Langflow, the open-source visual framework used to build AI agents and RAG pipelines, contains a critical unauthenticated remote code execution vulnerability in its public flow build endpoint. Attackers began scanning the internet for vulnerable instances within 20 hours of public disclosure — before any public PoC code was available — and successfully exfiltrated data by hour 25.
The vulnerability affects POST /api/v1/build_public_tmp/{flow_id}/flow. The endpoint is intentionally unauthenticated to support public flows, but it accepts a caller-supplied data parameter containing arbitrary Python code in node definitions, which is passed directly to exec() with no sandboxing. A single HTTP request is sufficient for full remote code execution with no credentials required.
Attackers harvested OpenAI and Anthropic API keys from exposed Langflow instances, granting access to every LLM-backed workflow those instances serve. This is the second critical exec()-based RCE in Langflow in 12 months (cf. CVE-2025-3248, CVSS 9.8, on CISA KEV), indicating a systemic code-review gap in the framework's public endpoints.
Immediate recommendation: Upgrade to Langflow 1.9.0.dev8 or later; if you cannot upgrade immediately, block public internet access to the /api/v1/build_public_tmp/ endpoint at the network layer.
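To check whether the endpoint has been reached from outside, before or after blocking it, reverse-proxy access logs can be triaged for POST requests to the public build path. The following is an added example, not Langflow code: it assumes logs in common/combined format, and INTERNAL_NETS and the sample log lines are constructed placeholders.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: networks that are allowed to reach the endpoint; adjust to your site.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Common/combined log format: ip ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# /api/v1/build_public_tmp/{flow_id}/flow, optional trailing slash or query string
ENDPOINT_RE = re.compile(r'^/api/v1/build_public_tmp/[^/?#]+/flow/?(\?.*)?$')


def is_internal(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable client field: treat as external
    return any(ip in net for net in INTERNAL_NETS)


def external_build_requests(lines):
    """Map source IP -> [(timestamp, path, status)] for external POSTs to the endpoint."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not ENDPOINT_RE.match(m["path"]) or is_internal(m["ip"]):
            continue
        hits[m["ip"]].append((m["ts"], m["path"], int(m["status"])))
    return dict(hits)


# Constructed sample lines (documentation-range addresses, made-up flow ids).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2030:10:02:11 +0000] "POST /api/v1/build_public_tmp/flow-a/flow HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2030:10:02:15 +0000] "GET /api/v1/build_public_tmp/flow-a/flow HTTP/1.1" 405 31',
    '10.0.4.12 - - [01/Jan/2030:10:03:00 +0000] "POST /api/v1/build_public_tmp/flow-a/flow HTTP/1.1" 200 498',
    '198.51.100.23 - - [01/Jan/2030:10:05:42 +0000] "POST /api/v1/build_public_tmp/flow-b/flow?x=1 HTTP/1.1" 200 77',
    '198.51.100.23 - - [01/Jan/2030:10:05:50 +0000] "POST /api/v1/build_public_tmp/flow-b HTTP/1.1" 404 20',
    '203.0.113.7 - - [01/Jan/2030:10:06:01 +0000] "POST /api/v1/build_public_tmp/flow-a/flow/ HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, reqs in external_build_requests(SAMPLE_LOG).items():
        print(ip, len(reqs), "request(s), first seen", reqs[0][0])
```

Access logs do not record request bodies, so a hit shows only that the unauthenticated endpoint was reached from outside; any external hit on an unpatched instance warrants rotating the API keys that instance holds.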