CVE‑2026‑33017 in Langflow Actively Abused Within 20 Hours of Public Release

A critical vulnerability affecting Langflow is already being actively exploited less than 20 hours after its public disclosure, underscoring how quickly attackers are able to weaponize newly revealed security flaws.

The issue, identified as CVE‑2026‑33017 and assigned a CVSS score of 9.3, stems from a lack of authentication combined with a code injection weakness that can lead to unauthenticated remote code execution (RCE).

According to Langflow’s security advisory, the flaw resides in the
POST /api/v1/build_public_tmp/{flow_id}/flow endpoint, which allows public flows to be built without any authentication checks.

“When the optional data parameter is provided, the endpoint processes attacker‑supplied flow definitions instead of retrieving the legitimate flow data stored in the database,” Langflow explained. “Because these definitions may contain arbitrary Python code embedded in node configurations, and because that code is passed directly to exec() without sandboxing, the result is unauthenticated remote code execution.”

The vulnerability affects all versions of Langflow up to and including 1.8.1. A fix has been introduced in the development release 1.9.0.dev8.

Security researcher Aviral Srivastava, who discovered and responsibly disclosed the flaw on February 26, 2026, emphasized that CVE‑2026‑33017 is separate from CVE‑2025‑3248 (CVSS 9.8) another severe Langflow vulnerability that abused the /api/v1/validate/code endpoint to execute arbitrary Python code without authentication. That earlier flaw has since been listed as actively exploited by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

Srivastava explained that while both vulnerabilities ultimately rely on the same unsafe exec() call, CVE‑2026‑33017 occurs specifically within the public flow build endpoint.

“This endpoint is intentionally unauthenticated because it serves public flows,” he said. “Simply adding authentication would break that functionality. The correct fix is to completely eliminate the data parameter from the public endpoint, ensuring that public flows can only execute server‑side stored definitions and never attacker‑provided content.”

If successfully exploited, the flaw allows an attacker to achieve full code execution privileges with a single HTTP request. From there, a threat actor could access environment variables, read or modify files, implant backdoors, delete sensitive data, or establish a reverse shell on the affected server.

Srivastava noted that exploitation is “extremely trivial,” requiring nothing more than a crafted curl command. A single POST request containing malicious Python code in the JSON payload is sufficient to trigger immediate RCE.

Cloud security firm Sysdig reported observing real‑world exploitation attempts targeting CVE‑2026‑33017 within 20 hours of the advisory’s release on March 17, 2026.

“At the time, no public proof‑of‑concept code was available,” Sysdig said. “Attackers derived working exploits directly from the advisory and immediately began scanning the internet for exposed Langflow instances. Stolen data included credentials and keys that enabled access to connected databases and raised the risk of downstream supply‑chain compromise.”

Researchers also observed attackers transitioning from broad automated scans to targeted exploitation using custom Python scripts. These scripts were used to extract data from /etc/passwd and deploy a follow‑on payload hosted at 173.212.205[.]251:8443. Additional activity from the same infrastructure suggests a comprehensive credential‑harvesting campaign involving environment variables, configuration files, databases, and .env files.

Sysdig said this behavior points to deliberate preparation by the attackers, who appeared ready to deploy malware immediately after identifying a vulnerable target. “This is not opportunistic scanning,” the company noted. “It reflects a threat actor equipped with a mature exploitation toolkit capable of moving from vulnerability validation to payload delivery in a single session.” The identity of the attackers remains unknown.

The extremely short window between disclosure and exploitation reflects a broader trend across the threat landscape. Median time‑to‑exploit (TTE) has fallen dramatically from 771 days in 2018 to just hours by 2024.

Data from Rapid7’s 2026 Global Threat Landscape Report shows that the median time between vulnerability disclosure and inclusion in CISA’s Known Exploited Vulnerabilities (KEV) catalog dropped from 8.5 days to five days over the past year.

“This compression in timelines creates a serious defensive gap,” the report noted. “Organizations typically take around 20 days to deploy patches, leaving them exposed long after attackers have operationalized exploits. Adversaries monitor the same advisory channels as defenders and often move faster than organizations can test and remediate vulnerabilities. Security teams must fundamentally rethink their vulnerability management strategies.”

To reduce risk, users are strongly advised to upgrade to a patched version immediately, review exposed Langflow instances for compromised secrets, rotate API keys and database credentials, monitor for suspicious outbound connections, and restrict access using firewall rules or authenticated reverse proxies.

The exploitation of CVE‑2025‑3248 and CVE‑2026‑33017 highlights how AI platforms are increasingly attractive targets due to their access to sensitive data, integration into software supply chains, and historically weak security controls.

“CVE‑2026‑33017 exemplifies a growing norm rather than an exception,” Sysdig concluded. “Critical vulnerabilities in widely used open‑source tools are now being exploited within hours of disclosure—often before any public exploit code exists.”