Langflow AI Platform Unauthenticated RCE (CVE-2026-33017) Exploited Within 20 Hours
Summary
CVE-2026-33017 is an unauthenticated remote code execution vulnerability in Langflow’s public flow build functionality. The GitHub security advisory published on March 17, 2026 described a flaw that allowed attacker-supplied Python code in flow definitions to execute server-side without authentication.
Sysdig said it observed the first exploitation attempts roughly 20 hours after the advisory became public and recorded subsequent credential-harvesting behavior against exposed honeypot instances. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on March 25, and Langflow’s release page later showed 1.9.0 as the fixed release line in April.
Technical Analysis
The vulnerability affects Langflow’s public flow build endpoint and stems from server-side execution of attacker-controlled Python embedded in flow data. Because the endpoint was designed for public flow building, attackers did not need prior authentication to reach it.
Sysdig reported that early exploit activity used single HTTP POST requests to execute Python, verify code execution, and then read environment variables or sensitive files from exposed instances. The public sources reviewed here support code execution, secret access, and rapid exploitation, but they do not support attributing the activity to a named actor or assuming every vulnerable instance suffered the same post-exploitation steps.
Attack Chain
Stage 1: Exposure of Public Flow Build Endpoint
Attackers identified internet-exposed Langflow instances with the public flow build functionality reachable without authentication.
Stage 2: Code Injection via Flow Definition
The GitHub advisory described how a crafted request could place attacker-controlled Python into a flow definition and trigger server-side execution.
Stage 3: Reconnaissance and Secret Harvesting
Sysdig observed attackers using the resulting execution to run basic system commands, enumerate environment variables, and search for sensitive files such as .env data and database artifacts.
Stage 4: Follow-on Access Risk
Any secrets exposed through the compromised Langflow process created follow-on risk for connected services such as model-provider APIs, databases, and cloud accounts.
Impact Assessment
The most immediate impact is exposure of credentials and runtime secrets reachable by the Langflow process. Sysdig specifically described attackers harvesting environment variables and sensitive files from vulnerable instances, creating risk to AI-service accounts, databases, and other integrations configured on those systems.
The public reporting also shows that exposed Langflow deployments came under exploitation pressure quickly. It does not, however, justify broad claims about global victim counts, named actors, or uniform downstream compromise across all deployments.
Attribution
No named threat actor was confirmed in the cited public sources. Sysdig observed multiple source IPs and varied exploit behavior, but its reporting did not assign the activity to a known intrusion set.
This exploitation activity should therefore remain unattributed until a primary-source investigation links it to a confirmed actor.
Timeline
2026-03-17 — GitHub Advisory Published
The GitHub security advisory for GHSA-vwmf-pq79-vjvx publicly described CVE-2026-33017 and the vulnerable public flow build mechanism.
2026-03-18 — First Exploitation Observed
Sysdig observed the first exploitation attempts against its honeypot fleet, about 20 hours after the advisory publication.
2026-03-25 — CISA KEV Listing Added
CISA added CVE-2026-33017 to the Known Exploited Vulnerabilities catalog with an accelerated federal remediation timeline.
2026-04-14 — Fixed Release Line Listed
Langflow’s release page listed version 1.9.0 as the fixed release line available to users.
Remediation & Mitigation
The public guidance supports immediately restricting or disabling exposure of the public flow build endpoint, rotating all secrets reachable by the Langflow process, and reviewing logs for suspicious POST requests and post-exploitation activity. Defenders should treat any exposed instance as a potential credential-exposure event until they verify otherwise.
Update Langflow to a fixed release and re-evaluate how secrets are stored around AI workflow infrastructure. The public reporting repeatedly highlights that environment variables and adjacent configuration files were high-value targets once code execution was achieved.
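To support the rotation step above, this added example (not code from Langflow, Sysdig, or the advisory) builds a rotation checklist from the environment and .env content available to a Langflow process, recording keyed fingerprints instead of values so a second run can confirm that each secret actually changed. The name patterns, sample variables, and inventory key are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

# Heuristic name patterns for credentials (an assumption; tune per deployment).
SECRET_NAME = re.compile(r"KEY|TOKEN|SECRET|PASSWORD|PASSWD|CREDENTIAL|DATABASE_URL|DSN", re.I)

def parse_dotenv(text):
    """Parse KEY=VALUE lines of .env content, skipping comments and blank lines."""
    pairs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        name, value = line.split("=", 1)
        pairs[name.strip()] = value.strip().strip("'\"")
    return pairs

def fingerprint(value, inventory_key):
    """Keyed digest so the inventory can be compared later without storing the secret."""
    return hmac.new(inventory_key, value.encode(), hashlib.sha256).hexdigest()[:16]

def rotation_inventory(sources, inventory_key):
    """sources: {label: {name: value}} -> sorted [(name, label, fingerprint)]."""
    items = []
    for label, pairs in sources.items():
        for name, value in pairs.items():
            if value and SECRET_NAME.search(name):
                items.append((name, label, fingerprint(value, inventory_key)))
    return sorted(items)

def unrotated(before, after):
    """Names whose fingerprint did not change between two inventories."""
    old = {(name, label): fp for name, label, fp in before}
    return sorted(name for name, label, fp in after if old.get((name, label)) == fp)

# Constructed sample data, not real credentials.
SAMPLE_ENV = {"OPENAI_API_KEY": "sk-constructed-1", "PORT": "7860", "PATH": "/usr/bin"}
SAMPLE_DOTENV = "# constructed\nexport DATABASE_URL='postgres://u:old@db/app'\nLOG_LEVEL=info\nAPI_TOKEN=\n"

if __name__ == "__main__":
    key = b"constructed-inventory-key"
    sources = {"process-env": SAMPLE_ENV, ".env": parse_dotenv(SAMPLE_DOTENV)}
    for name, label, fp in rotation_inventory(sources, key):
        print(f"{name:16} {label:12} hmac:{fp}")
```

Run it once before rotation and once after, then pass both inventories to `unrotated` to list anything still carrying its old value. Keep the inventory key off the affected host.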
Sources & References
- GitHub: Langflow security advisory GHSA-vwmf-pq79-vjvx — GitHub, 2026-03-17
- Sysdig: CVE-2026-33017 - How attackers compromised Langflow AI pipelines in 20 hours — Sysdig, 2026-03-19
- CISA: Known Exploited Vulnerabilities Catalog — CISA, 2026-03-25
- GitHub: Releases - langflow-ai/langflow — GitHub, 2026-04-14