Description
Describe the bug / issue
Release 1.8.2 was published on GitHub with an important security fix:
fix: prevent RCE via data parameter in build_public_tmp endpoint
(PR #12160 by @Jkavia)
This is the patch for CVE-2026-33017 (unauthenticated RCE on the public endpoint), which has been actively exploited in the wild.
However, there is no corresponding Docker image available on Docker Hub for version 1.8.2:
- langflowai/langflow:1.8.2 does not exist.
- The latest available versioned tag is still 1.8.1 (pushed ~12 days ago). latest also points to 1.8.1.
Users who rely on Docker (especially on AWS EC2, Kubernetes, etc.) cannot easily upgrade to the patched version without either:
- Building the image from source ourselves, or
- Staying on the vulnerable 1.8.1 / using latest that hasn't been updated.
Expected behavior
A Docker tag langflowai/langflow:1.8.2 (and ideally 1.8.2-amd64, 1.8.2-arm64) should be published automatically or manually as part of the release process, similar to previous versions (e.g., 1.8.1, 1.8.0).
Steps to reproduce
- Go to https://github.com/langflow-ai/langflow/releases/tag/1.8.2
- Try docker pull langflowai/langflow:1.8.2 → fails with "manifest unknown".
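An added check, not part of the original issue or of the project's own tooling: given a Docker Hub tag listing, report whether the patched tag is published and which versioned build latest actually aliases (by digest), so a deployment does not assume latest carries the fix. The JSON below is a constructed sample in the shape of Docker Hub's tags API with placeholder digests; the API endpoint and field names are assumptions.

```python
import json
import re

# Constructed sample in the shape of Docker Hub's tag listing
# (https://hub.docker.com/v2/repositories/<ns>/<repo>/tags?page_size=100).
# Digests are made-up placeholders, not real image digests.
SAMPLE_TAGS_JSON = json.dumps({
    "results": [
        {"name": "latest", "digest": "sha256:aaaa0001"},
        {"name": "1.8.1", "digest": "sha256:aaaa0001"},
        {"name": "1.8.0", "digest": "sha256:aaaa0000"},
    ]
})

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(tag):
    """Return (major, minor, patch) for a plain x.y.z tag, else None."""
    m = VERSION_RE.match(tag)
    return tuple(int(x) for x in m.groups()) if m else None


def audit_tags(tags_json, required):
    """Compare a tag listing against the minimum patched version.

    Returns whether the patched tag exists, which versioned tag shares
    a digest with 'latest', and whether 'latest' is still below the
    required fix (treated as vulnerable when it cannot be resolved).
    """
    results = json.loads(tags_json)["results"]
    by_name = {r["name"]: r["digest"] for r in results}
    versioned = {n: d for n, d in by_name.items() if parse_version(n)}
    latest_digest = by_name.get("latest")
    latest_alias = next(
        (n for n, d in versioned.items() if d == latest_digest), None)
    latest_ver = parse_version(latest_alias) if latest_alias else None
    return {
        "patched_tag_published": required in by_name,
        "latest_alias": latest_alias,
        "latest_vulnerable": latest_ver is None
        or latest_ver < parse_version(required),
    }


if __name__ == "__main__":
    print(audit_tags(SAMPLE_TAGS_JSON, "1.8.2"))
```

Feed it the live API response for the repository to see whether latest has moved past the vulnerable build before relying on it.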
Environment
- Docker Hub: https://hub.docker.com/r/langflowai/langflow/tags
- Affected users: Anyone deploying via Docker / docker-compose on EC2, self-hosted setups, etc.
Suggested fix
- Publish the 1.8.2 Docker image (or update latest to include the 1.8.2 changes).
- Consider adding a note in the release notes about Docker availability.
- If the CI/CD pipeline for Docker builds is manual or broken for patch releases, it would be helpful to document the process or automate it for all releases that include security fixes.
This is especially critical because the fixed vulnerability is a critical unauthenticated RCE that attackers are actively scanning for.
Thank you for the quick security response with 1.8.2 — just need to make the fix reachable for Docker users!