CISA: New Langflow flaw actively exploited to hijack AI workflows - BleepingComputer

CISA: New Langflow flaw actively exploited to hijack AI workflows By Bill Toulas March 26, 2026 03:17 PM 1 The Cybersecurity and Infrastructure Security Agency (CISA) is warning that hackers are actively exploiting a critical vulnerability identified as CVE-2026-33017, which affects the Langflow framework for building AI agents. The security issue received a critical score of 9.3 out of 10 and can be leveraged for remote code execution, allowing threat actors to build public flows without authentication. The agency added the issue to the list of Known Exploited Vulnerabilities, describing it as a code injection vulnerability. Researchers at application security company Sysdig claim that hackers started exploiting CVE-2026-33017 on March 19, about 20 hours after the vulnerability advisory became public. No public proof-of-concept (PoC) exploit code existed at the time, and Endor Labs believes that attackers built exploits directly from the information included in the advisory. Automated scanning activity began in 20 hours, followed by exploitation using Python scripts in 21 hours, and data (.env and .db files) harvesting in 24 hours. Langflow is a popular open-source visual framework for building AI workflows with 145,000 stars on GitHub. It provides a drag-and-drop interface for connecting nodes into executable pipelines, along with a REST API for running them programmatically. The tool has widespread adoption across the AI development ecosystem, making it an attractive target for hackers. In May 2025, CISA issued another warning about active exploitation in Langflow, targeting CVE-2025-3248, a critical API endpoint flaw that allows unauthenticated RCE and potentially leads to full server control. The most recent flaw, CVE-2026-33017, lets attackers execute arbitrary Python code impacts versions 1.8.1 and earlier of Langflow, and could be exploited via a single crafted HTTP request due to unsandboxed flow execution. CISA did not mark the flaw as exploited by ransomware actors, but gave federal agencies until April 8 to apply the security updates or mitigations, or stop using the product. System administrators are recommended to upgrade to Langflow version 1.9.0 or later, which addresses the security problem, or disable/restrict the vulnerable endpoint. Sysdig also advised not to expose Langflow directly to the internet, to monitor outbound traffic, and to rotate API keys, database credentials, and cloud secrets when suspicious activity is detected. CISA’s deadline formally applies to organizations covered by Binding Operational Directive (BOD) 22-01, but private sector companies, state and local governments, and other non-FCEB entities are also advised to treat it as a benchmark and respond accordingly. 99% of What Mythos Found Is Still Unpatched. AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming. At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what's exploitable, proves controls hold, and closes the remediation loop. Claim Your Spot Related Articles: Max severity Flowise RCE vulnerability now exploited in attacks 13-year-old bug in ActiveMQ lets hackers remotely execute commands CISA gives feds four days to patch Ivanti flaw exploited as zero-day Palo Alto Networks firewall zero-day exploited for nearly a month Weaver E-cology critical bug exploited in attacks since March