
AI Security — March 25, 2026
Langflow RCE Exploited in 20 Hours.
No PoC Needed.
CISA added Langflow CVE-2026-33017 to its Known Exploited Vulnerabilities catalog. Attackers built working exploits from the advisory alone within 20 hours. The flaw gives unauthenticated remote code execution on any exposed Langflow instance.
Sources: CISA KEV catalog; CVE-2026-33017 NVD entry; Langflow security advisory; Checkmarx threat analysis; March 2026.
On March 17, 2026, a critical unauthenticated remote code execution vulnerability (CVE-2026-33017, CVSS 9.3) was disclosed in Langflow, the open-source visual framework for building AI agents and RAG pipelines with over 145,000 GitHub stars. Within 20 hours, Sysdig’s honeypots captured the first exploitation attempts. No public proof-of-concept code existed. Attackers built working exploits directly from the advisory description. By the 25-hour mark, the first successful data exfiltration was confirmed: attackers harvested OpenAI, Anthropic, and AWS API keys from compromised instances. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on March 25, requiring federal agencies to patch by April 8.
This is the second critical RCE in Langflow in under a year. CVE-2025-3248 (CVSS 9.8), disclosed in early 2025, exploited the same underlying mechanism: Python’s exec() function called on user-supplied code without sandboxing. The fix for the first vulnerability was structurally incapable of preventing the second one. That pattern (patch the endpoint, miss the architecture) is the real story.
How the Vulnerability Works
CVE-2026-33017 affects the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint, designed to let unauthenticated users build public flows. The endpoint accepts flow data containing Python code in node definitions, which Langflow executes server-side via exec() without sandboxing, authentication, or input validation. A single HTTP POST request with malicious Python embedded in the JSON payload achieves immediate remote code execution. The prerequisites are minimal: the target instance needs at least one public flow (standard for any Langflow deployment serving a chatbot), and the attacker needs the flow’s UUID, which is discoverable from shared URLs.
When Langflow’s AUTO_LOGIN is set to true (the default), the attack surface expands further. An attacker can call GET /api/v1/auto_login to obtain a superuser token, create their own public flow, and exploit it. As security researcher Aviral Srivastava, who discovered the flaw on February 26, 2026, told The Hacker News: “One HTTP POST request with malicious Python code in the JSON payload is enough to achieve immediate remote code execution.”
Why It Is the Same Bug Twice
CVE-2025-3248, disclosed in early 2025, exploited the /api/v1/validate/code endpoint. That endpoint accepted arbitrary Python code and passed it to exec() without authentication. The fix added authentication to that specific endpoint. CVE-2026-33017 exploits a different endpoint (/api/v1/build_public_tmp/{flow_id}/flow) that uses the same exec() call at the end of the chain. The difference: this endpoint is designed to be unauthenticated because it serves public flows. Authentication cannot fix it without breaking the feature.
Srivastava found it by searching for the same pattern the first vulnerability used. “I found the same class of vulnerability on a different endpoint. Same codebase. Same exec() call at the end of the chain. Same zero sandboxing.” He tested against Langflow 1.7.3 (the latest stable release at the time). Six runs, six confirmed executions, 100% reproducibility. He reported through Langflow’s GitHub Security Advisory on February 25, 2026. The fix was merged on March 10. A third vulnerability (CVE-2026-33309, CVSS 9.9) was disclosed on March 24, exploiting a path-traversal bug in Langflow’s file upload functionality. All three are fixed in version 1.9.0.
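The structural point above (an authentication fix on one route leaves the exec() sink reachable from any other route that ends in the same call) can be reduced to a few lines. The following is an added example written for this article, not Langflow's code: the flow payload shape, the handler names and the component registry are assumptions. The first function is the pattern the article attributes to both CVEs; the second is a design in which a node can only reference a component registered on the server, so inline code is refused before any execution path is reached, regardless of whether the request was authenticated.

```python
"""Added example written for this article (not Langflow's code).  It contrasts
the pattern the article attributes to both CVEs, exec() of code carried in a
flow node definition, with a design that never executes inline code.  The
payload shape, handler names and component registry are assumptions."""
from typing import Any, Callable

# Hardened design: the only code a flow node can cause to run is a component
# that was reviewed and registered on the server ahead of time.
COMPONENTS: dict[str, Callable[[dict[str, Any]], Any]] = {
    "uppercase": lambda inputs: str(inputs.get("text", "")).upper(),
    "word_count": lambda inputs: len(str(inputs.get("text", "")).split()),
}


class RejectedNode(ValueError):
    """A node definition that the public build path refuses to process."""


def build_flow_unsandboxed(flow: dict[str, Any]) -> list[Any]:
    """The shared root cause, reduced to its essence: whatever string sits in
    node['code'] is handed to exec().  Putting authentication in front of one
    route that calls this leaves every other route that calls it exposed."""
    results: list[Any] = []
    for node in flow["nodes"]:
        namespace: dict[str, Any] = {}
        exec(node["code"], namespace)  # the exec() sink both CVEs reach
        results.append(namespace["run"](node.get("inputs", {})))
    return results


def build_flow_registry(flow: dict[str, Any]) -> list[Any]:
    """Hardened form: nodes reference a registered component by type.  A node
    carrying inline code is rejected, not ignored, so the sink is unreachable
    no matter which route (authenticated or public) delivered the flow."""
    results: list[Any] = []
    for node in flow["nodes"]:
        node_id = node.get("id", "?")
        if "code" in node:
            raise RejectedNode(f"node {node_id}: inline code is not accepted")
        component = COMPONENTS.get(node.get("type", ""))
        if component is None:
            raise RejectedNode(f"node {node_id}: unknown component {node.get('type')!r}")
        results.append(component(node.get("inputs", {})))
    return results


def public_path_accepts(flow: dict[str, Any]) -> bool:
    """True if the hardened public build path would process this flow."""
    try:
        build_flow_registry(flow)
    except RejectedNode:
        return False
    return True


# Constructed flows: a benign one that nonetheless carries inline code, and
# one that only references registered components.
INLINE_CODE_FLOW = {"nodes": [{"id": "n1", "inputs": {"text": "abc"},
                               "code": "def run(inputs):\n    return inputs['text'][::-1]"}]}
REGISTRY_FLOW = {"nodes": [{"id": "n1", "type": "uppercase", "inputs": {"text": "abc"}},
                           {"id": "n2", "type": "word_count", "inputs": {"text": "a b c"}}]}

if __name__ == "__main__":
    print(build_flow_unsandboxed(INLINE_CODE_FLOW))  # runs whatever 'code' says
    print(build_flow_registry(REGISTRY_FLOW))
    print(public_path_accepts(INLINE_CODE_FLOW))     # False: inline code refused
```

The registry version rejects the inline-code node rather than silently dropping the `code` key; a rejection is observable in logs, whereas a silent strip would hide attempts from the operator.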
The 20-Hour Attack Timeline
Sysdig’s threat research team documented the attack sequence in detail. At 16:04 UTC on March 18 (approximately 20 hours after the advisory), four IP addresses began sending identical payloads to Langflow honeypots. The identical payloads suggest a single operator using proxied infrastructure rather than multiple independent attackers. The initial payload executed id, base64-encoded the output, and sent it to an interactsh callback server to probe for vulnerable instances.
Within hours, the attacker escalated to credential harvesting: dumping environment variables (which in a typical Langflow deployment contain database connection strings, API keys, and cloud credentials), enumerating the filesystem for .db and .env files, and exfiltrating their contents. The attacker had pre-staged a dropper URL (http://173.212.205.251:8443/z) ready for payload deployment. This is not opportunistic scanning. This is a prepared exploitation toolkit moving from vulnerability validation to payload deployment in a single session.
Why AI Orchestration Tools Are Uniquely Dangerous
What This Means for AI Infrastructure Security
Langflow is not uniquely vulnerable. It is representative of a class of AI orchestration tools (LangChain, LlamaIndex, CrewAI, AutoGen) that execute user-defined code as a core feature. Any tool that runs arbitrary Python in response to API requests faces the same architectural tension: flexibility for developers versus security for production deployments. The Langflow incidents demonstrate that endpoint-level fixes are insufficient when the underlying architecture relies on unsandboxed code execution.
Sysdig recommends behavior-based runtime detection rather than CVE-specific signatures. The 20-hour exploitation timeline means signature-based detection will always arrive after the attackers. Organizations running any AI orchestration framework should audit their network exposure (is the instance accessible from the internet?), rotate all credentials stored in the orchestration tool’s environment, implement runtime monitoring that detects anomalous process execution, and restrict network egress to prevent credential exfiltration even if the instance is compromised.
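The behaviour-based approach recommended here, as an added example that is neither Sysdig's nor Langflow's code: a small detector over host telemetry that never looks at a payload signature. It tracks the orchestration worker's process tree and raises findings on three behaviours the article describes (a worker descendant that is a shell, discovery, encoding or transfer tool; egress from the worker or its children to a host outside an allowlist; a child of the worker reading a .env or .db file). The event schema, process names, hostnames, timestamps and allowlist are all constructed for the example.

```python
"""Added example, not Sysdig's or Langflow's code: behaviour-based detection
over host telemetry from a machine running an AI orchestration framework.
The event schema, process names, hostnames and allowlist are constructed."""
import json
from collections import Counter
from dataclasses import dataclass

# Worker processes of the orchestration framework (constructed names).
ORCHESTRATOR_PROCS = {"langflow", "uvicorn", "gunicorn"}
# Tools whose appearance as a descendant of a worker matches the behaviour
# the article describes: shell, discovery, encoding, transfer.
SUSPICIOUS_TOOLS = {"sh", "bash", "dash", "id", "whoami", "env", "base64",
                    "curl", "wget", "nc", "find", "cat"}
# The only hosts the worker is expected to talk to (constructed allowlist).
EGRESS_ALLOW = {"api.openai.com", "api.anthropic.com"}
SECRET_SUFFIXES = (".env", ".db")


@dataclass(frozen=True)
class Finding:
    rule: str
    ts: str
    pid: int
    detail: str


def parse_events(text: str) -> list[dict]:
    """One JSON object per line; blank lines ignored (constructed schema)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events: list[dict]) -> list[Finding]:
    """Track worker pids and everything they spawn, then apply three rules
    that do not depend on any CVE-specific payload signature."""
    workers: set[int] = set()
    descendants: set[int] = set()
    findings: list[Finding] = []
    for ev in events:
        pid, kind = ev["pid"], ev["type"]
        if kind == "exec":
            if ev["comm"] in ORCHESTRATOR_PROCS:
                workers.add(pid)
            elif ev["ppid"] in workers or ev["ppid"] in descendants:
                descendants.add(pid)
                if ev["comm"] in SUSPICIOUS_TOOLS:
                    findings.append(Finding("worker_spawned_tool", ev["ts"], pid, ev["cmdline"]))
        elif kind == "connect":
            if (pid in workers or pid in descendants) and ev["dest_host"] not in EGRESS_ALLOW:
                findings.append(Finding("unexpected_egress", ev["ts"], pid,
                                        f"{ev['dest_host']}:{ev['dest_port']}"))
        elif kind == "open":
            # The worker legitimately reads its own .env at startup; a child
            # of the worker doing so is not normal.
            if pid in descendants and ev["path"].endswith(SECRET_SUFFIXES):
                findings.append(Finding("descendant_read_secret_file", ev["ts"], pid, ev["path"]))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule."""
    return dict(Counter(f.rule for f in findings))


# Constructed telemetry: the worker starting normally, then a sequence that
# mirrors the probe-then-harvest pattern the article describes.
SAMPLE_EVENTS = """
{"ts": "t+0s", "type": "exec", "pid": 100, "ppid": 1, "comm": "langflow", "cmdline": "langflow run --host 0.0.0.0"}
{"ts": "t+1s", "type": "open", "pid": 100, "path": "/app/.env"}
{"ts": "t+2s", "type": "connect", "pid": 100, "dest_host": "api.openai.com", "dest_port": 443}
{"ts": "t+40s", "type": "exec", "pid": 231, "ppid": 100, "comm": "sh", "cmdline": "sh -c ..."}
{"ts": "t+40s", "type": "exec", "pid": 232, "ppid": 231, "comm": "id", "cmdline": "id"}
{"ts": "t+40s", "type": "exec", "pid": 233, "ppid": 231, "comm": "base64", "cmdline": "base64"}
{"ts": "t+41s", "type": "connect", "pid": 231, "dest_host": "callback.example.invalid", "dest_port": 80}
{"ts": "t+70s", "type": "exec", "pid": 240, "ppid": 100, "comm": "find", "cmdline": "find / -name *.env"}
{"ts": "t+71s", "type": "open", "pid": 240, "path": "/app/.env"}
"""


def run_sample() -> list[Finding]:
    """Run the detector over the constructed telemetry."""
    return detect(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.ts} {f.rule} pid={f.pid} {f.detail}")
```

The worker's own startup read of `/app/.env` and its call to an allowlisted model API produce no findings; everything in the spawned subtree does. Keeping the egress allowlist tight is what makes the second rule useful: a worker that is allowed to reach arbitrary hosts gives the rule nothing to flag.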
The Langflow incidents are a case study in how AI workloads are becoming priority targets. Attackers are not interested in the AI model itself. They are interested in the credentials the AI pipeline stores: the API keys, database passwords, and cloud tokens that agentic workflows need to function. The AI orchestration layer is the new attack surface.
Sources: Sysdig Threat Research, March 2026; The Hacker News; Infosecurity Magazine; SC Media; Barrack AI technical analysis; CSA Labs research note; CISA KEV catalog; Obsidian Security (CVE-2025-34291 analysis).
The Broader Pattern: Time-to-Exploit Compression
Rapid7’s 2026 Global Threat Landscape Report documented what Langflow illustrates in a single incident. The median time from vulnerability publication to inclusion in CISA’s KEV catalog dropped from 8.5 days to five days over the past year. By 2023, 44% of exploited vulnerabilities were weaponized within 24 hours of disclosure, and 80% of public exploits appeared before the official advisory was published. Langflow’s 20-hour window is not an outlier. It is the new normal.
The advisory for CVE-2026-33017 contained enough detail (the vulnerable endpoint path and the mechanism for code injection via flow node definitions) for attackers to build a working exploit without additional research. Advisory quality creates a dual-use problem: the same detail that helps defenders understand the risk helps attackers construct the exploit. There is no resolution to this tension. More detail means faster patching and faster exploitation. The only variable defenders control is patch deployment speed, and at 20 days median, that speed is not competitive with a 20-hour exploit development cycle.