A critical unauthenticated remote code execution vulnerability in Langflow, the open-source AI workflow platform, is being actively exploited in the wild. CVE-2026-33017 carries a CVSS score of 9.3. If you run Langflow and it's exposed to the internet, stop reading and start patching. Here's the situation.
Who is affected
Every Langflow instance running version 1.8.1 or earlier with at least one public flow. That covers most production deployments, since public flows are how Langflow-powered chatbots work: users visit a URL, chat with a bot, and the flow executes server-side without authentication. When AUTO_LOGIN is set to true (the default configuration), even the public flow prerequisite disappears because an attacker can create one themselves.
Langflow has over 145,000 GitHub stars and is widely used for building AI agents and RAG pipelines. The blast radius here is real but bounded: organizations running Langflow behind a firewall or VPN with no public exposure are not directly vulnerable. If your instance is internet-facing, assume compromise until you can verify otherwise.
What happened
Security researcher Aviral Srivastava discovered the flaw on February 26, 2026 and reported it to Langflow. The advisory (GHSA-vwmf-pq79-vjvx) was published on GitHub on March 17, 2026 at 20:05 UTC.
Twenty hours later, Sysdig's Threat Research Team recorded the first exploitation attempts. No public proof-of-concept existed. Attackers reverse-engineered working exploits directly from the advisory text, which described the vulnerable endpoint and injection mechanism in enough detail to build a payload.
The vulnerability sits in the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint. This endpoint is designed to let unauthenticated users build public flows. It accepts an optional data parameter. When that parameter is supplied, the server uses attacker-controlled flow data containing arbitrary Python code in node definitions instead of the stored flow from the database. That code gets passed to Python's exec() with zero sandboxing. One HTTP POST request with malicious Python in the JSON payload achieves immediate RCE with full server-process privileges.
Srivastava described exploitation as "extremely easy," noting it can be triggered with a single curl command.
Timeline of events
- Feb 26, 2026: Aviral Srivastava discovers and reports CVE-2026-33017 to Langflow
- Mar 17, 2026, 20:05 UTC: Advisory GHSA-vwmf-pq79-vjvx published on GitHub
- Mar 18, 2026, 16:04 UTC: First exploitation attempt observed by Sysdig (20 hours post-disclosure)
- Mar 18, 2026, 16:05-16:39 UTC: Multiple scanning IPs begin probing with identical payloads
- Mar 18, 2026, 20:55 UTC: Attackers escalate to environment variable exfiltration and credential harvesting
How the attacks played out
Sysdig deployed honeypot Langflow instances across multiple cloud providers and observed a three-phase attack pattern over 48 hours, involving six unique source IPs.
The first wave was automated scanning using Nuclei with a privately authored template (no official CVE-2026-33017 template existed in the public nuclei-templates repository). Four IPs arrived within minutes of each other, all sending identical payloads that executed the id command, base64-encoded the output, and exfiltrated it to an interactsh callback server. The requests identified themselves with Cookie: client_id=nuclei-scanner headers.
The second wave used custom Python scripts. One attacker (IP 83.98.164.238) progressed through a methodical kill chain: directory listing, credential file enumeration, system fingerprinting, then a stage-2 delivery attempt pulling from a pre-staged server at 173.212.205.251:8443. According to Sysdig, "This is an attacker with a prepared exploitation toolkit moving from vulnerability validation to payload deployment in a single session."
The third phase was data harvesting. The most advanced operator dumped environment variables (which in typical Langflow deployments contain database connection strings, API keys, and cloud credentials), enumerated configuration files and databases, and extracted .env file contents. Sysdig reported that exfiltrated information included keys and credentials providing access to connected databases and potential software supply chain compromise.
This is not the same bug as last time
Langflow has been here before. CVE-2025-3248 (CVSS 9.8) was an earlier unauthenticated RCE in the /api/v1/validate/code endpoint that CISA added to its Known Exploited Vulnerabilities catalog in May 2025. That bug had a simple fix: add an authentication requirement to the endpoint.
CVE-2026-33017 is a harder problem. The vulnerable endpoint is supposed to be unauthenticated because it serves public flows. As Srivastava explained: "You can't just add an auth requirement without breaking the entire public flows feature. The real fix is removing the data parameter from the public endpoint entirely, so public flows can only execute their stored (server-side) flow data and never accept attacker-supplied definitions."
Both vulnerabilities trace back to the same unsandboxed exec() call in validate.py. The root cause was not fully addressed the first time.
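The design flaw and the fix Srivastava describes, reduced to a simplified model. This is an added example, not Langflow's code: the flow store, function names and node layout are hypothetical, nothing is executed, and rejecting the request (rather than silently ignoring the field) is an assumption of this sketch.

```python
class PublicFlowError(Exception):
    """Raised when a public build request is refused."""

# Constructed stand-in for the flow table: flow_id -> stored record.
STORED_FLOWS = {
    "demo-public": {"public": True, "nodes": [{"id": "n1", "code": "stored component code"}]},
    "demo-private": {"public": False, "nodes": [{"id": "n1", "code": "private component code"}]},
}

def load_public(flow_id):
    """Return the stored flow only if it exists and is marked public."""
    flow = STORED_FLOWS.get(flow_id)
    if flow is None or not flow["public"]:
        raise PublicFlowError("no such public flow")
    return flow

def resolve_vulnerable(flow_id, body):
    """Pre-fix behaviour as the article describes it: supplied data replaces the stored flow."""
    stored = load_public(flow_id)
    data = body.get("data")
    return data["nodes"] if data is not None else stored["nodes"]

def resolve_hardened(flow_id, body):
    """Post-fix behaviour: the public endpoint only ever builds server-side flow data."""
    stored = load_public(flow_id)
    if "data" in body:
        raise PublicFlowError("flow definitions are not accepted on the public endpoint")
    return stored["nodes"]

def code_to_execute(nodes):
    """The node code strings that would reach the builder (never executed here)."""
    return [node["code"] for node in nodes]

if __name__ == "__main__":
    body = {"data": {"nodes": [{"id": "x", "code": "caller supplied code"}]}}
    print(code_to_execute(resolve_vulnerable("demo-public", body)))
    print(code_to_execute(resolve_hardened("demo-public", {})))
```

In the vulnerable resolver the unauthenticated caller decides which code reaches the builder; in the hardened one only whoever can write to the flow store does.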
What to do right now
1. Patch immediately. The fix is in development version 1.9.0.dev8 (PR #12160). No stable release with the fix exists yet, which is a problem. If you cannot run the dev build, proceed to step 2.
2. Block or restrict access. Put Langflow behind a reverse proxy with authentication, or restrict network access to trusted IPs using firewall rules. Do not leave Langflow exposed to the public internet.
3. Audit and rotate credentials. On any publicly exposed Langflow instance, assume environment variables and stored credentials have been compromised. Rotate API keys, database passwords, and cloud credentials. Check .env files for sensitive values.
4. Monitor for indicators. Look for outbound connections to interactsh callback domains (*.oast.*) and the IP 173.212.205.251. Check for unexpected reads of /etc/passwd, environment variable dumps, or file enumeration commands in server logs.
5. Disable AUTO_LOGIN. If it's enabled (the default), an attacker can bootstrap the entire attack chain without any prerequisites.
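The indicator checks from the monitoring step, applied to proxy and egress logs. This is an added example, not code from Sysdig, Langflow or the article's sources. The JSON-lines schema (kind, src, body_keys, dst_host and so on) and the sample events are constructed; only the endpoint path, cookie value, IPs and *.oast.* pattern come from the article.

```python
import json
import re
from fnmatch import fnmatchcase

# Indicators quoted in the article.
BUILD_PATH = re.compile(r"^/api/v1/build_public_tmp/[^/]+/flow/?$")
SCANNER_COOKIE = "client_id=nuclei-scanner"
ATTACKER_SRC = {"83.98.164.238"}
STAGE2_DST = {"173.212.205.251"}
OAST_GLOB = "*.oast.*"

# Constructed events in a hypothetical JSON-lines schema (not Langflow's log format).
SAMPLE_EVENTS = """\
{"kind":"http","ts":"2026-01-01T00:00:01Z","src":"198.51.100.7","method":"POST","path":"/api/v1/build_public_tmp/FLOW_ID/flow","cookie":"client_id=nuclei-scanner","body_keys":["data"]}
{"kind":"http","ts":"2026-01-01T00:00:02Z","src":"203.0.113.20","method":"POST","path":"/api/v1/build_public_tmp/FLOW_ID/flow","cookie":"","body_keys":[]}
{"kind":"http","ts":"2026-01-01T00:00:03Z","src":"83.98.164.238","method":"POST","path":"/api/v1/build_public_tmp/FLOW_ID/flow","cookie":"","body_keys":["data"]}
{"kind":"egress","ts":"2026-01-01T00:00:04Z","dst_host":"constructed-id.oast.example","dst_ip":"192.0.2.55"}
{"kind":"egress","ts":"2026-01-01T00:00:05Z","dst_host":"","dst_ip":"173.212.205.251"}
{"kind":"egress","ts":"2026-01-01T00:00:06Z","dst_host":"updates.example.org","dst_ip":"192.0.2.80"}
"""

def reasons_for(event):
    """Return the indicator names an event matches (empty list if none)."""
    hits = []
    if event["kind"] == "http":
        is_build = event["method"] == "POST" and BUILD_PATH.match(event["path"])
        # Hunt heuristic (assumption): a public build request carrying its own "data".
        if is_build and "data" in event.get("body_keys", []):
            hits.append("public build with caller-supplied data")
        if SCANNER_COOKIE in event.get("cookie", ""):
            hits.append("nuclei-scanner cookie")
        if event["src"] in ATTACKER_SRC:
            hits.append("source IP named in report")
    elif event["kind"] == "egress":
        if fnmatchcase(event.get("dst_host", "").lower(), OAST_GLOB):
            hits.append("interactsh-style callback host")
        if event.get("dst_ip") in STAGE2_DST:
            hits.append("stage-2 server IP named in report")
    return hits

def triage(text):
    """Parse JSON lines and return (timestamp, hits) for every matching event."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return [(e["ts"], reasons_for(e)) for e in events if reasons_for(e)]

if __name__ == "__main__":
    for ts, hits in triage(SAMPLE_EVENTS):
        print(ts, "; ".join(hits))
```

A hit on the data heuristic alone is a lead to review, not proof of compromise; pair it with the egress findings before deciding how far credential rotation needs to go.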
The bigger picture
The 20-hour exploitation window is fast but not surprising. According to Rapid7's 2026 Global Threat Landscape Report, the median time from vulnerability publication to inclusion in CISA's KEV catalog dropped from 8.5 days to five days over the past year. Meanwhile, the median time for organizations to deploy patches sits at approximately 20 days. The math is not in defenders' favor.
CVE-2026-33017 has not been added to CISA's KEV despite confirmed active exploitation. That should change soon.
As Sysdig concluded: "Critical vulnerabilities in popular open-source tools are weaponized within hours of disclosure, often before public PoC code is even available." AI platforms like Langflow sit at a particularly high-value intersection, with access to credentials, databases, and software supply chains that make them attractive targets.
The lack of a stable patched release as of this writing is worth noting. A dev build is not a production patch. Langflow's maintainers need to ship a stable fix.
Omar Rashid covers cybersecurity and technology for The Daily Vibe.



