true(), "medium")
| sort - max_riskDetects Langflow code injection attempts (CVE-2026-33017) by monitoring web/proxy logs for dangerous Python constructs in requests to Langflow API endpoints on standard Langflow ports.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legitimate developers building or testing Langflow flows that contain Python code components
- Authorized red team exercises targeting Langflow infrastructure
- Langflow's own internal health check or test scripts that use Python builtins
Other platforms for CVE-2026-33017
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Langflow API Code Injection via /api/v1/run - OS Command Execution
Expected signal: Web server access log entry showing POST to /api/v1/run with a request body containing 'subprocess' and 'shell=True'. EDR should capture a child process (sh or bash) spawned by the Langflow Python/uvicorn process.
- Test 2Langflow Unauthenticated API Access Check - Missing Auth Bypass (CWE-306)
Expected signal: Web server access log showing a GET request to /api/v1/flows from an external IP with a 200 OK response and no Authorization header present.
- Test 3Langflow Code Injection via eval() - Python Builtin Abuse
Expected signal: HTTP POST request to /api/v1/process containing '__import__' and 'os.system' in the request body. File creation event for /tmp/pwned_cve_2026_33017.txt on the Langflow host. EDR should capture os.system call from the Python process.
- Test 4Langflow Reverse Shell Payload Simulation
Expected signal: Outbound TCP connection from the Langflow host to the attacker IP on port 4444. EDR process event showing /bin/sh spawned by uvicorn/gunicorn with stdin/stdout redirected to a socket. Network flow record of the connection in firewall or NDR logs.
Unlock Pro Content
Get the full detection package for CVE-2026-33017 including response playbook, investigation guide, and atomic red team tests.