[variant] project cache prepared=True (using Docker images for the real product)
[variant] CVE-2026-33017 VARIANT/BYPASS: stored-custom-component RCE on the public build path (defeats the 1.9.0 fix)
[variant] logs: /data/pruva/runs/44c4dd2c-bf95-4e5e-8a20-9232f5ffb9dd/bundle/logs/vuln_variant
[variant] image langflowai/langflow:1.9.0 already present
[variant] image langflowai/langflow:1.10.1 already present
[variant] image identity for langflowai/langflow:1.9.0 -> /data/pruva/runs/44c4dd2c-bf95-4e5e-8a20-9232f5ffb9dd/bundle/logs/vuln_variant/claimed_fixed_image_identity.txt
[variant] image identity for langflowai/langflow:1.10.1 -> /data/pruva/runs/44c4dd2c-bf95-4e5e-8a20-9232f5ffb9dd/bundle/logs/vuln_variant/followup_fixed_image_identity.txt
[variant] ----------------------------------------------------------------------
[variant] attempt role=claimed_fixed attempt=1 image=langflowai/langflow:1.9.0 token=dde4c416676ff815
[variant] ----------------------------------------------------------------------
[variant] $ docker run -d --rm --name langflow-variant-claimed_fixed-1 -e LANGFLOW_AUTO_LOGIN=true -e LANGFLOW_PORT=7860 -e LANGFLOW_HOST=0.0.0.0 langflowai/langflow:1.9.0 python -m langflow run --host 0.0.0.0 --port 7860 --backend-only --no-open-browser
[variant] running variant exploit helper inside langflow-variant-claimed_fixed-1 (MODE=bypass) ...
[variant] attempt claimed_fixed/1 rc=0
[variant] ----------------------------------------------------------------------
[variant] attempt role=claimed_fixed attempt=2 image=langflowai/langflow:1.9.0 token=8e2860b85b0ed823
[variant] ----------------------------------------------------------------------
[variant] $ docker run -d --rm --name langflow-variant-claimed_fixed-2 -e LANGFLOW_AUTO_LOGIN=true -e LANGFLOW_PORT=7860 -e LANGFLOW_HOST=0.0.0.0 langflowai/langflow:1.9.0 python -m langflow run --host 0.0.0.0 --port 7860 --backend-only --no-open-browser
[variant] running variant exploit helper inside langflow-variant-claimed_fixed-2 (MODE=bypass) ...
[variant] attempt claimed_fixed/2 rc=0
[variant] ----------------------------------------------------------------------
[variant] attempt role=followup_fixed attempt=1 image=langflowai/langflow:1.10.1 token=e9b8fca5e5acaa53
[variant] ----------------------------------------------------------------------
[variant] $ docker run -d --rm --name langflow-variant-followup_fixed-1 -e LANGFLOW_AUTO_LOGIN=true -e LANGFLOW_PORT=7860 -e LANGFLOW_HOST=0.0.0.0 langflowai/langflow:1.10.1 python -m langflow run --host 0.0.0.0 --port 7860 --backend-only --no-open-browser
[variant] running variant exploit helper inside langflow-variant-followup_fixed-1 (MODE=bypass) ...
[variant] attempt followup_fixed/1 rc=1
[variant] ----------------------------------------------------------------------
[variant] attempt role=followup_fixed attempt=2 image=langflowai/langflow:1.10.1 token=c45084ceac599aed
[variant] ----------------------------------------------------------------------
[variant] $ docker run -d --rm --name langflow-variant-followup_fixed-2 -e LANGFLOW_AUTO_LOGIN=true -e LANGFLOW_PORT=7860 -e LANGFLOW_HOST=0.0.0.0 langflowai/langflow:1.10.1 python -m langflow run --host 0.0.0.0 --port 7860 --backend-only --no-open-browser
[variant] running variant exploit helper inside langflow-variant-followup_fixed-2 (MODE=bypass) ...
