What is the CVSS score of CVE-2026-33497?

CVE-2026-33497 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. EPSS exploitation probability: 0.0%.

Is there a public PoC exploit available for CVE-2026-33497?

Yes, a public proof-of-concept exploit is available for CVE-2026-33497. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-33497?

Within 24 hours: Inventory all systems running Langflow and assess exposure scope; isolate affected instances from production if possible. Within 7 days: Implement network-level controls (WAF rules, IP restrictions) to block the vulnerable endpoint; rotate all JWT secrets and API keys; apply input validation at the application layer. Within 30 days: Migrate to a patched version when available; conduct forensic audit for unauthorized token generation; review access logs for exploitation attempts.

CVE-2026-33497

HIGH

Path Traversal (CWE-22)

2026-03-20 https://github.com/langflow-ai/langflow

GHSA-ph9w-r52h-28p7

Path Traversal

7.5

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.5 HIGH

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

PoC Detected

Mar 24, 2026 - 19:20 vuln.today

Public exploit code

Analysis Generated

Mar 20, 2026 - 21:01 vuln.today

CVE Published

Mar 20, 2026 - 20:56 nvd

HIGH 7.5

DescriptionGitHub Advisory

Summary

In the download_profile_picture function of the /profile_pictures/{folder_name}/{file_name} endpoint, the folder_name and file_name parameters are not strictly filtered, which allows the secret_key to be read across directories.

Details

src/backend/base/langflow/api/v1/files.py

!image

storage local get_file, directly concatenate flow_id and file_name !image

PoC

curl --path-as-is 'http://127.0.0.1:7860/api/v1/files/profile_pictures/../secret_key' ```

Impact

secret_key is used for jwt authentication. Attackers can forge authentication tokens and log into the system.

AnalysisAI

Path traversal in Langflow's /profile_pictures endpoint allows unauthenticated remote attackers to read the application's secret_key through directory traversal in the folder_name parameter. Since the secret_key is used for JWT authentication, attackers can forge valid tokens to gain unauthorized system access. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Craft HTTP request with path traversal payload

Exploit

Send request to /profile_pictures endpoint

Execution

Bypass folder_name/file_name filters

Impact

Read secret_key from arbitrary directory

Access

Craft HTTP request with path traversal payload

Exploit

Send request to /profile_pictures endpoint

Execution

Bypass folder_name/file_name filters

Impact

Read secret_key from arbitrary directory

Vulnerability AssessmentAI

Exploitation	Remote unauthenticated attacker can exploit the /profile_pictures/{folder_name}/{file_name} endpoint in Langflow by using path traversal (e.g., ../ sequences) in folder_name or file_name parameters to read arbitrary files including secret_key. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	This vulnerability presents critical real-world risk despite the absence of formal CVSS scoring. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An unauthenticated remote attacker crafts a malicious HTTP request to the vulnerable endpoint using path traversal syntax, such as 'GET /api/v1/files/profile_pictures/../secret_key', to escape the intended directory and retrieve the JWT secret_key file from the application's file system. With the exfiltrated secret_key, the attacker generates valid JWT tokens for any user account including administrators, gaining full unauthorized access to the Langflow instance. …
Remediation	Immediately upgrade Langflow to the patched version specified in the GitHub security advisory at https://github.com/langflow-ai/langflow/security/advisories/GHSA-ph9w-r52h-28p7 or the corresponding National Vulnerability Database advisory at https://github.com/advisories/GHSA-ph9w-r52h-28p7. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all systems running Langflow and assess exposure scope; isolate affected instances from production if possible. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-33497 vulnerability details – vuln.today

Back

CVE-2026-33497

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

Summary

Details

PoC

Impact

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code