Critical Langflow Vulnerability Exploited Hours After Public Disclosure

Threat actors started exploiting a critical Langflow vulnerability roughly 20 hours after public disclosure, Sysdig reports. Langflow is a popular open source framework for creating and deploying AI agents and workflows using a visual builder interface, with over 145,000 GitHub stars and more than 8,000 forks. On March 17, Langflow version 1.8.1 was released with patches for a critical vulnerability leading to unauthenticated remote code execution (RCE). Tracked as CVE-2026-33017 (CVSS score of 9.3), the issue impacts a POST endpoint that allows developers to create public flows without requiring authentication. Because of the bug, when the optional ‘data’ parameter is supplied, the endpoint uses flow data that an attacker can supply in node definitions in the form of Python code, instead of the flow data stored in the database. The code is executed without sandboxing, leading to RCE without authentication. According to Sysdig, a single HTTP request is required to trigger the bug, and threat actors started exploiting it hours after public disclosure. “This is notable because no public PoC repository existed on GitHub at the time of the first attack. The advisory itself contained enough detail (the vulnerable endpoint path and the mechanism for code injection via flow node definitions) for attackers to construct a working exploit without additional research,” Sysdig says. Threat actors have been exploiting CVE-2026-33017 to steal keys and credentials required to access connected databases, potentially setting up for supply chain attacks. Within 48 hours of the vulnerability being publicly disclosed, Sysdig observed exploitation attempts coming from six unique source IPs. During the initial phase of exploitation, mass scans were observed coming from four IPs, delivering the same payload, likely using an automated scanning tool. The second phase involved a different IP address and moved to active reconnaissance, employing pre-staged infrastructure to deploy payloads after validation. Data exfiltration, Sysdig says, was observed during the third phase, which was sourced from a different IP address. The custom scripts deployed during the second and third phases were seen sending data to the same command-and-control (C&C) server. “This overlap likely indicates a single operator working through multiple proxies or VPS nodes, though it could also reflect a shared exploitation toolkit,” Sysdig says. Related: Critical ScreenConnect Vulnerability Exposes Machine Keys Related: Russian APT Exploits Zimbra Vulnerability Against Ukraine Related: CISA Warns of Attacks Exploiting Recent SharePoint Vulnerability Related: 174 Vulnerabilities Targeted by RondoDox Botnet WRITTEN BY Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Security Firm Aura Discloses Data Breach Impacting 900,000 Records Russian APT Exploits Zimbra Vulnerability Against Ukraine Raven Emerges From Stealth With $20 Million in Funding ‘DarkSword’ iOS Exploit Kit Used by State-Sponsored Hackers, Spyware Vendors EU Sanctions Chinese, Iranian Firms Supporting Hacking Operations Manifold Raises $8 Million for AI Detection and Response Apple Debuts Background Security Improvements With Fresh WebKit Patches Tech Giants Invest $12.5 Million in Open Source Security Latest News Cape Raises $100 Million for Protection Against Cellular Security Threats Navia Data Breach Impacts 2.7 Million Thousands of Magento Sites Hit in Ongoing Defacement Campaign Allure Security Raises $17 Million for Online Brand Protection Aisuru and Kimwolf DDoS Botnets Disrupted in International Operation Oasis Security Raises $120 Million for Agentic Access Management 1stProtect Emerges From Stealth With $20 Million in Funding Critical ScreenConnect Vulnerability Exposes Machine Keys Trending Webinar: Securing Fragile OT In An Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Webinar: Why Automated Pentesting Alone Is Not Enough April 7, 2026 Join our live diagnostic session to expose hidden coverage gaps and shift from flawed tool-level evaluations to a comprehensive, program-level validation discipline. Register People on the Move Kai has named Alfredo Hickman as Chief Information Security Officer. Gleb Reznik is replacing Fred Gibbins as the CISO at American Express. HITRUST has appointed Sean Foster as CRO and Marc Solomon as CMO. More People On The Move Expert Insights The Human IOC: Why Security Professionals Struggle With Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How To 10x Your Vulnerability Management Program In The Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) SIM Swaps Expose A Critical Flaw In Identity Security SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts. (Torsten George) Four Risks Boards Cannot Treat As Background Noise The goal isn’t about preventing every attack but about keeping the business running when attacks succeed. (Steve Durbin) How To Eliminate The Technical Debt Of Insecure AI-Assisted Software Development Developers must view AI as a collaborator to be closely monitored, rather than an autonomous entity to be unleashed. Without such a mindset, crippling tech debt is inevitable. (Matias Madou) Flipboard Reddit Whatsapp Email