Attackers weaponized critical RCE within hours, prompting CISA to add the flaw to its KEV catalog and set an urgent patch deadline.

Attackers have exploited a critical Langflow RCE within hours of disclosure, prompting the US Cybersecurity and Infrastructure Security Agency (CISA) to formally flag it for urgent remediation.

The flaw, which allows running arbitrary code on vulnerable Langflow instances without credentials, was weaponized within 20 hours of the open-source AI-pipeline tool disclosing it.

According to a Sysdig report, crooks started hitting a fleet of honeypot nodes with vulnerable instances across multiple cloud providers and regions right after they went live. Sysdig observed four such attempts within hours of deployment, with one attacker progressing to environment variable exfiltration.

“This is notable because no public POC repository existed on GitHub at the time of the first attack,” Sysdig researchers said. “The advisory itself contained enough detail (the vulnerable endpoint path and the mechanism for code injection via flow node definitions) for attackers to construct a working exploit without additional research.”

CISA has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch their systems by April 8, 2026.

A default setting allows code injection

The vulnerability, tracked as CVE-2026-33017, stems from an exposed API endpoint in Langflow, the open-source visual framework for building AI agents and Retrieval-Augmented Generation (RAG) pipelines. The exposure allows attackers to submit malicious workflow data containing embedded Python code.

Instead of using trusted data, the application executes this attacker-supplied code without any sandboxing, leading to unauthenticated remote code execution on affected systems, according to an NVD description.

“The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code,” the description added. “This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication.”

The code injection flaw affects Langflow versions up to (excluding) 1.8.2, and has been fixed in v1.9.0. It received a critical CVSS rating of 9.3 out of 10, owing to its “unauthenticated” and simple exploitability, massive AI attack surface, and high impact.

Pace of exploit raises concerns

Exploitation activity was observed less than a day after the vulnerability became public, which, Sysdig noted, demonstrates threat actors quickly operationalizing new vulnerabilities (probably through automation). Attackers could build a working exploit just from the advisory description and quickly start scanning for flawed instances.

“Exfiltrated information included keys and credentials, which provided access to connected databases and potential software supply chain compromise,” Sysdig researchers said.

With patch windows collapsing significantly, runtime detection remains a primary, and the only, option, Sysdig noted. “Every attacker in this campaign followed the same post-exploitation playbook: execute a shell command via Python’s os.popen(), then exfiltrate the output over HTTP,” it said, adding that runtime rules can detect these attempts.

Runtime detection helps by working on “day zero,” the researchers explained. “These rules do not require a signature for CVE-2026-33017 specifically because they detect the exploitation behavior, not the vulnerability. The same rules would fire regardless of whether the initial access came through CVE-2026-33017, CVE-2025-3248, or any other RCE in an application.”

Sysdig also shared a list of indicators of compromise (IOCs), including attacker source IPs, detected C2 and staging infrastructure, dropper URLs, and interactsh callback domains. It recommends immediately upgrading to patched versions, restricting exposure, and monitoring for anomalous activity, emphasizing that exposed instances should be treated as potentially compromised.
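The behavior-based detection described above (a Python process spawning a shell, followed by an outbound connection) can be expressed as a small correlation over runtime events, independent of any CVE signature. This is an added example, not code from Sysdig or the article; the event format, field names, `detect` function, time window and allowlist are assumptions, and the sample events are constructed.

```python
import ipaddress
import json

# Constructed sample events (not taken from the Sysdig report): a simplified
# process/network feed, one JSON object per line. 203.0.113.0/24 is a
# documentation-only address range.
SAMPLE_EVENTS = """\
{"ts": 100.0, "type": "execve", "pid": 4101, "ppid": 4000, "pname": "python3", "cmd": "/bin/sh -c id"}
{"ts": 100.4, "type": "connect", "pid": 4000, "name": "python3", "dst": "203.0.113.7", "port": 80}
{"ts": 150.0, "type": "connect", "pid": 4000, "name": "python3", "dst": "203.0.113.50", "port": 443}
{"ts": 200.0, "type": "connect", "pid": 4000, "name": "python3", "dst": "10.0.0.5", "port": 5432}
{"ts": 300.0, "type": "execve", "pid": 5101, "ppid": 5000, "pname": "bash", "cmd": "/bin/sh -c ls"}
{"ts": 300.2, "type": "connect", "pid": 5000, "name": "bash", "dst": "203.0.113.9", "port": 443}
{"ts": 400.0, "type": "execve", "pid": 4102, "ppid": 4000, "pname": "python3", "cmd": "/bin/sh -c env"}
{"ts": 400.1, "type": "execve", "pid": 4103, "ppid": 4102, "pname": "sh", "cmd": "curl http://203.0.113.7/"}
{"ts": 400.3, "type": "connect", "pid": 4103, "name": "curl", "dst": "203.0.113.7", "port": 80}
"""

SHELLS = {"sh", "bash", "dash"}


def detect(lines, window=5.0, allow=("10.0.0.0/8",)):
    """Flag outbound connections made shortly after a Python process spawns a shell."""
    nets = [ipaddress.ip_network(n) for n in allow]
    tainted = {}  # pid -> (python pid, shell spawn time, shell command line)
    alerts = []
    for ev in map(json.loads, lines.splitlines()):
        if ev["type"] == "execve":
            argv0 = ev["cmd"].split()[0].rsplit("/", 1)[-1]
            if ev["pname"].startswith("python") and argv0 in SHELLS:
                # os.popen() appears as python spawning "/bin/sh -c <command>";
                # mark both the shell and the python parent.
                tainted[ev["pid"]] = tainted[ev["ppid"]] = (ev["ppid"], ev["ts"], ev["cmd"])
            elif ev["ppid"] in tainted:
                tainted[ev["pid"]] = tainted[ev["ppid"]]  # descendants inherit the mark
        elif ev["type"] == "connect" and ev["pid"] in tainted:
            py_pid, spawn_ts, cmd = tainted[ev["pid"]]
            dst = ipaddress.ip_address(ev["dst"])
            external = not any(dst in net for net in nets)
            if external and 0 <= ev["ts"] - spawn_ts <= window:
                alerts.append({"python_pid": py_pid, "shell_cmd": cmd,
                               "dst": ev["dst"], "port": ev["port"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the sample feed this flags the two shell-then-connect sequences from the Python process and ignores its later routine connections and the unrelated bash session.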

Facts Only

Actor: Attackers
Event: Exploited a critical RCE in Langflow
Timeline: Within hours of disclosure
Location: Multiple cloud providers and regions
Impact: Unauthenticated Remote Code Execution on affected systems
Vulnerability: CVE-2026-33017
Affected Version(s): Langflow versions up to 1.8.2 (excluding)
Fixed Version: v1.9.0
Rating: Critical CVSS rating of 9.3 out of 10

Executive Summary

A critical Remote Code Execution (RCE) vulnerability has been identified and exploited within hours in the open-source AI-pipeline tool, Langflow. This flaw allows unauthenticated attackers to execute arbitrary code on vulnerable systems. CISA has added this vulnerability, tracked as CVE-2026-33017, to its Known Exploited Vulnerabilities (KEV) catalog and urged federal agencies to patch their systems by April 8, 2026. The exploitation activity was observed within a day of the vulnerability becoming public, demonstrating threat actors' quick operationalization of new vulnerabilities. With patch windows collapsing significantly, runtime detection remains the primary option for mitigation.

Full Take

The exploitation of the Langflow RCE vulnerability underscores the need for timely patching and robust security measures, especially in open-source software. This incident demonstrates the potential for rapid exploitation following disclosure, emphasizing the importance of proactive defense strategies. CISA's addition of the vulnerability to its KEV catalog highlights its severity and the potential for widespread attack.
Patterns detected: ARC-0043 Motte-and-Bailey (the advisory contained enough detail for attackers to construct a working exploit without additional research)
The rapid operationalization of new vulnerabilities by threat actors raises concerns about the speed at which vulnerabilities can be weaponized and the potential for widespread damage. The use of runtime detection as the primary mitigation strategy implies that patching windows are collapsing, making it increasingly challenging to address security issues promptly.
Questions for further inquiry: What strategies could be employed to reduce the time between disclosure and patching? How can the security community better collaborate to prevent rapid exploitation of vulnerabilities? What other measures can be taken to enhance the security posture of open-source software?