[repro] project cache prepared=True (using Docker images for the real product) [repro] CVE-2026-33017 reproduction: unauthenticated RCE via /api/v1/build_public_tmp/{flow_id}/flow [repro] logs: /data/pruva/runs/44c4dd2c-bf95-4e5e-8a20-9232f5ffb9dd/bundle/logs [repro] image langflowai/langflow:1.8.1 already present [repro] image langflowai/langflow:1.9.0 already present [repro] ---------------------------------------------------------------------- [repro] attempt role=vuln attempt=1 image=langflowai/langflow:1.8.1 token=e19250a78542d32b [repro] ---------------------------------------------------------------------- [repro] $ docker run -d --rm --name langflow-vuln-1 -e LANGFLOW_AUTO_LOGIN=true -e LANGFLOW_PORT=7860 -e LANGFLOW_HOST=0.0.0.0 langflowai/langflow:1.8.1 python -m langflow run --host 0.0.0.0 --port 7860 --backend-only --no-open-browser [repro] running exploit helper inside langflow-vuln-1 ... [repro] attempt vuln/1 rc=0 [repro] ---------------------------------------------------------------------- [repro] attempt role=vuln attempt=2 image=langflowai/langflow:1.8.1 token=755e813a4c9e13f5 [repro] ---------------------------------------------------------------------- [repro] $ docker run -d --rm --name langflow-vuln-2 -e LANGFLOW_AUTO_LOGIN=true -e LANGFLOW_PORT=7860 -e LANGFLOW_HOST=0.0.0.0 langflowai/langflow:1.8.1 python -m langflow run --host 0.0.0.0 --port 7860 --backend-only --no-open-browser [repro] running exploit helper inside langflow-vuln-2 ... [repro] attempt vuln/2 rc=0 [repro] ---------------------------------------------------------------------- [repro] attempt role=fixed attempt=1 image=langflowai/langflow:1.9.0 token=33a9dd589145cc59 [repro] ---------------------------------------------------------------------- [repro] $ docker run -d --rm --name langflow-fixed-1 -e LANGFLOW_AUTO_LOGIN=true -e LANGFLOW_PORT=7860 -e LANGFLOW_HOST=0.0.0.0 langflowai/langflow:1.9.0 python -m langflow run --host 0.0.0.0 --port 7860 --backend-only --no-open-browser [repro] running exploit helper inside langflow-fixed-1 ... [repro] attempt fixed/1 rc=1 [repro] ---------------------------------------------------------------------- [repro] attempt role=fixed attempt=2 image=langflowai/langflow:1.9.0 token=245870f07df33430 [repro] ---------------------------------------------------------------------- [repro] $ docker run -d --rm --name langflow-fixed-2 -e LANGFLOW_AUTO_LOGIN=true -e LANGFLOW_PORT=7860 -e LANGFLOW_HOST=0.0.0.0 langflowai/langflow:1.9.0 python -m langflow run --host 0.0.0.0 --port 7860 --backend-only --no-open-browser [repro] running exploit helper inside langflow-fixed-2 ... [repro] attempt fixed/2 rc=1 [repro] ---------------------------------------------------------------------- [repro] RESULTS: vulnerable RCE successes=2/2 fixed closed=2/2 (fixed_ok=0 must be 0) [repro] ---------------------------------------------------------------------- [repro] outcome=confirmed [repro] wrote runtime manifest -> /data/pruva/runs/44c4dd2c-bf95-4e5e-8a20-9232f5ffb9dd/bundle/repro/runtime_manifest.json [repro] wrote verdict -> /data/pruva/runs/44c4dd2c-bf95-4e5e-8a20-9232f5ffb9dd/bundle/repro/validation_verdict.json [repro] proof-carry artifacts cached under /data/pruva/project-cache/688af86e-dc4c-4d20-bb02-ccdf8da2c7d0/pruva/.pruva/proof-carry/ [repro] VULNERABILITY CONFIRMED [repro] project cache prepared=True (using Docker images for the real product) [repro] CVE-2026-33017 reproduction: unauthenticated RCE via /api/v1/build_public_tmp/{flow_id}/flow [repro] logs: /data/pruva/runs/44c4dd2c-bf95-4e5e-8a20-9232f5ffb9dd/bundle/logs [repro] image langflowai/langflow:1.8.1 already present [repro] image langflowai/langflow:1.9.0 already present [repro] ---------------------------------------------------------------------- [repro] attempt role=vuln attempt=1 image=langflowai/langflow:1.8.1 token=ac8b4072ceec8039 [repro] ---------------------------------------------------------------------- [repro] $ docker run -d --rm --name langflow-vuln-1 -e LANGFLOW_AUTO_LOGIN=true -e LANGFLOW_PORT=7860 -e LANGFLOW_HOST=0.0.0.0 langflowai/langflow:1.8.1 python -m langflow run --host 0.0.0.0 --port 7860 --backend-only --no-open-browser [repro] running exploit helper inside langflow-vuln-1 ... [repro] attempt vuln/1 rc=0 [repro] ---------------------------------------------------------------------- [repro] attempt role=vuln attempt=2 image=langflowai/langflow:1.8.1 token=1557deb55348f34f [repro] ---------------------------------------------------------------------- [repro] $ docker run -d --rm --name langflow-vuln-2 -e LANGFLOW_AUTO_LOGIN=true -e LANGFLOW_PORT=7860 -e LANGFLOW_HOST=0.0.0.0 langflowai/langflow:1.8.1 python -m langflow run --host 0.0.0.0 --port 7860 --backend-only --no-open-browser [repro] running exploit helper inside langflow-vuln-2 ... [repro] attempt vuln/2 rc=0 [repro] ---------------------------------------------------------------------- [repro] attempt role=fixed attempt=1 image=langflowai/langflow:1.9.0 token=1bb35b5ee82f18a0 [repro] ---------------------------------------------------------------------- [repro] $ docker run -d --rm --name langflow-fixed-1 -e LANGFLOW_AUTO_LOGIN=true -e LANGFLOW_PORT=7860 -e LANGFLOW_HOST=0.0.0.0 langflowai/langflow:1.9.0 python -m langflow run --host 0.0.0.0 --port 7860 --backend-only --no-open-browser [repro] running exploit helper inside langflow-fixed-1 ... [repro] attempt fixed/1 rc=1 [repro] ---------------------------------------------------------------------- [repro] attempt role=fixed attempt=2 image=langflowai/langflow:1.9.0 token=64a6f6c9658831d9 [repro] ---------------------------------------------------------------------- [repro] $ docker run -d --rm --name langflow-fixed-2 -e LANGFLOW_AUTO_LOGIN=true -e LANGFLOW_PORT=7860 -e LANGFLOW_HOST=0.0.0.0 langflowai/langflow:1.9.0 python -m langflow run --host 0.0.0.0 --port 7860 --backend-only --no-open-browser [repro] running exploit helper inside langflow-fixed-2 ... [repro] attempt fixed/2 rc=1 [repro] ---------------------------------------------------------------------- [repro] RESULTS: vulnerable RCE successes=2/2 fixed closed=2/2 (fixed_ok=0 must be 0) [repro] ---------------------------------------------------------------------- [repro] outcome=confirmed [repro] wrote runtime manifest -> /data/pruva/runs/44c4dd2c-bf95-4e5e-8a20-9232f5ffb9dd/bundle/repro/runtime_manifest.json [repro] wrote verdict -> /data/pruva/runs/44c4dd2c-bf95-4e5e-8a20-9232f5ffb9dd/bundle/repro/validation_verdict.json [repro] proof-carry artifacts cached under /data/pruva/project-cache/688af86e-dc4c-4d20-bb02-ccdf8da2c7d0/pruva/.pruva/proof-carry/ [repro] VULNERABILITY CONFIRMED