A critical vulnerability in Langflow, the popular open-source AI workflow platform, has been actively exploited within just 20 hours of its public disclosure—before any proof-of-concept code was even available. The rapid weaponization highlights the shrinking window defenders have to patch critical flaws.
The Vulnerability: CVE-2026-33017
Tracked as CVE-2026-33017 with a CVSS score of 9.3, the flaw combines missing authentication with code injection to enable unauthenticated remote code execution (RCE). The vulnerability affects all versions of Langflow through 1.8.1.
According to Langflow’s security advisory, the vulnerable endpoint /api/v1/build_public_tmp/{flow_id}/flow allows building public flows without requiring authentication. When an attacker supplies malicious data via the optional data parameter, the endpoint passes attacker-controlled Python code directly to exec() with zero sandboxing.
“This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution.”
Exploitation Timeline: 20 Hours
Cloud security firm Sysdig observed the first exploitation attempts targeting CVE-2026-33017 in the wild within 20 hours of the advisory’s publication on March 17, 2026—remarkably, without any public PoC code available.
“Attackers built working exploits directly from the advisory description and began scanning the internet for vulnerable instances,” Sysdig reported. The exfiltrated information included keys and credentials, providing access to connected databases and potential software supply chain compromise.
Attack Progression
Threat actors rapidly evolved their techniques:
- Initial Phase: Automated scanning for vulnerable Langflow instances
- Validation: Custom Python scripts to extract /etc/passwd
- Payload Delivery: Next-stage payload hosted on attacker infrastructure (173.212.205[.]251:8443)
- Credential Harvesting: Enumeration of configuration files, databases, and extraction of .env files containing secrets
“This is an attacker with a prepared exploitation toolkit moving from vulnerability validation to payload deployment in a single session,” Sysdig noted.
Why It Matters
This attack demonstrates several critical trends:
Time-to-Exploit Compression: The median time from vulnerability disclosure to active exploitation has collapsed from 771 days in 2018 to just hours in 2024-2026. According to Rapid7’s 2026 Global Threat Landscape Report, the median time from publication to CISA KEV inclusion dropped from 8.5 days to just five days over the past year.
AI Workloads Under Attack: AI platforms like Langflow are increasingly targeted because they have access to valuable data, integrate within software supply chains, and often lack mature security safeguards.
Defenders Are Outpaced: With organizations taking approximately 20 days to deploy patches while threat actors build working exploits in hours, the window of exposure is dangerously wide.
Connection to Previous Langflow Vulnerability
CVE-2026-33017 is related to but distinct from CVE-2025-3248 (CVSS 9.8), another critical Langflow bug that abused a different endpoint (/api/v1/validate/code) for unauthenticated code execution. That vulnerability has also been under active exploitation per CISA.
Security researcher Aviral Srivastava, who discovered CVE-2026-33017, explained that both vulnerabilities share the same root cause—the dangerous use of exec() without sandboxing—but exploit different attack surfaces.
Mitigation Recommendations
Organizations using Langflow should:
- Update immediately to development version 1.9.0.dev8, or to a later version once a stable release is available
- Audit environment variables and secrets on any publicly exposed Langflow instance
- Rotate keys and database passwords as a precautionary measure
- Monitor for outbound connections to unusual callback services
- Restrict network access to Langflow instances using firewall rules or a reverse proxy with authentication
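To triage whether an exposed instance received requests to the two endpoints named above, the following added example (not code from Langflow, Sysdig, or the advisory) scans reverse-proxy access logs and separates requests that were served from those blocked in front of Langflow. It assumes nginx/Apache "combined" log format; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Endpoints named in the article: CVE-2026-33017 and the earlier CVE-2025-3248.
WATCHED = {
    "CVE-2026-33017": re.compile(r"^/api/v1/build_public_tmp/[^/]+/flow/?$"),
    "CVE-2025-3248": re.compile(r"^/api/v1/validate/code/?$"),
}

# Assumption: the reverse proxy writes nginx/Apache "combined" format lines.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def find_hits(lines):
    """Return {client_ip: [(cve, timestamp, method, status), ...]} for watched paths."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m["target"].split("?", 1)[0]  # drop the query string before matching
        for cve, pattern in WATCHED.items():
            if pattern.match(path):
                hits[m["ip"]].append((cve, m["ts"], m["method"], int(m["status"])))
    return dict(hits)

def served(hits):
    """Clients with at least one 2xx response, i.e. the request reached Langflow."""
    return sorted(ip for ip, rows in hits.items() if any(200 <= r[3] < 300 for r in rows))

# Constructed sample log lines (documentation-range IPs), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [18/Mar/2026:09:12:01 +0000] "POST /api/v1/build_public_tmp/3f2a/flow HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [18/Mar/2026:09:12:05 +0000] "GET / HTTP/1.1" 200 48 "-" "-"',
    '198.51.100.23 - - [18/Mar/2026:10:40:11 +0000] "POST /api/v1/build_public_tmp/aaaa/flow?x=1 HTTP/1.1" 401 0 "-" "-"',
    '192.0.2.10 - - [18/Mar/2026:11:02:47 +0000] "POST /api/v1/validate/code HTTP/1.1" 403 0 "-" "-"',
]

if __name__ == "__main__":
    hits = find_hits(SAMPLE)
    for ip, rows in hits.items():
        print(ip, rows)
    print("served (prioritize secret rotation):", served(hits))
```

A 2xx response shows only that the request was served, not that code executed; treat those sources as the ones to investigate first and pair the result with the secret rotation and outbound-connection checks listed above.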
Source: The Hacker News / Sysdig