[variant] attempt followup_fixed/2 rc=1
[variant] ----------------------------------------------------------------------
[variant] RESULTS: bypass on CVE-claimed-fixed 1.9.0 = 2/2 | bypass on follow-up 1.10.1 = 0/2
[variant] ----------------------------------------------------------------------
[variant] outcome=bypass_confirmed
vuln_variant/reproduction_steps.sh: line 208: data: command not found
[variant] wrote runtime manifest -> /data/pruva/runs/44c4dd2c-bf95-4e5e-8a20-9232f5ffb9dd/bundle/vuln_variant/runtime_manifest.json
[variant] wrote verdict -> /data/pruva/runs/44c4dd2c-bf95-4e5e-8a20-9232f5ffb9dd/bundle/vuln_variant/validation_verdict.json
[variant] VARIANT/BYPASS CONFIRMED (1.9.0 still RCE; 1.10.1 closes it)

[variant] project cache prepared=True (using Docker images for the real product)
[variant] CVE-2026-33017 VARIANT/BYPASS: stored-custom-component RCE on the public build path (defeats the 1.9.0 fix)
[variant] logs: /data/pruva/runs/44c4dd2c-bf95-4e5e-8a20-9232f5ffb9dd/bundle/logs/vuln_variant
[variant] image langflowai/langflow:1.9.0 already present
[variant] image langflowai/langflow:1.10.1 already present
[variant] image identity for langflowai/langflow:1.9.0 -> /data/pruva/runs/44c4dd2c-bf95-4e5e-8a20-9232f5ffb9dd/bundle/logs/vuln_variant/claimed_fixed_image_identity.txt
[variant] image identity for langflowai/langflow:1.10.1 -> /data/pruva/runs/44c4dd2c-bf95-4e5e-8a20-9232f5ffb9dd/bundle/logs/vuln_variant/followup_fixed_image_identity.txt
[variant] ----------------------------------------------------------------------
[variant] attempt role=claimed_fixed attempt=1 image=langflowai/langflow:1.9.0 token=84518e5b4fd70147
[variant] ----------------------------------------------------------------------
[variant] $ docker run -d --rm --name langflow-variant-claimed_fixed-1 -e LANGFLOW_AUTO_LOGIN=true -e LANGFLOW_PORT=7860 -e LANGFLOW_HOST=0.0.0.0 langflowai/langflow:1.9.0 python -m langflow run --host 0.0.0.0 --port 7860 --backend-only --no-open-browser
[variant] running variant exploit helper inside langflow-variant-claimed_fixed-1 (MODE=bypass) ...
[variant] attempt claimed_fixed/1 rc=0
[variant] ----------------------------------------------------------------------
[variant] attempt role=claimed_fixed attempt=2 image=langflowai/langflow:1.9.0 token=cecb406248cbe292
[variant] ----------------------------------------------------------------------
[variant] $ docker run -d --rm --name langflow-variant-claimed_fixed-2 -e LANGFLOW_AUTO_LOGIN=true -e LANGFLOW_PORT=7860 -e LANGFLOW_HOST=0.0.0.0 langflowai/langflow:1.9.0 python -m langflow run --host 0.0.0.0 --port 7860 --backend-only --no-open-browser
[variant] running variant exploit helper inside langflow-variant-claimed_fixed-2 (MODE=bypass) ...
[variant] attempt claimed_fixed/2 rc=0
[variant] ----------------------------------------------------------------------
[variant] attempt role=followup_fixed attempt=1 image=langflowai/langflow:1.10.1 token=61d7955bc6ac5bcb
[variant] ----------------------------------------------------------------------
[variant] $ docker run -d --rm --name langflow-variant-followup_fixed-1 -e LANGFLOW_AUTO_LOGIN=true -e LANGFLOW_PORT=7860 -e LANGFLOW_HOST=0.0.0.0 langflowai/langflow:1.10.1 python -m langflow run --host 0.0.0.0 --port 7860 --backend-only --no-open-browser
[variant] running variant exploit helper inside langflow-variant-followup_fixed-1 (MODE=bypass) ...
[variant] attempt followup_fixed/1 rc=1
[variant] ----------------------------------------------------------------------
[variant] attempt role=followup_fixed attempt=2 image=langflowai/langflow:1.10.1 token=de55f18550fc09c6
[variant] ----------------------------------------------------------------------
[variant] $ docker run -d --rm --name langflow-variant-followup_fixed-2 -e LANGFLOW_AUTO_LOGIN=true -e LANGFLOW_PORT=7860 -e LANGFLOW_HOST=0.0.0.0 langflowai/langflow:1.10.1 python -m langflow run --host 0.0.0.0 --port 7860 --backend-only --no-open-browser
[variant] running variant exploit helper inside langflow-variant-followup_fixed-2 (MODE=bypass) ...
