Unauthenticated RCE in Langflow build_public_tmp endpoint
Langflow contains an unauthenticated remote code execution vulnerability in the public flow build endpoint, POST /api/v1/build_public_tmp/{flow_id}/flow, affecting versions prior to 1.9.0. The endpoint is intentionally reachable without authentication for public flows, but when the optional data parameter is supplied it accepts attacker-controlled flow definitions instead of using the persisted flow data from the database. Those flow definitions can include arbitrary Python code in node definitions, and that code is passed to exec() without sandboxing or isolation. As a result, a remote attacker can send a single crafted POST request and cause arbitrary Python code to execute in the context of the Langflow server process. The issue is distinct from CVE-2025-3248, which involved /api/v1/validate/code; here the root cause is unsafe execution of attacker-supplied flow data on an endpoint that remains unauthenticated by design for public flows.
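The request sequence the exploit write-ups below automate (a GET to /api/v1/auto_login, a POST to /api/v1/flows/ that creates a public flow, then a POST to the public build endpoint) shows up plainly in reverse-proxy access logs. The detector below is an added example, not code from this page or from Langflow; it scans constructed combined-format log lines and flags the chain, and the log format, client addresses, flow UUIDs and five-minute window are all assumptions.

```python
"""Flag the CVE-2026-33017 exploitation chain in HTTP access logs.

Assumptions (not from the advisory): a reverse proxy in front of Langflow
writes combined-format access logs; the sample lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoints named in the advisory; the flow UUID in the build path is generic.
BUILD_RE = re.compile(r"^/api/v1/build_public_tmp/[0-9a-fA-F-]{36}/flow/?$")
AUTO_LOGIN = "/api/v1/auto_login"
FLOWS_CREATE = "/api/v1/flows/"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one client performs the full chain, one client only
# probes the version endpoint, one client hits the build endpoint in isolation.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2026:10:00:01 +0000] "GET /api/v1/auto_login HTTP/1.1" 200 412
203.0.113.5 - - [12/Mar/2026:10:00:02 +0000] "POST /api/v1/flows/ HTTP/1.1" 201 1893
203.0.113.5 - - [12/Mar/2026:10:00:03 +0000] "POST /api/v1/build_public_tmp/0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b/flow HTTP/1.1" 200 64
198.51.100.7 - - [12/Mar/2026:10:02:10 +0000] "GET /api/v1/version HTTP/1.1" 200 58
192.0.2.9 - - [12/Mar/2026:10:05:00 +0000] "POST /api/v1/build_public_tmp/7b6c5d4e-3f2a-1b0c-9d8e-7f6a5b4c3d2e/flow HTTP/1.1" 200 64
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore any query string
    return rec


def analyze(lines, window=timedelta(minutes=5)):
    """Return findings for every POST to the public build endpoint.

    Severity is 'high' when the same client hit auto_login and created a flow
    within `window` beforehand (the full unauthenticated chain), else 'medium':
    on a patched server the request is harmless, on <1.9.0 it may carry code.
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_ip[rec["ip"]].append(rec)

    findings = []
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, r in enumerate(recs):
            if r["method"] != "POST" or not BUILD_RE.match(r["path"]):
                continue
            earlier = [e for e in recs[:i] if r["ts"] - e["ts"] <= window]
            saw_login = any(e["path"] == AUTO_LOGIN for e in earlier)
            saw_create = any(e["method"] == "POST" and e["path"] == FLOWS_CREATE
                             for e in earlier)
            if saw_login and saw_create:
                sev, why = "high", "auto_login -> flow creation -> public build"
            else:
                sev, why = "medium", "POST to public build endpoint"
            findings.append({"ts": r["ts"], "client": ip, "severity": sev,
                             "path": r["path"], "reason": why})
    findings.sort(key=lambda f: f["ts"])
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f"{f['ts'].isoformat()} {f['severity']:6} {f['client']:14} {f['reason']}")
```

Request bodies are not in combined logs, so the rule keys on the path and the preceding chain; a proxy that logs request sizes can additionally flag unusually large bodies on this endpoint.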
Exploits
14 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (3 hidden).
This repository is a small, focused proof-of-concept exploit for CVE-2026-33017 affecting Langflow. It contains three files: a Python exploit script, a Dockerfile that builds a vulnerable Langflow 1.8.2 environment, and a README describing the vulnerability, attack chain, and usage. The main exploit file is CVE-2026-33017_POC.py, which uses the requests library and argparse for CLI handling. Exploit flow: the script accepts a target base URL and an arbitrary command. It first calls GET /api/v1/auto_login to obtain an access token without credentials, updates the session with an Authorization bearer token, and creates a PUBLIC flow via POST /api/v1/flows/. It then crafts a malicious flow definition containing a CustomComponent node whose code field embeds Python that executes __import__('os').system(command) at module evaluation time. The script submits this payload to POST /api/v1/build_public_tmp/{flowID}/flow, which is the vulnerable execution point. If requested with -d/--delete, it removes the created flow via DELETE /api/v1/flows/{flowID}. Main capability: unauthenticated remote code execution against vulnerable Langflow instances, with attacker-controlled OS command execution on the server. Secondary capability: cleanup of artifacts by deleting the temporary flow. The exploit is operational rather than just demonstrative because it performs the full attack chain end-to-end and supports arbitrary command input, but it does not include a more advanced staged payload or framework integration. The Dockerfile is intended for local reproduction/testing: it installs uv, creates a virtual environment, installs langflow==1.8.2, exposes port 7860, and runs Langflow bound to 0.0.0.0:7860. The README confirms affected versions (<= 1.8.2), fixed version (>= 1.9.0), required condition (auto-login enabled), and documents the exact endpoints and payload behavior. 
Overall, this is a genuine web/network exploit repository targeting Langflow's unsafe server-side evaluation of CustomComponent code combined with insecure auto-login behavior.
This repository is a small standalone Python proof-of-concept exploit for CVE-2026-33017 targeting Langflow <= 1.8.1. The repo contains one executable script (CVE-2026-33017.py), a README with usage instructions and a demo, and an MIT license. The exploit is not part of a larger framework. The script performs a full unauthenticated exploitation chain over HTTP(S): it normalizes a target URL (defaulting to http and port 7860), requests an access token from /api/v1/auto_login, uses that token to create a PUBLIC flow through /api/v1/flows/, and then submits a crafted node payload to /api/v1/build_public_tmp/{flow_id}/flow. The malicious payload injects Python code into a Langflow component template, which calls os.system() to execute a bash reverse shell command. That command connects back to the attacker-supplied --lhost and --lport using bash /dev/tcp redirection. Exploit capability is remote unauthenticated code execution with an interactive reverse shell if outbound connectivity is allowed from the target. The payload is basic but functional and operator-supplied via command-line arguments, making this more than a pure detection script but still a straightforward PoC/operational exploit rather than a heavily weaponized tool. The code includes minimal error handling, uses requests.Session for stateful HTTP interaction, and treats a timeout during the final request as a likely success condition because the reverse shell may block the HTTP response.
This repository is not a standalone exploit script but an intentionally vulnerable pentest lab named FlowBreaker. Its purpose is to emulate exploitation of CVE-2026-33017 against Langflow <= 1.8.1. The structure is small and clear: docker-compose.yml orchestrates three services; nginx/ contains a reverse proxy that routes langflow.hack to a benign landing page and dev.langflow.hack to the vulnerable Langflow backend; langflow/ builds the vulnerable container and adds post-exploitation paths; landing/ provides a decoy corporate website; scripts/ contains setup and reset automation. Main exploit capability: the lab exposes a web attack surface on dev.langflow.hack that proxies to Langflow 1.8.1 with LANGFLOW_AUTO_LOGIN=true, explicitly described as enabling unauthenticated RCE. Although no exploit code is included, the environment is designed so that successful RCE yields code execution as www-data inside the container. From there, the attacker can discover /opt/webapp/credentials.bak, access the generated user flag in /home/spydomain/user.txt, and use the configured SSH service on port 22 for lateral movement to the spydomain account. The container further grants CAP_SETUID to python3 binaries, enabling straightforward local privilege escalation to root and access to /root/root.txt. Notable implementation details: nginx blocks docs/admin/login/settings paths on the dev host, rewrites external links, and applies a CSP while still proxying the vulnerable app. The Langflow container installs utilities such as curl, netcat, socat, sqlite3, vim, and openssh-server, creates user spydomain with a known password, stores a credential backup hash, and starts sshd alongside Langflow. The entrypoint dynamically generates flags, ensures writable temp directories and SQLite DB paths, reapplies Python capabilities, and launches Langflow as www-data. 
Overall, this is an operational lab environment for practicing initial web exploitation, local enumeration, credential discovery, SSH pivoting, and privilege escalation rather than a repository containing the exploit implementation itself.
This repository is a self-contained pentest lab plus exploit PoC for CVE-2026-33017, an unauthenticated remote code execution flaw in Langflow <= 1.8.1. The repo is not part of a major exploit framework. Its main exploit logic is in poc.py, while the rest of the repository builds a Dockerized target environment that intentionally exposes a vulnerable Langflow instance behind nginx. Repository structure: poc.py is the primary exploit script; README.md, poc.txt, machine-info.md, and cve_2026_33017_analysis.md document the attack chain and vulnerability mechanics; docker-compose.yml orchestrates three services (nginx reverse proxy, vulnerable Langflow, and a landing page); langflow/Dockerfile and langflow/entrypoint.sh create the intentionally vulnerable host with SSH access, credential artifacts, and a privilege-escalation path; nginx/nginx.conf implements host-based routing between langflow.hack and dev.langflow.hack; landing/ contains a decoy corporate site with a hidden comment disclosing the dev subdomain; scripts/setup.sh and scripts/reset.sh build/reset the lab. Exploit capability: poc.py automates token acquisition via /api/v1/auto_login, enumerates existing flows or creates a new PUBLIC flow via /api/v1/flows/, then crafts malicious flow JSON containing a CustomComponent whose code field includes top-level Python execution. The payload uses `__import__('os').system(...)` so arbitrary shell commands run when the vulnerable backend processes the supplied flow data. The script supports single or multiple targets, threading, optional cleanup, and custom commands. This is a real exploit, not just a detector. Targeting and attack path: the intended target is Langflow 1.8.1 at dev.langflow.hack. The vulnerability is centered on the public flow build endpoint `/api/v1/build_public_tmp/{flow_id}/flow`, which improperly accepts attacker-controlled nested `data` and executes embedded Python during graph preparation. 
In the lab, successful exploitation yields code execution as www-data. Post-exploitation artifacts intentionally present in the container include `/opt/webapp/credentials.bak` or a referenced database backup for recovering the spydomain account, SSH access, and CAP_SETUID on python3 for root escalation. Notable endpoints and observables include the domains langflow.hack and dev.langflow.hack, Langflow API paths under /api/v1/, internal service port 7860, HTTP port 80, SSH-related configuration, and local file paths used for flags, credentials, and the SQLite database.
Small standalone Python exploit repository for CVE-2026-33017 targeting Langflow. The repo contains only three files: a .gitignore, a detailed README, and a single executable script exploit.py. The exploit is not part of a larger framework. The Python script is the clear entry point and implements end-to-end exploitation logic rather than just detection. Core purpose: exploit an unauthenticated code-injection/RCE flaw in Langflow’s public temporary flow build API. The script constructs a malicious flow payload with a CustomComponent node whose code field contains attacker-supplied Python. When submitted to POST /api/v1/build_public_tmp/{flow_id}/flow, the target compiles the graph and executes the embedded Python via exec(), yielding code execution in the server process. Capabilities visible from the README and script content include: target version probing via /api/v1/version, discovery of exploitable/public flows, optional abuse of AUTO_LOGIN to obtain a token and promote a private flow to PUBLIC, blind command execution, output exfiltration through attacker-controlled HTTP GET or POST callbacks, reverse shell support, loading arbitrary Python from a local payload file, and multithreaded bulk scanning from a targets file. The script also supports proxying through Burp and includes CLI handling, colored terminal output, and response handling for common HTTP statuses. Operationally, this is more than a proof-of-concept because it includes practical payload delivery and post-exploitation options, but it is still a standalone script with hardcoded exploit logic rather than a reusable framework module. No obvious destructive fake-exploit behavior is present. The main fingerprintable target endpoint is /api/v1/build_public_tmp/{flow_id}/flow, with /api/v1/version used for reconnaissance. The README also documents example attacker infrastructure endpoints and local files used for payloads and scanning.
This repository is a small standalone Python proof-of-concept exploit for CVE-2026-33017 affecting Langflow <= 1.8.1. The repository contains one executable script (CVE-2026-33017.py), a README with usage/example output, and an MIT license. The exploit is not part of a larger framework. The script performs a full unauthenticated exploitation chain over HTTP: it normalizes the target URL, requests an access token from /api/v1/auto_login, uses that token to create a PUBLIC flow via /api/v1/flows/, then submits a crafted node payload to /api/v1/build_public_tmp/{flow_id}/flow. The payload injects Python code into a component template field so that os.system() executes a bash reverse shell command. The reverse shell connects back to the attacker-supplied --lhost and --lport using bash /dev/tcp redirection. Structurally, the exploit is straightforward and operational: helper functions handle URL parsing and endpoint joining, dedicated functions implement token retrieval, flow creation, and exploitation, and main() wires CLI arguments to the attack flow. The exploit includes a hardcoded reverse-shell payload rather than a flexible payload framework, so it is best classified as OPERATIONAL rather than weaponized. The code clearly targets remote network/web exposure of Langflow's API and is intended to achieve immediate remote code execution with shell access on vulnerable instances.
This repository is a small standalone exploit project with 2 files: a README and a single Python script, exploit.py, which is the operational entry point. The exploit targets CVE-2026-33017 in Langflow, an unauthenticated remote code execution issue caused by attacker-controlled flow data being compiled and executed through Python exec() when submitted to the build_public_tmp flow-building API. The Python script is a CLI exploit tool rather than a simple detector. Based on the provided content and README, it performs several stages: target version probing via /api/v1/version, flow discovery, optional AUTO_LOGIN abuse to obtain a token and promote a private flow to PUBLIC, malicious flow construction, and delivery of that flow to POST /api/v1/build_public_tmp/{flow_id}/flow. The payload is embedded in a crafted Langflow CustomComponent node, specifically in the code field, so that attacker Python executes at module scope during graph compilation. Capabilities include: vulnerability checking, blind command execution, arbitrary Python execution from a local payload file, output exfiltration to attacker infrastructure via HTTP GET or POST callbacks, reverse shell support, proxy support, and multithreaded bulk scanning from a targets file. The exploit is therefore operational and more capable than a bare proof of concept, but it is still a standalone script rather than a framework-integrated weaponized module. Fingerprintable targets and infrastructure visible in the repository include the vulnerable Langflow endpoint POST /api/v1/build_public_tmp/{flow_id}/flow, the version endpoint /api/v1/version, example target hosts on port 7860, attacker callback/listener URLs on port 8080, and a reverse shell listener on port 4444. The README also references sensitive file access such as /etc/shadow to illustrate post-exploitation impact. 
Overall, the repository's purpose is to provide an end-to-end exploit for unauthenticated RCE against vulnerable Langflow deployments, including reconnaissance, exploitation, optional escalation of access within the application workflow via AUTO_LOGIN flow promotion, and multiple post-exploitation output channels.
This repository is a small standalone Python proof-of-concept exploit for CVE-2026-33017 affecting Langflow, with only three files: the exploit script, a README, and a license. The main file, CVE-2026-33017.py, uses requests and argparse to automate exploitation over HTTP. It normalizes a target URL, defaults to port 7860, retrieves an access token from /api/v1/auto_login, creates a PUBLIC flow through /api/v1/flows/, and then submits a crafted node payload to /api/v1/build_public_tmp/{flow_id}/flow. The payload injects Python code into a Langflow component template so that os.system executes a bash reverse shell command back to the attacker. The exploit is operational rather than a simple detector because it delivers a working payload and aims to obtain interactive shell access. The README confirms intended targeting of Langflow <= 1.8.1 and demonstrates usage against a Dockerized instance with a netcat listener. No framework affiliation is present; this is a direct standalone exploit script.
This repository is a compact two-file exploit PoC for CVE-2026-33017 in Langflow. The README documents the vulnerability: the public build endpoint /api/v1/build_public_tmp/{flow_id}/flow improperly accepted attacker-supplied flow data, allowing malicious CustomComponent Python code to be compiled/executed during flow build. The only code file, exploit.py, is a standalone Python exploit that automates targeting and payload delivery. Repository structure is minimal: README.md provides vulnerability background, affected versions, patch behavior, and screenshots; exploit.py contains the full exploit workflow. The script first determines a local IP address, starts a TCP listener on 0.0.0.0:4444 by default, and constructs a base64-wrapped bash reverse shell command. It then targets the Langflow instance supplied via --url. If a flow ID is not provided, it attempts to obtain a token from /api/v1/auto_login, enumerate PUBLIC flows via /api/v1/flows/, and if necessary create a new PUBLIC flow via the same API. Finally, it POSTs a crafted flow definition to /api/v1/build_public_tmp/{flow_id}/flow. The exploit capability is true RCE, not just detection. The payload is embedded as Python source in a malicious CustomComponent template. That code imports os and immediately executes os.system(command) during component handling/build, before any normal flow execution is needed. The command launches a reverse shell back to the attacker. The script also includes a simple interactive shell handler that pipes socket data to stdout and stdin back to the remote shell. Overall, this is an operational PoC exploit for vulnerable Langflow deployments, focused on exploiting unsafe handling of externally supplied public-flow data to achieve server-side code execution and an interactive reverse shell.
This repository is a small standalone proof-of-concept exploit consisting of one Python script and one README. The main file, CVE-2026-33017.py, targets Langflow and automates exploitation of CVE-2026-33017 by chaining three API interactions: it first requests an access token from /api/v1/auto_login, then creates a PUBLIC flow via /api/v1/flows/, and finally submits a crafted flow definition to /api/v1/build_public_tmp/{flow_id}/flow. The malicious flow embeds attacker-controlled Python source code inside a CustomComponent template, relying on the vulnerable server behavior to exec() that code during flow build processing. The exploit is operational rather than a mere detector: it delivers executable Python payload code to the target. The included payload is a verification payload, not a full shell, but it demonstrates arbitrary code execution by running the id command, collecting the hostname, and writing the result to /tmp/PoC_RCE on the target container/server. Because the payload is embedded as a Python string, it could be modified for broader post-exploitation actions. Repository structure is minimal: README.md documents the vulnerability, affected endpoint, usage, and references; CVE-2026-33017.py is the only code file and clear entry point. No framework affiliation is evident. The attack vector is remote web/network exploitation against exposed Langflow HTTP API endpoints. The exploit assumes the target is vulnerable and that the auto-login and public flow creation/build workflow is accessible as implemented by the affected Langflow version.
This repository is a small, self-contained lab for reproducing CVE-2026-33017 against Langflow. It contains 5 files: documentation (README.md), environment orchestration (docker-compose.yml), a vulnerable image definition (vuln/Dockerfile), and the main exploit proof-of-concept (poc/poc.py). The Docker setup launches an official Langflow 1.8.1 image with LANGFLOW_AUTO_LOGIN enabled and exposes it locally on port 7861. The main exploit logic is in poc/poc.py. The script performs a full exploitation workflow over HTTP: it waits for the target to become ready by querying /api/v1/version, obtains a token from /api/v1/auto_login, creates a PUBLIC flow via /api/v1/flows/, then submits a crafted flow payload containing attacker-controlled Python code as a custom component. That code is designed as a least-harm proof payload: it executes local commands (id, whoami), gathers runtime metadata (hostname, cwd, Python version), and returns the results in a Langflow Data object. The script then starts the public build process, receives a job_id, polls the build events API, and parses the returned event data to recover the proof object. Raw event output is also written to the artifacts directory for debugging. The exploit capability demonstrated is unauthenticated remote code execution in the target Langflow server context, contingent on the exposed public build path and auto-login behavior. This is not merely a detector: it actively causes server-side execution of supplied Python code and retrieves the results through the application’s own API. The payload is basic and hardcoded for proof, with no persistence, shell, or callback behavior, so the maturity is best classified as OPERATIONAL rather than weaponized. Repository purpose: provide a reproducible local lab and PoC for validating vulnerable behavior in Langflow 1.8.1 using real upstream artifacts only. The structure is minimal and focused on reproduction, observation, and documentation rather than post-exploitation.
This repository is a small standalone Python exploit PoC consisting of one exploit script and one README. The main file, CTTSovereign_RCE_33017.py, is a command-line tool that accepts a target URL, a flow_id, and an arbitrary command to execute. Despite extensive pseudo-scientific terminology, the practical behavior is straightforward: it builds a JSON object containing attacker-controlled code and attempts to send it to a Langflow API endpoint associated with public temporary flow building. The injected payload is Python code of the form `import os; os.system('<command>')`, indicating the exploit’s goal is unauthenticated remote command execution. The script uses the requests library, creates a persistent session, and explicitly disables TLS certificate verification and related warnings. It includes helper methods to derive a so-called resonant phase from the provided flow_id, but this appears to be cosmetic or obfuscatory logic used to populate metadata fields in the JSON payload rather than a necessary exploitation primitive. The core exploit capability is the generation of a malicious `data.nodes[0].data.code` field intended to reach a server-side exec sink. Repository structure is minimal: README.md describes the target as Langflow 1.8.1 or earlier and names CVE-2026-33017, while the Python script implements the actual exploit flow. Based on the available content, this is not a framework module and not merely a detector; it is an operational PoC for network-based RCE against a remotely exposed Langflow instance, contingent on the claimed vulnerable endpoint being present and unauthenticated.
This repository is a small standalone Python proof-of-concept exploit for CVE-2026-33017 affecting Langflow 1.8.1 and earlier. The repository contains one code file (cve-2026-33017.py), a README describing the vulnerability and usage, a license, and a standard Python .gitignore. The exploit targets Langflow's public flow build functionality. Its core behavior is to send a crafted POST request to /api/v1/build_public_tmp/{flow_id}/flow with attacker-controlled flow data. Inside that JSON, the script places arbitrary Python source into a node template field named 'code'. Per the README and exploit logic, this code is later executed by the target application, resulting in remote code execution. The script supports two main modes: arbitrary command execution and reverse shell delivery. In command mode, it wraps a user-supplied command in Python code that calls os.system(). In reverse-shell mode, it injects Python that runs a bash one-liner using /dev/tcp/<lhost>/<lport> to connect back to the attacker. The payload also includes minimal Langflow component class definitions so the malicious node appears structurally valid to the target. There are three main functions in the exploit flow. create_flow() builds a base URL, requests /api/v1/auto_login to obtain an access token, then uses that token to POST to /api/v1/flows/ and create a new PUBLIC flow. exploit() sends the malicious build request to the vulnerable build_public_tmp endpoint. run_reverse_shell() prepares the reverse-shell payload and passes it to exploit(). The main() function parses CLI arguments and decides whether to create a flow automatically or use a provided flow ID. Notable implementation details: the script defaults to HTTP on port 7860, uses requests.Session(), and assumes AUTO_LOGIN may be enabled to bootstrap exploitation without prior credentials. The README states that if a public flow UUID is already known, authentication is unnecessary; otherwise, AUTO_LOGIN can be abused to create one. 
There is a minor coding bug where the script checks args.flow_id but then assigns flow_id = args.id, which may break the user-supplied flow ID path. Despite that, the repository is clearly a real exploit PoC rather than a detector or fake sample.
Repository contains a Python proof-of-concept exploit and a README documenting CVE-2026-33017, an unauthenticated RCE in Langflow <= 1.8.1. The main file, poc.py, is a standalone Python script that targets the public flow build functionality. It supports single-target and bulk modes, multithreaded execution, optional cleanup, and two exploitation paths: obtaining an anonymous JWT through /api/v1/auto_login to create or discover a PUBLIC flow, or directly using a known public flow UUID. The exploit constructs attacker-controlled flow JSON containing a CustomComponent whose `code` field embeds Python that executes `os.system()` at module scope during graph compilation. It then submits this payload to POST /api/v1/build_public_tmp/{flow_id}/flow to trigger execution. The script also includes helper logic to list flows, create a PUBLIC flow, patch flow visibility, and delete the flow afterward. The README explains the vulnerable call chain inside Langflow, usage examples, and callback-based exfiltration methods because command output is not returned in the HTTP response. Overall, this is a real operational PoC for unauthenticated network-based RCE, not merely a detector, with customizable command execution but no advanced framework integration.
Recent activity
A Langflow vulnerability that both of the tracked operators targeted with multiple CVE-themed exploit probes.
Another Langflow vulnerability referenced as having seen exploitation activity this year, but no further technical details are provided in the content.
Another Langflow vulnerability referenced as having seen similar targeting activity earlier in the year.
An unauthenticated remote code execution vulnerability in Langflow that was rapidly exploited after disclosure and affected all confirmed hosts in the researchers' scan.