Critical Langflow Flaw CVE-2026-33017 Triggers Attacks within 20 Hours of Disclosure

Critical Langflow Flaw CVE-2026-33017 Triggers Attacks within 20 Hours of Disclosure Ravie LakshmananMar 20, 2026Vulnerability / Artificial Intelligence A critical security flaw impacting Langflow has come under active exploitation within 20 hours of public disclosure, highlighting the speed at which threat actors weaponize newly published vulnerabilities. The security defect, tracked as CVE-2026-33017 (CVSS score: 9.3), is a case of missing authentication combined with code injection that could result in remote code execution. "The POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication," according to Langflow's advisory for the flaw. "When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution." The vulnerability affects all versions of the open-source artificial intelligence (AI) platform prior to and including 1.8.1. It has been currently addressed in the development version 1.9.0.dev8. Security researcher Aviral Srivastava, who discovered and reported the flaw on February 26, 2026, said it's distinct from CVE-2025-3248 (CVSS score: 9.8), another critical bug in Langflow that abused the /api/v1/validate/code endpoint to execute arbitrary Python code without requiring any authentication. It has since come under active exploitation, per the U.S. Cybersecurity and Infrastructure Security Agency (CISA). "CVE-2026-33017 is in /api/v1/build_public_tmp/{flow_id}/flow," Srivastava explained, adding that the root cause stems from the use of the same exec() call as CVE-2025-3248 at the end of the chain. "This endpoint is designed to be unauthenticated because it serves public flows. You can't just add an auth requirement without breaking the entire public flows feature. The real fix is removing the data parameter from the public endpoint entirely, so public flows can only execute their stored (server-side) flow data and never accept attacker-supplied definitions." Successful exploitation could allow an attacker to send a single HTTP request and obtain arbitrary code execution with the full privileges of the server process. With this privilege in place, the threat actor can read environment variables, access or modify files to inject backdoors or erase sensitive data, and even obtain a reverse shell. Srivastava told The Hacker News that exploiting CVE-2026-33017 is "extremely easy" and can be triggered by means of a weaponized curl command. One HTTP POST request with malicious Python code in the JSON payload is enough to achieve immediate remote code execution, he added. Cloud security firm Sysdig said it observed the first exploitation attempts targeting CVE-2026-33017 in the wild within 20 hours of the advisory's publication on March 17, 2026. "No public proof-of-concept (PoC) code existed at the time," Sysdig said. "Attackers built working exploits directly from the advisory description and began scanning the internet for vulnerable instances. Exfiltrated information included keys and credentials, which provided access to connected databases and potential software supply chain compromise." Threat actors have also been observed moving from automated scanning to leveraging custom Python scripts in order to extract data from "/etc/passwd" and deliver an unspecified next-stage payload hosted on "173.212.205[.]251:8443." Subsequent activity from the same IP address points in a thorough credential harvesting operation that involves gathering environment variables, enumerating configuration files and databases, and extracting the contents of .env files. This suggests planning on part of the threat actor by staging the malware to be delivered once a vulnerable target is identified. "This is an attacker with a prepared exploitation toolkit moving from vulnerability validation to payload deployment in a single session," Sysdig noted. It's currently not known who is behind the attacks. The 20-hour window between advisory publication and first exploitation aligns with an accelerating trend that has seen the median time-to-exploit (TTE) shrinking from 771 days in 2018 to just hours in 2024. According to Rapid7's 2026 Global Threat Landscape Report, the median time from publication of a vulnerability to its inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog dropped from 8.5 days to five days over the past year. "This timeline compression poses serious challenges for defenders. The median time for organizations to deploy patches is approximately 20 days, meaning defenders are exposed and vulnerable for far too long," it added. "Threat actors are monitoring the same advisory feeds that defenders use, and they are building exploits faster than most organizations can assess, test, and deploy patches. Organizations must completely reconsider their vulnerability programs to meet reality." Users are advised to update to the latest patched version as soon as possible, audit environment variables and secrets on any publicly exposed Langflow instance, rotate keys and database passwords as a precautionary measure, monitor for outbound connections to unusual callback services, and restrict network access to Langflow instances using firewall rules or a reverse proxy with authentication. The exploration activity targeting CVE-2025-3248 and CVE-2026-33017 underscores how AI workloads are landing in attackers' crosshairs owing to their access to valuable data, integration within the software supply chain, and insufficient security safeguards. "CVE-2026-33017 [...] demonstrates a pattern that is becoming the norm rather than the exception: critical vulnerabilities in popular open-source tools are weaponized within hours of disclosure, often before public PoC code is even available," Sysdig concluded. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  artificial intelligence, Cloud security, cybersecurity, Open Source, remote code execution, Threat Intelligence, Vulnerability Trending News Apple Issues Security Updates for Older iOS Devices Targeted by Coruna WebKit Exploit Veeam Patches 7 Critical Backup and Replication Flaws Allowing Remote Code Execution Chinese Hackers Target Southeast Asian Militaries with AppleChris and MemFun Malware Google Fixes Two Chrome Zero-Days Exploited in the Wild Affecting Skia and V8 FortiGate Devices Exploited to Breach Networks and Steal Service Account Credentials ⚡ Weekly Recap: Chrome 0-Days, Router Botnets, AWS Breach, Rogue AI Agents and More Android 17 Blocks Non-Accessibility Apps from Accessibility API to Prevent Malware Abuse Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days Six Android Malware Families Target Pix Payments, Banking Apps, and Crypto Wallets Critical n8n Flaws Allow Remote Code Execution and Exposure of Stored Credentials ThreatsDay Bulletin: OAuth Trap, EDR Killer, Signal Phishing, Zombie ZIP, AI Platform Hack and More Meta to Shut Down Instagram End-to-End Encrypted Chat Support Starting May 2026 OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration Apple Fixes WebKit Vulnerability Enabling Same-Origin Policy Bypass on iOS and macOS Nine CrackArmor Flaws in Linux AppArmor Enable Root Escalation, Bypass Container Isolation Researchers Trick Perplexity's Comet AI Browser Into Phishing Scam in Under Four Minutes CISA Flags Actively Exploited Wing FTP Vulnerability Leaking Server Paths Popular Resources Get the 2026 ASV Report to Benchmark Top Validation Tools Guide - Discover How to Validate AI Risks With Adversarial Testing Webinar - Identify Key Attack Paths to Your Crown Jewels with CSMA Fix Security Noise by Focusing Only on Validated Exposures