A critical vulnerability in Langflow, a tool for building agentic AI workflows, has been added to the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities catalog. The flaw, tracked as CVE-2026-33017, carries a CVSS score of 9.3 and affects Langflow versions prior to v1.9.0, allowing attackers to execute arbitrary code without authentication. This vulnerability is considered high-risk due to its potential for exploitation, with CISA actively discussing its status [1]. The fact that CVE-2026-33017 is being closely monitored by CISA indicates that its exploitation status could escalate to a patch-now situation. As a result, practitioners should prioritize reviewing their Langflow deployments and applying the necessary updates to prevent potential attacks. The addition of this vulnerability to the KEV catalog highlights the importance of staying up-to-date with the latest security patches, especially for widely used tools like Langflow.
U.S. CISA adds a Langflow flaw to its Known Exploited Vulnerabilities catalog
⚡ High Priority
Why This Matters
CVE-2026-33017 is in active discussion involving CISA — exploitation status determines whether this is patch-now or monitor.
References
- SecurityAffairs. (2026, March 26). U.S. CISA adds a Langflow flaw to its Known Exploited Vulnerabilities catalog. *SecurityAffairs*. https://securityaffairs.com/190018/security/u-s-cisa-adds-a-langflow-flaw-to-its-known-exploited-vulnerabilities-catalog.html
Original Source
SecurityAffairs