Actively Exploited Langflow RCE Exposed AI Pipeline Secrets and Triggered CISA KEV Listing
Threat actors rapidly exploited CVE-2026-33017, a critical unauthenticated remote code execution flaw in Langflow’s public flow build endpoint, allowing arbitrary Python code to reach an unsandboxed exec() path with a single crafted request. The bug affects Langflow versions prior to 1.9.0 and stems from the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint accepting attacker-controlled flow data through an optional parameter. Researchers and vendor advisories said the issue is distinct from CVE-2025-3248 because the vulnerable endpoint is intentionally public, meaning the fix required removing attacker-supplied flow data from that execution path rather than simply adding authentication.
Sysdig and other researchers reported exploitation beginning within about 20 hours of disclosure, with attackers scanning for exposed instances, validating code execution, reading files such as .env, .db, and /etc/passwd, stealing credentials, API keys, and database secrets, and attempting follow-on payload delivery from infrastructure including 173.212.205[.]251:8443. The severity prompted CISA to add the flaw to its Known Exploited Vulnerabilities catalog and order federal agencies to remediate by April 8, 2026 or discontinue use if they could not secure affected systems. Security guidance across the reports urged organizations to upgrade to Langflow 1.9.0 or later, restrict or remove internet exposure of the vulnerable endpoint, monitor outbound connections, and rotate secrets if compromise is suspected.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
CISA orders federal agencies to remediate by April 8
After adding the flaw to KEV, CISA directed Federal Civilian Executive Branch agencies to remediate CVE-2026-33017 by April 8, 2026. Guidance also said agencies should discontinue use if mitigations could not be applied.
CISA adds CVE-2026-33017 to the KEV catalog
CISA added the Langflow flaw to its Known Exploited Vulnerabilities catalog after determining it was being actively exploited in the wild. The agency's action elevated the issue for federal defenders and the broader security community.
ProjectDiscovery opens PR for Nuclei detection template
A pull request was opened to add a Nuclei template for CVE-2026-33017. Review comments pushed the template from passive version checks toward an actual POST-based proof-of-concept detection method, and the author updated it accordingly.
Belgium's CCB issues warning to patch Langflow immediately
Belgium's Centre for Cybersecurity published an advisory warning about the critical Langflow vulnerability and urging immediate patching. This reflected growing government concern over the flaw's risk to AI pipeline deployments.
Langflow fix is available in version 1.9.0
Multiple references state the vulnerability was fixed in Langflow version 1.9.0, with earlier development builds also addressing it. The remediation removed the unsafe attacker-controlled path in the public flow build process.
Sysdig publishes attack analysis of Langflow exploitation
Sysdig released a report detailing how attackers compromised Langflow AI pipelines in about 20 hours. The company described six source IPs, staged payload delivery, credential theft, and use of custom tooling and shared infrastructure.
Attackers begin exploiting CVE-2026-33017 within 20 hours
Sysdig observed exploitation attempts roughly 20 hours after disclosure, showing attackers weaponized the flaw without a public proof-of-concept. Activity included scanning, RCE validation, reconnaissance, payload delivery, and credential harvesting.
Sysdig honeypots detect exploitation attempts
Sysdig detected exploitation attempts against honeypots on March 18, indicating active abuse of the Langflow flaw shortly after disclosure. The observed attacks targeted secrets, credentials, and files tied to AI pipelines.
CVE-2026-33017 is disclosed and assigned
CVE-2026-33017 was publicly disclosed for Langflow's public flow build endpoint, with reports stating disclosure occurred on March 17, 2026. GitHub also assigned the CVE on that date according to later reporting.
Langflow publishes security advisory for CVE-2026-33017
Langflow published GitHub advisory GHSA-vwmf-pq79-vjvx describing a critical unauthenticated remote code execution flaw in the public flow build endpoint. The advisory explained that attacker-supplied flow data could reach an unsandboxed exec() path.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
13 references tracked. Mallory keeps watching after this page renders.
