
Langflow CVE-2026-33017: CISA KEV April 8 Deadline

CISA added Langflow CVE-2026-33017 to the KEV catalog, confirming active exploitation and setting an April 8 patch deadline for federal agencies.

April 3, 2026 · 3 min read · By Andres · Updated April 3, 2026

Federal agencies have until April 8 to patch a critical vulnerability in Langflow — one of the most popular no-code AI workflow platforms on the market. If you're running it, that deadline applies to you too.

TL;DR: CVE-2026-33017 is a critical Langflow vulnerability that lets an attacker run any code they want on your server — no login required. CISA added it to their Known Exploited Vulnerabilities catalog, meaning it's being actively exploited right now. The fix is straightforward: upgrade to Langflow 1.9.0 or later. If you can't upgrade immediately, disable the auto_login feature.

What's Happening

Langflow versions 1.8.1 and below have a flaw in how they handle something called the auto_login endpoint. Here's the thing — auto_login is turned on by default. That means out of the box, no authentication stands between an attacker and your server.

The attack works like this: an attacker sends a request to a public-facing endpoint, gets handed a superuser token automatically, creates a workflow, and executes arbitrary code on your machine. No password. No phishing. No social engineering. Just a direct path from the internet to full control of your server.

CISA — the federal agency responsible for cybersecurity across the U.S. government — added this to their Known Exploited Vulnerabilities catalog on March 26. That catalog isn't theoretical. It means someone is already using this in the wild.

Why It Matters

Langflow sits in the same category as n8n, Make, and other visual AI workflow builders that non-developers use to automate tasks. If you've set up AI automations without writing code, there's a decent chance you're running something architecturally similar. The auto_login pattern — where convenience beats security by default — isn't unique to Langflow. It's the design philosophy across most no-code AI tools.

So even if you're not running Langflow specifically, this is the pattern to watch: default settings that trade your security for easier onboarding.

What To Do Right Now

  1. Check your version. If you're running Langflow 1.8.1 or below, you're exposed.
  2. Upgrade to 1.9.0 or later. This is the patch. One command, done.
  3. If you can't upgrade today — disable auto_login in your configuration immediately. That closes the unauthenticated path.
  4. Audit your other no-code AI tools. Look for auto_login or similar default-on convenience features. If a tool lets anyone access admin functions without authentication out of the box, that's the same class of risk.
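The four steps above amount to two questions a defender can answer from the host itself: is the installed version at or below 1.8.1, and is auto_login still on? The following Python script is an added example, not code from the post or from the Langflow project. It uses only the facts the post states (1.8.1 and below affected, 1.9.0 fixed, auto_login on by default). It reads the LANGFLOW_AUTO_LOGIN environment variable, which is Langflow's documented setting name; treating that variable as the only place auto_login is configured is this script's assumption, so if you set it elsewhere (a .env file the server loads, a container spec), pass those values in the env argument.

```python
"""Added example: assess a Langflow host against CVE-2026-33017.

Facts from the post: versions 1.8.1 and below are affected, 1.9.0 is the
fix, and auto_login (on by default) is the unauthenticated path.
Assumption: auto_login is controlled by the LANGFLOW_AUTO_LOGIN
environment variable and nothing else.
"""
import os
import re
from importlib import metadata

FIXED_VERSION = (1, 9, 0, 0)      # first patched release per the post
AUTO_LOGIN_VAR = "LANGFLOW_AUTO_LOGIN"


def parse_version(text):
    """Turn '1.8.1', 'v1.10.2' or '1.9.0rc1' into a comparable tuple.

    The fourth element is -1 for any pre-release suffix, so that
    1.9.0rc1 sorts below 1.9.0 and is still counted as unpatched.
    """
    m = re.fullmatch(r"v?(\d+)\.(\d+)(?:\.(\d+))?(.*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    pre = -1 if suffix else 0
    return (int(major), int(minor), int(patch or 0), pre)


def is_vulnerable(version):
    """True for 1.8.1 and below (and any pre-release of 1.9.0)."""
    return parse_version(version) < FIXED_VERSION


def auto_login_enabled(env):
    """Langflow defaults auto_login to on, so an unset variable counts as
    enabled. Only an explicit false-like value counts as disabled."""
    raw = env.get(AUTO_LOGIN_VAR)
    if raw is None:
        return True
    return raw.strip().lower() not in {"0", "false", "no", "off"}


def installed_langflow_version():
    """Version of the langflow package in this Python environment, or None."""
    try:
        return metadata.version("langflow")
    except metadata.PackageNotFoundError:
        return None


def assess(version, env):
    """Combine the two checks into a verdict and the action the post recommends."""
    vulnerable = is_vulnerable(version)
    auto_login = auto_login_enabled(env)
    if not vulnerable:
        verdict = "patched"
        action = "no action needed for CVE-2026-33017"
    elif auto_login:
        verdict = "exploitable"
        action = ("upgrade to 1.9.0 or later now; until then set "
                  f"{AUTO_LOGIN_VAR}=false and restart Langflow")
    else:
        verdict = "vulnerable-mitigated"
        action = "auto_login is off, but still upgrade to 1.9.0 or later"
    return {
        "version": version,
        "vulnerable": vulnerable,
        "auto_login": auto_login,
        "verdict": verdict,
        "action": action,
    }


if __name__ == "__main__":
    found = installed_langflow_version()
    if found is None:
        print("langflow is not installed in this Python environment")
    else:
        for key, value in assess(found, os.environ).items():
            print(f"{key}: {value}")
```

Run it with the same interpreter and environment that starts the Langflow server; a check run from a different virtualenv or shell will report on the wrong package and the wrong settings. The "vulnerable-mitigated" verdict exists because disabling auto_login is the stopgap from step 3, not the fix from step 2.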

Key Takeaways

  • CVE-2026-33017 allows unauthenticated remote code execution on Langflow servers version 1.8.1 and below.
  • CISA's Known Exploited Vulnerabilities listing confirms active exploitation — this is not theoretical.
  • The federal patch deadline is April 8, 2026 — five days from now.
  • The auto_login feature is enabled by default, meaning unpatched Langflow installations are exploitable without any user misconfiguration.
  • The "convenience by default" design pattern applies across most no-code AI workflow platforms — Langflow is the example, not the exception.
