Critical Flaw in Langflow AI Platform Under Attack

VULNERABILITIES & THREATS CYBER RISK APPLICATION SECURITY CYBERATTACKS & DATA BREACHES NEWS Critical Flaw in Langflow AI Platform Under Attack Threats actors pounced on the code injection vulnerability within hours of its disclosure, demonstrating that organizations have little time to address critical bugs. Rob Wright,Senior News Director,Dark Reading March 26, 2026 2 Min Read SOURCE: CAGKAN SAYIN VIA ALAMY STOCK PHOTO A critical vulnerability in Langflow, an open source framework for AI agent development, has been exploited in the wild shortly after its initial disclosure. The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-33017, a critical code injection flaw, to its Known Exploited Vulnerabilities (KEV) catalog on Wednesday. CVE-2026-33017, which received a 9.8 CVSS score, was first disclosed on March 17, and reports of threat activity emerged soon after. In a blog post last week, cloud security vendor Sysdig said it observed exploitation attempts less than 24 hours after the disclosure. This was notable, according to Sysdig researchers, because no public proof-of-concept (PoC) exploit was available and the attackers were able to use information in the advisory to quickly build their own working exploits. Sysdig noted that such activity, where vulnerabilities in open source tools are exploited within hours of disclosure, is becoming the norm rather than the exception. "Furthermore, AI workloads are increasingly falling into threat actors’ crosshairs as they offer high-value data, software supply chain access, and often lack robust security," the company said. Related:Automotive Cybersecurity Threats Grow in Era of Connected, Autonomous Vehicles The Risks Posed by CVE-2026-33017 Langflow is a popular low code framework for building and deploying AI agents. CVE-2026-33017 stems from an issue with the POST "/api/v1/build_public_tmp/{flow_id}/flow" endpoint, which allows unauthorized users to build public flows without authentication. According to Langflow's advisory on GitHub, if a threat actor supplies the optional "data" parameter, the endpoint will use attacker-controlled flow data that contains arbitrary Python code in node definitions instead of the stored flow data from the database. The code is passed to "exec()" with no sandboxing, which gives remote code execution to unauthenticated users. Langflow noted that this vulnerability is distinct from CVE-2025-3248, a similar and easy-to-exploit flaw that was exploited by threat actors last year to spread the Flodrix botnet. Sysdig researchers noted that Langflow's advisory for CVE-2026-33017 contained enough details, such as the vulnerable endpoint path and code injection mechanism, for threat actors to build a working exploit without additional research.  "For defenders, the practical takeaway is that the window between "advisory publication" and "active exploitation" is now measured in hours, not days or weeks," Sysdig said.  The researchers also warned that threat actors who exploited CVE-2026-33017 were able to extract sensitive data from vulnerable Langflow instances, such as keys and credentials. And because Langflow instances are configured with API keys for OpenAI, Anthropic, and AWS, among others, attackers can potentially move laterally to connected databases and services. Related:Patch Now: Oracle's Fusion Middleware Has Critical RCE Flaw Langflow said version 1.9.0 of the framework mitigated the vulnerability; users should upgrade to the fixed version as soon as possible. In its blog post, Sysdig researchers warned that organizations operating on scheduled patch cycles to address critical flaws will be beaten to the punch by attackers. The company highlighted defensive measures such as runtime detection, network segmentation, and rapid response capabilities to bridge "the gap between disclosure and remediation." About the Author Rob Wright Senior News Director, Dark Reading Rob Wright is a longtime reporter with more than 25 years of experience as a technology journalist. Prior to joining Dark Reading as senior news director, he spent more than a decade at TechTarget's SearchSecurity in various roles, including senior news director, executive editor and editorial director. Before that, he worked for several years at CRN, Tom's Hardware Guide, and VARBusiness Magazine covering a variety of technology beats and trends. Prior to becoming a technology journalist in 2000, he worked as a weekly and daily newspaper reporter in Virginia, where he won three Virginia Press Association awards in 1998 and 1999. He graduated from the University of Richmond in 1997 with a degree in journalism and English. A native of Massachusetts, he lives in the Boston area.  Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports Frost Radar™: Non-human Identity Solutions 2026 CISO AI Risk Report The ROI of AI in Security Cybersecurity Forecast 2026 ThreatLabz 2025 Ransomware Report Access More Research Webinars Building a Robust SOC in a Post-AI World Retail Security: Protecting Customer Data and Payment Systems Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need Securing Remote and Hybrid Work Forecast: Beyond the VPN AI-Powered Threat Detection: Beyond Traditional Security Models More Webinars You May Also Like VULNERABILITIES & THREATS Cheap Hardware Module Bypasses AMD, Intel Memory Encryption by Rob Wright NOV 25, 2025 VULNERABILITIES & THREATS Patch Now: Microsoft Flags Zero-Day & Critical Zero-Click Bugs by Jai Vijayan, Contributing Writer NOV 11, 2025 VULNERABILITIES & THREATS AI Agents Fail in Novel Ways, Put Businesses at Risk by Robert Lemos, Contributing Writer MAY 07, 2025 CYBERATTACKS & DATA BREACHES DeepSeek Breach Opens Floodgates to Dark Web by Emma Zaballos APR 22, 2025 Editor's Choice CYBERSECURITY OPERATIONS Why Stryker's Outage Is a Disaster Recovery Wake-Up Call byJai Vijayan MAR 12, 2026 5 MIN READ CYBER RISK What Orgs Can Learn From Olympics, World Cup IR Plans byTara Seals MAR 12, 2026 THREAT INTELLIGENCE Commercial Spyware Opponents Fear US Policy Shifting byRob Wright MAR 12, 2026 9 MIN READ Want more Dark Reading stories in your Google search results? 2026 Security Trends & Outlooks THREAT INTELLIGENCE Cybersecurity Predictions for 2026: Navigating the Future of Digital Threats JAN 2, 2026 CYBER RISK Navigating Privacy and Cybersecurity Laws in 2026 Will Prove Difficult JAN 12, 2026 ENDPOINT SECURITY CISOs Face a Tighter Insurance Market in 2026 JAN 5, 2026 THREAT INTELLIGENCE 2026: The Year Agentic AI Becomes the Attack-Surface Poster Child JAN 30, 2026 Download the Collection Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE Webinars Building a Robust SOC in a Post-AI World THURS, MARCH 19, 2026 AT 1PM EST Retail Security: Protecting Customer Data and Payment Systems THURS, APRIL 2, 2026 AT 1PM EST Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need WED, APRIL 1, 2026 AT 1PM EST Securing Remote and Hybrid Work Forecast: Beyond the VPN TUES, MARCH 10, 2026 AT 1PM EST AI-Powered Threat Detection: Beyond Traditional Security Models WED, MARCH 25, 2026 AT 1PM EST More Webinars White Papers Autonomous Pentesting at Machine Speed, Without False Positives Fixing Organizations' Identity Security Posture Best practices for incident response planning Industry Report: AI, SOC, and Modernizing Cybersecurity The Threat Prevention Buyer's Guide: Find the best AI-driven threat protection solution to stop file-based attacks. Explore More White Papers GISEC GLOBAL 2026 GISEC GLOBAL is the most influential and the largest cybersecurity gathering in the Middle East & Africa, uniting global CISOs, government leaders, technology buyers, and ethical hackers for three power-packed days of innovation, strategy, and live cyber drills. 📌 BOOK YOUR SPACE