A critical vulnerability in Langflow, a popular open-source AI workflow automation platform, has been actively exploited in the wild within just 20 hours of public disclosure—before any proof-of-concept code was even available.
The Vulnerability
Tracked as CVE-2026-33017 with a CVSS score of 9.3, the flaw combines missing authentication with code injection to enable unauthenticated remote code execution. The vulnerable endpoint /api/v1/build_public_tmp/{flow_id}/flow allows building public flows without authentication, but critically accepts attacker-controlled flow data containing arbitrary Python code that gets passed directly to exec() with zero sandboxing.
All versions of Langflow through 1.8.1 are affected. The fix is available in development version 1.9.0.dev8.
Lightning-Fast Weaponization
According to Sysdig’s research, attackers began exploitation attempts within 20 hours of the advisory publication on March 17, 2026—building working exploits directly from the advisory description without waiting for public PoC code.
“Exfiltrated information included keys and credentials, which provided access to connected databases and potential software supply chain compromise,” Sysdig reported.
Attack Chain Observed
Threat actors moved rapidly from automated scanning to sophisticated attacks:
- Extraction of /etc/passwd contents
- Delivery of next-stage payloads from 173.212.205[.]251:8443
- Harvesting environment variables and configuration files
- Enumeration of databases
- Extraction of .env file contents containing secrets
Exploitation is trivially simple—a single HTTP POST request with malicious Python code in the JSON payload achieves immediate RCE with full server process privileges.
Why This Matters
This attack demonstrates a disturbing pattern in AI security:
- Shrinking exploitation timelines: The 20-hour window aligns with Rapid7’s 2026 Global Threat Landscape Report showing median time-to-exploit dropping to hours
- AI as high-value target: AI workloads attract attackers due to their access to valuable data and integration within software supply chains
- Inadequate security safeguards: Many AI platforms prioritize functionality over security, using dangerous patterns like exec() without sandboxing
“Critical vulnerabilities in popular open-source tools are weaponized within hours of disclosure, often before public PoC code is even available,” Sysdig concluded.
Recommended Actions
- Update to Langflow 1.9.0.dev8 or later immediately
- Audit environment variables and secrets on any publicly exposed instances
- Rotate all keys and database passwords
- Monitor for outbound connections to unusual callback services
- Restrict network access using firewall rules or authenticated reverse proxy
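One way to act on the monitoring recommendation, as an added example that is not from the article or from Sysdig: scan web-server or reverse-proxy access logs for requests to the unauthenticated build_public_tmp route named in the advisory and count them per source. The log lines, IP addresses and flow_id are constructed for illustration, and the combined log format is an assumption about your proxy.

```python
import re
from collections import Counter

# Constructed sample lines in combined log format (not traffic from the Sysdig report).
SAMPLE_LOG = """\
203.0.113.7 - - [18/Mar/2026:03:12:41 +0000] "POST /api/v1/build_public_tmp/3f2c1e9a-0b4d-4f7e-9a1c-5d6e7f8a9b0c/flow HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.23 - - [18/Mar/2026:03:12:44 +0000] "GET /api/v1/flows/ HTTP/1.1" 401 88 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Mar/2026:03:13:02 +0000] "POST /api/v1/build_public_tmp/3f2c1e9a-0b4d-4f7e-9a1c-5d6e7f8a9b0c/flow HTTP/1.1" 200 731 "-" "python-requests/2.31"
192.0.2.9 - - [18/Mar/2026:03:14:10 +0000] "GET /health HTTP/1.1" 200 15 "-" "kube-probe/1.29"
"""

# ip ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# The unauthenticated build route from the advisory; the segment after
# build_public_tmp/ is the flow_id. A trailing query string is tolerated.
ENDPOINT_RE = re.compile(r'^/api/v1/build_public_tmp/(?P<flow_id>[^/?]+)/flow/?(?:\?.*)?$')

def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_public_build_requests(log_text):
    """Return every request to the build_public_tmp route as a list of dicts.
    On affected versions it needs no authentication, so a 200 is not evidence of a
    legitimate caller; triage each hit on an exposed instance."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        ep = ENDPOINT_RE.match(rec["path"]) if rec else None
        if ep is None:
            continue
        hits.append({"ip": rec["ip"], "time": rec["time"], "method": rec["method"],
                     "flow_id": ep.group("flow_id"), "status": int(rec["status"]),
                     "ua": rec["ua"]})
    return hits

def summarize_by_source(hits):
    """Count build_public_tmp requests per source IP, noisiest first."""
    return Counter(h["ip"] for h in hits).most_common()

if __name__ == "__main__":
    hits = find_public_build_requests(SAMPLE_LOG)
    for h in hits:
        print(f'{h["time"]} {h["ip"]} {h["method"]} flow_id={h["flow_id"]} status={h["status"]} ua="{h["ua"]}"')
    print("per-source counts:", summarize_by_source(hits))
```

Feed the function the access log of any instance that was reachable from the internet before patching; every hit is a candidate for the credential-rotation step above.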
Source: The Hacker News | Sysdig