[variant] attempt followup_fixed/2 rc=1
[variant] ----------------------------------------------------------------------
[variant] RESULTS: bypass on CVE-claimed-fixed 1.9.0 = 2/2 | bypass on follow-up 1.10.1 = 0/2
[variant] ----------------------------------------------------------------------
[variant] outcome=bypass_confirmed
[variant] wrote runtime manifest -> /data/pruva/runs/44c4dd2c-bf95-4e5e-8a20-9232f5ffb9dd/bundle/vuln_variant/runtime_manifest.json
[variant] wrote verdict -> /data/pruva/runs/44c4dd2c-bf95-4e5e-8a20-9232f5ffb9dd/bundle/vuln_variant/validation_verdict.json
[variant] VARIANT/BYPASS CONFIRMED (1.9.0 still RCE; 1.10.1 closes it)

[variant] project cache prepared=True (using Docker images for the real product)
[variant] CVE-2026-33017 VARIANT/BYPASS: stored-custom-component RCE on the public build path (defeats the 1.9.0 fix)
[variant] logs: /data/pruva/runs/44c4dd2c-bf95-4e5e-8a20-9232f5ffb9dd/bundle/logs/vuln_variant
[variant] image langflowai/langflow:1.9.0 already present
[variant] image langflowai/langflow:1.10.1 already present
[variant] image identity for langflowai/langflow:1.9.0 -> /data/pruva/runs/44c4dd2c-bf95-4e5e-8a20-9232f5ffb9dd/bundle/logs/vuln_variant/claimed_fixed_image_identity.txt
[variant] image identity for langflowai/langflow:1.10.1 -> /data/pruva/runs/44c4dd2c-bf95-4e5e-8a20-9232f5ffb9dd/bundle/logs/vuln_variant/followup_fixed_image_identity.txt
[variant] ----------------------------------------------------------------------
[variant] attempt role=claimed_fixed attempt=1 image=langflowai/langflow:1.9.0 token=a89c6a6d30652135
[variant] ----------------------------------------------------------------------
[variant] $ docker run -d --rm --name langflow-variant-claimed_fixed-1 -e LANGFLOW_AUTO_LOGIN=true -e LANGFLOW_PORT=7860 -e LANGFLOW_HOST=0.0.0.0 langflowai/langflow:1.9.0 python -m langflow run --host 0.0.0.0 --port 7860 --backend-only --no-open-browser
[variant] running variant exploit helper inside langflow-variant-claimed_fixed-1 (MODE=bypass) ...
[variant] attempt claimed_fixed/1 rc=0
[variant] ----------------------------------------------------------------------
[variant] attempt role=claimed_fixed attempt=2 image=langflowai/langflow:1.9.0 token=278746d0685e7665
[variant] ----------------------------------------------------------------------
[variant] $ docker run -d --rm --name langflow-variant-claimed_fixed-2 -e LANGFLOW_AUTO_LOGIN=true -e LANGFLOW_PORT=7860 -e LANGFLOW_HOST=0.0.0.0 langflowai/langflow:1.9.0 python -m langflow run --host 0.0.0.0 --port 7860 --backend-only --no-open-browser
[variant] running variant exploit helper inside langflow-variant-claimed_fixed-2 (MODE=bypass) ...
[variant] attempt claimed_fixed/2 rc=0
[variant] ----------------------------------------------------------------------
[variant] attempt role=followup_fixed attempt=1 image=langflowai/langflow:1.10.1 token=697718516c9944ef
[variant] ----------------------------------------------------------------------
[variant] $ docker run -d --rm --name langflow-variant-followup_fixed-1 -e LANGFLOW_AUTO_LOGIN=true -e LANGFLOW_PORT=7860 -e LANGFLOW_HOST=0.0.0.0 langflowai/langflow:1.10.1 python -m langflow run --host 0.0.0.0 --port 7860 --backend-only --no-open-browser
[variant] running variant exploit helper inside langflow-variant-followup_fixed-1 (MODE=bypass) ...
[variant] attempt followup_fixed/1 rc=1
[variant] ----------------------------------------------------------------------
[variant] attempt role=followup_fixed attempt=2 image=langflowai/langflow:1.10.1 token=fb41ea1d2586f69b
[variant] ----------------------------------------------------------------------
[variant] $ docker run -d --rm --name langflow-variant-followup_fixed-2 -e LANGFLOW_AUTO_LOGIN=true -e LANGFLOW_PORT=7860 -e LANGFLOW_HOST=0.0.0.0 langflowai/langflow:1.10.1 python -m langflow run --host 0.0.0.0 --port 7860 --backend-only --no-open-browser
[variant] running variant exploit helper inside langflow-variant-followup_fixed-2 (MODE=bypass) ...
[variant] attempt followup_fixed/2 rc=1
[variant] ----------------------------------------------------------------------
[variant] RESULTS: bypass on CVE-claimed-fixed 1.9.0 = 2/2 | bypass on follow-up 1.10.1 = 0/2
[variant] ----------------------------------------------------------------------
[variant] outcome=bypass_confirmed
[variant] wrote runtime manifest -> /data/pruva/runs/44c4dd2c-bf95-4e5e-8a20-9232f5ffb9dd/bundle/vuln_variant/runtime_manifest.json
[variant] wrote verdict -> /data/pruva/runs/44c4dd2c-bf95-4e5e-8a20-9232f5ffb9dd/bundle/vuln_variant/validation_verdict.json
[variant] VARIANT/BYPASS CONFIRMED (1.9.0 still RCE; 1.10.1 closes it)