U.S. CISA adds a Langflow flaw to its Known Exploited Vulnerabilities catalog
2026-3-26 21:5:1 Author: securityaffairs.com (view original) Views: 3

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a flaw in Langflow to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Langflow flaw, tracked as CVE-2026-33017 (CVSS score of 9.3), to its Known Exploited Vulnerabilities (KEV) catalog.

Langflow is a popular tool used for building agentic AI workflows.

CVE-2026-33017 is a critical flaw in Langflow (before v1.9.0) that allows attackers to execute arbitrary code without authentication. The public build endpoint accepts user-supplied data containing Python code, which is executed via exec() without sandboxing. This can lead to full system compromise.

“The POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication. When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution.” reads the advisory. “This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication. The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code.”

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerability by April 8, 2026.

In May 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added another Langflow flaw, tracked as CVE-2025-3248 (CVSS score of 9.8), to its Known Exploited Vulnerabilities (KEV) catalog.

CVE-2025-3248 is a code injection vulnerability in the /api/v1/validate/code endpoint. A remote, unauthenticated attacker can exploit it by sending crafted HTTP requests to execute arbitrary code. The flaw impacts versions prior to 1.3.0.

Researchers from cybersecurity firm Horizon3.ai discovered the vulnerability and pointed out that it is easily exploitable.
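The two request patterns the advisories describe, turned into a small detection pass over request records, as an added example that is not from the article, CISA or the Langflow project. It assumes JSON-lines records exported by a reverse proxy or WAF that captures request bodies; the field names (method, path, src, authorization, body) are my own assumptions, and the sample records are constructed.

```python
import json
import re

# Endpoints named in the advisories quoted in the article.
BUILD_PUBLIC_RE = re.compile(r"^/api/v1/build_public_tmp/[^/]+/flow/?$")
VALIDATE_CODE_PATH = "/api/v1/validate/code"


def classify_request(entry):
    """Return a finding string for one request record, or None if it looks benign."""
    if str(entry.get("method", "")).upper() != "POST":
        return None
    path, body = entry.get("path", ""), entry.get("body")
    if BUILD_PUBLIC_RE.match(path) and isinstance(body, dict) and "data" in body:
        # The public build endpoint is meant to build the stored flow, so a
        # client-supplied 'data' object is the CVE-2026-33017 pattern.
        return "CVE-2026-33017 pattern: client-supplied flow data on public build endpoint"
    if path == VALIDATE_CODE_PATH and not entry.get("authorization"):
        # validate/code was unauthenticated before 1.3.0 (CVE-2025-3248).
        return "CVE-2025-3248 pattern: unauthenticated call to validate/code"
    return None


def scan_log(lines):
    """Scan JSON-lines request records; return (line_no, src, finding) tuples."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        finding = classify_request(entry)
        if finding:
            findings.append((line_no, entry.get("src"), finding))
    return findings


# Constructed sample records, not real traffic. Assumed shape: method, path, src,
# the Authorization header value (if any), and the parsed JSON body under "body".
SAMPLE_LOG = [
    '{"method":"POST","path":"/api/v1/build_public_tmp/abc-123/flow","src":"198.51.100.7","body":{}}',
    '{"method":"POST","path":"/api/v1/build_public_tmp/abc-123/flow","src":"198.51.100.7",'
    '"body":{"data":{"nodes":[{"id":"n1"}],"edges":[]}}}',
    '{"method":"POST","path":"/api/v1/validate/code","src":"203.0.113.9","body":{"code":"x=1"}}',
    '{"method":"POST","path":"/api/v1/validate/code","src":"10.0.0.5","authorization":"Bearer X","body":{}}',
    "not json",
]
```

A plain access log without body capture cannot separate a legitimate public build from one carrying the `data` parameter, since the endpoint is unauthenticated by design; the version check against 1.9.0 and 1.3.0 remains the decisive control.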

Pierluigi Paganini


(SecurityAffairs – hacking, US CISA Known Exploited Vulnerabilities catalog)

Source: https://securityaffairs.com/190018/security/u-s-cisa-adds-a-langflow-flaw-to-its-known-exploited-vulnerabilities-catalog.html