{
  "repository": "langflow-ai/langflow",
  "repository_url": "https://github.com/langflow-ai/langflow",
  "commit_source": "image_build_metadata+release_tag_resolution",
  "commit_sha": "a47f2ad17eb662e940c550cfccb64a87dddd7e0b",
  "submitted_target": {
    "target_kind": "docker_image",
    "version": "1.9.0",
    "ref": "v1.9.0",
    "commit_sha": "a47f2ad17eb662e940c550cfccb64a87dddd7e0b",
    "display": "langflowai/langflow:1.9.0 (CVE-2026-33017 'fixed' version; release tag v1.9.0 -> commit a47f2ad17e)"
  },
  "variant_target": {
    "target_kind": "docker_image",
    "version": "1.9.0",
    "ref": "v1.9.0",
    "commit_sha": "a47f2ad17eb662e940c550cfccb64a87dddd7e0b",
    "display": "langflowai/langflow:1.9.0 -> proven STILL vulnerable to unauthenticated RCE via the stored-custom-component bypass"
  },
  "followup_fixed_target": {
    "target_kind": "docker_image",
    "version": "1.10.1",
    "ref": "v1.10.1",
    "commit_sha": "a66b75ac2603b26988fb6be95303fdc61f807190",
    "display": "langflowai/langflow:1.10.1 (closes the bypass via commit 626365f088 'run trusted server code on unauthenticated public flow builds')"
  },
  "resolution_notes": "The Docker images expose the langflow pip version via importlib.metadata (recorded in logs/vuln_variant/claimed_fixed_image_identity.txt and followup_fixed_image_identity.txt). Each pip version maps 1:1 to a release tag in the langflow repo mirror, which resolves to the exact git commit: v1.9.0 -> a47f2ad17eb662e940c550cfccb64a87dddd7e0b (bypass reproduces here) and v1.10.1 -> a66b75ac2603b26988fb6be95303fdc61f807190 (bypass closed here). This mapping assumes each image was built from its tagged release; the reported pip version alone does not verify the image contents against that commit. The follow-up hardening commit 626365f088379236776e0d72f7d18c9094e43ebb is an ancestor of v1.10.1 but NOT of v1.10.0/v1.9.0, confirming the bypass gap is present in v1.9.0 through v1.10.0. v1.10.0 is included by commit ancestry; this record lists a reproduction only against the 1.9.0 image.",
  "vulnerable_range_for_bypass": ">=1.9.0, <1.10.1 (versions that have the original CVE-2026-33017 fix but lack the H1-3754930 follow-up)"
}
