The critical security flaw affecting Langflow was being actively exploited within 20 hours of publication, highlighting the speed with which threat actors weaponize newly disclosed vulnerabilities.
This security flaw, tracked as CVE-2026-33017 (CVSS score: 9.3), could result in remote code execution through a combination of missing authentication and code injection.
According to Langflow’s advisory for this flaw, “The POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows you to build public flows without requiring authentication.”
“If the optional data parameter is specified, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in the node definition) instead of flow data stored in the database. This code is passed to exec() without sandboxing, resulting in unauthenticated remote code execution.”
This vulnerability affects all versions of open source artificial intelligence (AI) platforms prior to 1.8.1. Currently supported in development version 1.9.0.dev8.
Security researcher Aviral Srivastava, who discovered and reported the flaw on February 26, 2026, said this is different from CVE-2025-3248 (CVSS score: 9.8), another critical Langflow bug that exploits the /api/v1/validate/code endpoint to execute arbitrary Python code without requiring authentication. Since then, the vulnerability has been actively exploited, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
“CVE-2026-33017 is located in /api/v1/build_public_tmp/{flow_id}/flow,” Srivastava explained, adding that the root cause is the use of the same exec() call as CVE-2025-3248 at the end of the chain.
“Since this endpoint serves a public flow, it is designed to be unauthenticated. You cannot add authentication requirements without breaking the entire public flow functionality. The real fix is to remove the data parameter from the public endpoint entirely. So the public flow can only run on stored (server-side) flow data, and any attacker-specified definitions will never be accepted.”
A successful exploit could allow the attacker to execute arbitrary code with the full privileges of the server process by sending a single HTTP request. With this permission in place, a threat actor can read environment variables, access or modify files, insert backdoors, erase sensitive data, or even obtain a reverse shell.
Cloud security company Sysdig said it observed the first exploitation attempt targeting CVE-2026-33017 in the wild within 20 hours of publication of the advisory on March 17, 2026.
“At that time, there was no publicly available proof-of-concept (PoC) code,” Sysdig said. “The attackers built an exploit that worked directly from the advisory description and began scanning the internet for vulnerable instances. The exposed information included keys and credentials, providing access to connected databases and possible compromise of the software supply chain.”
Threat actors have also been observed moving from automated scanning to utilizing custom Python scripts to extract data from ‘/etc/passwd’ and deliver the next stage payload hosted at ‘173.212.205’.[.]251:8443″ to facilitate credential collection. This suggests a plan to attack some of the attackers by configuring them to deliver malware in stages once vulnerable targets are identified.
“This is an attacker with a prepared exploitation toolkit that goes from validating the vulnerability to deploying the payload in a single session,” Sysdig noted. It is currently unknown who is behind the attack.
The 20-hour timeframe from publication of an advisory to first exploit is consistent with an accelerating trend of median time-to-exploit (TTE) decreasing from 771 days in 2018 to just a few hours in 2024.
According to Rapid7’s 2026 Global Threat Landscape Report, the median time between a vulnerability being disclosed and appearing in CISA’s Known Exploited Vulnerabilities (KEV) catalog has decreased from 8.5 days to 5 days over the past year.
“This compressed timeline poses serious challenges for defenders. The median time for organizations to deploy patches is approximately 20 days, meaning defenders remain exposed and vulnerable for far too long.” “Adversaries are monitoring the same advisory feeds that defenders use and are building exploits faster than most organizations can assess, test, and deploy patches. Organizations must completely rethink their vulnerability programs to keep up with reality.”
We recommend that users update to the latest patched version as soon as possible, audit the environment variables and secrets of publicly available Langflow instances, rotate keys and database passwords as a precaution, monitor outbound connections to abnormal callback services, and use firewall rules or authenticated reverse proxies to restrict network access to Langflow instances.
Research efforts targeting CVE-2025-3248 and CVE-2026-33017 highlight how AI workloads are targeted by attackers due to access to valuable data, integration within the software supply chain, and inadequate security safeguards.
“CVE-2026-33017” […] This points to a pattern that is becoming the norm rather than the exception. Critical vulnerabilities in popular open source tools are weaponized within hours of being published, often before public PoC code is available. ” concluded Sysdig.
Source link