Critical Langflow AI bug exploited within 20 hours added to CISA list | news | SC Media
scworld.com
Open sourceU.S. CISA adds a Langflow flaw to its Known Exploited Vulnerabilities catalog
securityaffairs.com
Open sourceCISA Warns of Langflow Code Injection Vulnerability Exploited in Attacks
cybersecuritynews.com
Open sourceCritical Flaw in Langflow AI Platform Under Attack
darkreading.com
Open sourceCritical Langflow Flaw CVE-2026-33017 Triggers Attacks within 20 Hours of Disclosure
thehackernews.com
Open sourceCVE-2026-33017 - Langflow has Unauthenticated Remote Code Execution via Public Flow Build Endpoint
cvefeed.io
Open sourceCVE-2026-33017: How attackers compromised Langflow AI pipelines in 20 hours | Sysdig
webflow.sysdig.com
Open sourceUnauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint · Advisory · langflow-ai/langflow · GitHub
github.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Unpatched Langflow Path Traversal Flaw Exploited for Unauthenticated RCE
Attackers are actively exploiting **CVE-2026-5027**, a high-severity path traversal vulnerability in the open-source AI application platform **Langflow**, to write files to arbitrary locations on target systems and potentially achieve remote code execution. The flaw affects the `POST /api/v2/files` endpoint, where the `filename` parameter is not properly sanitized, and exploitation is made more severe by Langflow's default unauthenticated auto-login behavior, which lets attackers obtain a valid session token with a single unauthenticated request. VulnCheck reported observed attacks writing apparent test files to victim hosts, while Tenable identified the issue and assigned it a **CVSS 8.8** score. Internet exposure increases the risk: Censys data indicates about **7,000** Langflow instances are reachable online, with the largest concentration in North America. The exploitation report also fits a broader pattern of sustained attacker interest in Langflow, with other vulnerabilities including **`CVE-2026-0770`**, **`CVE-2026-21445`**, **`CVE-2026-33017`**, and **`CVE-2025-34291`** also reported as exploited in 2026; the last has been linked in public reporting to the Iranian state-backed group **MuddyWater**. Separately, a newly disclosed flaw in **Roxy-WI** (**`CVE-2026-45556`**) shows a similar arbitrary file-write-to-RCE pattern on managed load balancers, but no public patch was available at publication.
Jun 11, 2026
Langflow Flaws Enable Cross-Tenant Access and Fuel Cryptominer Intrusions
Multiple vulnerabilities in **Langflow** have exposed AI application deployments to both account-to-account abuse and active compromise. **`CVE-2026-33760`** affects versions before **1.9.0** and allows authenticated users to read, modify, rename, or delete other users’ messages, sessions, build artifacts, and LLM transaction logs through seven `/api/v1/monitor` endpoints that fail to enforce ownership checks. A separate flaw, **`CVE-2026-55255`**, affects versions before **1.9.2** and lets an authenticated attacker execute another user’s flow through the `/api/v1/responses` endpoint by supplying a victim `flow_id`, giving the issue a critical **CVSS 9.9** rating. At the same time, defenders are tracking a cryptocurrency-mining campaign exploiting **`CVE-2026-33017`**, an unauthenticated remote code execution bug in Langflow, to compromise exposed instances and deploy Monero miners. Threat research says the malware disables security controls, installs persistence, and can enable lateral movement through reused SSH keys; observed infrastructure includes **`83.142.209.214`** and **`94.156.64.241`**. Organizations running Langflow are being urged to upgrade to **1.9.0** and **1.9.2** or later as applicable, verify access-control enforcement, restrict public exposure of Langflow services, and treat signs of miner activity or unauthorized flow execution as a significant incident.
Jun 24, 2026
Critical Unauthenticated RCE in Langflow OSS PythonREPLComponent
IBM disclosed **CVE-2026-10561**, a critical unauthenticated remote code execution flaw in Langflow OSS affecting versions `1.0.0` through `1.9.3`. The vulnerability is rooted in improper isolation in the `PythonREPLComponent`: CPython's `exec()` restores full builtins access when the globals dictionary does not explicitly clear `__builtins__`, allowing attackers to bypass the intended import restrictions. IBM and downstream advisories rate the issue **CVSS 3.1 10.0**, noting it is remotely exploitable with low attack complexity, requires no privileges, and needs no user interaction. The flaw can be chained with Langflow's default `LANGFLOW_AUTO_LOGIN=true` behavior, which exposes the `/api/v1/auto_login` endpoint and can issue a superuser JWT without credentials, enabling unauthenticated code execution on the host. Successful exploitation could lead to arbitrary OS command execution, theft of LLM provider keys, flow definitions and vector store credentials, and persistent compromise of affected systems. IBM recommends upgrading to **Langflow OSS 1.9.4** immediately; no workaround was listed, and defenders are advised to apply vendor updates, harden access controls, and monitor for unauthorized activity.
Jun 22, 2026