Critical Langflow Vulnerability Exploited Hours After Public Disclosure
A critical unauthenticated remote code execution vulnerability in Langflow (CVE-2026-33017, CVSS 9.3) was actively exploited by threat actors within 20 hours of public disclosure. Attackers leveraged the flaw to steal database credentials and keys, potentially enabling supply chain attacks, with exploitation occurring across three coordinated phases involving six unique IPs and a shared C&C server.
Summary
A critical unauthenticated remote code execution vulnerability in Langflow (CVE-2026-33017, CVSS 9.3) was actively exploited by threat actors within 20 hours of public disclosure. Attackers leveraged the flaw to steal database credentials and keys, potentially enabling supply chain attacks, with exploitation occurring across three coordinated phases involving six unique IPs and a shared C&C server.
Full text
Threat actors started exploiting a critical Langflow vulnerability roughly 20 hours after public disclosure, Sysdig reports. Langflow is a popular open source framework for creating and deploying AI agents and workflows using a visual builder interface, with over 145,000 GitHub stars and more than 8,000 forks. On March 17, Langflow version 1.8.1 was released with patches for a critical vulnerability leading to unauthenticated remote code execution (RCE). Tracked as CVE-2026-33017 (CVSS score of 9.3), the issue impacts a POST endpoint that allows developers to create public flows without requiring authentication. Because of the bug, when the optional ‘data’ parameter is supplied, the endpoint uses flow data that an attacker can supply in node definitions in the form of Python code, instead of the flow data stored in the database. The code is executed without sandboxing, leading to RCE without authentication. According to Sysdig, a single HTTP request is required to trigger the bug, and threat actors started exploiting it hours after public disclosure.Advertisement. Scroll to continue reading. “This is notable because no public PoC repository existed on GitHub at the time of the first attack. The advisory itself contained enough detail (the vulnerable endpoint path and the mechanism for code injection via flow node definitions) for attackers to construct a working exploit without additional research,” Sysdig says. Threat actors have been exploiting CVE-2026-33017 to steal keys and credentials required to access connected databases, potentially setting up for supply chain attacks. Within 48 hours of the vulnerability being publicly disclosed, Sysdig observed exploitation attempts coming from six unique source IPs. During the initial phase of exploitation, mass scans were observed coming from four IPs, delivering the same payload, likely using an automated scanning tool. The second phase involved a different IP address and moved to active reconnaissance, employing pre-staged infrastructure to deploy payloads after validation. Data exfiltration, Sysdig says, was observed during the third phase, which was sourced from a different IP address. The custom scripts deployed during the second and third phases were seen sending data to the same command-and-control (C&C) server. “This overlap likely indicates a single operator working through multiple proxies or VPS nodes, though it could also reflect a shared exploitation toolkit,” Sysdig says. Related: Critical ScreenConnect Vulnerability Exposes Machine Keys Related: Russian APT Exploits Zimbra Vulnerability Against Ukraine Related: CISA Warns of Attacks Exploiting Recent SharePoint Vulnerability Related: 174 Vulnerabilities Targeted by RondoDox Botnet Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Russian APT Exploits Zimbra Vulnerability Against UkraineRaven Emerges From Stealth With $20 Million in Funding‘DarkSword’ iOS Exploit Kit Used by State-Sponsored Hackers, Spyware VendorsEU Sanctions Chinese, Iranian Firms Supporting Hacking OperationsManifold Raises $8 Million for AI Detection and ResponseApple Debuts Background Security Improvements With Fresh WebKit PatchesTech Giants Invest $12.5 Million in Open Source SecurityRobotic Surgery Giant Intuitive Discloses Cyberattack Latest News Aisuru and Kimwolf DDoS Botnets Disrupted in International OperationOasis Security Raises $120 Million for Agentic Access Management1stProtect Emerges From Stealth With $20 Million in FundingCritical ScreenConnect Vulnerability Exposes Machine KeysPrivacy Platform Cloaked Raises $375M to Expand Enterprise ReachIran Readied Cyberattack Capabilities for Response Prior to Epic FuryMarquis Data Breach Affects 672,000 IndividualsSecurity Firm Aura Discloses Data Breach Impacting 900,000 Records Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Securing Fragile OT in an Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Webinar: Why Automated Pentesting Alone Is Not Enough April 7, 2026 Join our live diagnostic session to expose hidden coverage gaps and shift from flawed tool-level evaluations to a comprehensive, program-level validation discipline. Register People on the MoveSecurityBridge has promoted Holger Hügel to Chief Technology Officer.Armis has appointed Simon Mouyal as Chief Marketing Officer.Omada has named Jakob H. Kraglund as Chief Executive Officer.More People On The MoveExpert Insights The Human IOC: Why Security Professionals Struggle with Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How to 10x Your Vulnerability Management Program in the Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) SIM Swaps Expose a Critical Flaw in Identity Security SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts. (Torsten George) Four Risks Boards Cannot Treat as Background Noise The goal isn’t about preventing every attack but about keeping the business running when attacks succeed. (Steve Durbin) How to Eliminate the Technical Debt of Insecure AI-Assisted Software Development Developers must view AI as a collaborator to be closely monitored, rather than an autonomous entity to be unleashed. Without such a mindset, crippling tech debt is inevitable. (Matias Madou) Flipboard Reddit Whatsapp Whatsapp Email
Indicators of Compromise
- cve — CVE-2026-33017
- malware — Langflow RCE exploit toolkit