Free practical cybersecurity guidance for organisations without a security team.
hello@actionsoncyber.com
← Back to Vulnerability Briefs

Critical Security Flaw in Langflow AI Tool Allows Remote Code Execution

A serious security flaw has been found in Langflow, a tool used to build AI-powered workflows. This flaw lets attackers run harmful code on systems using vulnerable versions, potentially leading to data theft or system misuse. Small organisations using Langflow should act quickly to protect themselves.

01 July 2026

Reference: CVE-2026-33017

1. What is being reported?

The vulnerability affects Langflow versions before 1.9.0. It allows anyone to send specially crafted data to a particular part of the software without needing to log in. This data can include harmful Python code that the system will run without restrictions, giving attackers control over the affected system.

2. What this means in plain English

If your organisation uses Langflow and has not updated to the fixed version, attackers could take over parts of your system remotely. This could lead to loss of data, unauthorised use of your computers, or other serious problems.

3. Could this affect a small business?

Small businesses or charities using Langflow for AI workflows and who have not updated to version 1.9.0 or later could be at risk. Organisations not using Langflow are not affected by this issue.

4. What to do now

  • Check if your organisation uses Langflow software for AI workflows.
  • If you do, confirm the version is 1.9.0 or later; if not, plan to update immediately.
  • Ask your IT provider to verify that no unauthorised access or unusual activity has occurred.
  • Consider restricting network access to Langflow endpoints until the update is applied.

5. Ask your IT provider

Can you confirm whether our Langflow software is updated to version 1.9.0 or later to protect against the recent remote code execution vulnerability?

6. Bottom line

Update Langflow to the latest version promptly to prevent attackers from running harmful code on your systems.

Information based on CISA KEV, NVD, and reputable security reporting.

Back to Vulnerability Briefs