Hackers Exploit Langflow Flaw to Steal AWS Keys and Build NATS-Based Botnet
Attackers are exploiting CVE-2026-33017, a critical Langflow remote code execution vulnerability, to steal cloud credentials and deploy a worker tied to a NATS-based command-and-control system.
The campaign targets exposed Langflow instances, abuses a public flow build endpoint, dumps sensitive environment variables, and then uses stolen AWS keys for cloud reconnaissance and possible LLMjacking through AWS Bedrock.
The activity shows how quickly exposed AI workflow tools can become a direct path into cloud accounts. Langflow is often connected to databases, model providers, cloud services, and API keys, which makes a compromised instance especially valuable to attackers.
What happened
Sysdig researchers observed a threat actor abusing CVE-2026-33017 during an extended exploitation attempt involving a Langflow target. The attacker used the vulnerability to execute commands without authentication and extract AWS credentials from the process environment.
The stolen keys were then tested with AWS STS GetCallerIdentity, a common way to confirm whether credentials are active. After that, the attacker used the same credentials to query several AWS services, including S3, EC2, Lambda, CloudWatch Logs, IAM, SageMaker, and Bedrock.
The Bedrock activity matters because it suggests the attacker wanted to use the victim’s cloud account to access foundation models without paying. This type of abuse is often called LLMjacking, where stolen cloud or AI service keys are used to run expensive AI workloads.
How CVE-2026-33017 works
CVE-2026-33017 affects the Langflow public flow build endpoint. The endpoint is meant to let public flows run without authentication, but vulnerable versions accepted attacker-controlled flow data through the optional data parameter.
That attacker-supplied flow data could include arbitrary Python code inside node definitions. Langflow then passed the code to exec() without sandboxing, which gave remote attackers a way to run code on exposed instances.
GitHub’s advisory lists Langflow versions up to and including 1.8.2 as affected. The advisory lists version 1.9.0 and later as patched.
| Item | Details |
|---|---|
| Vulnerability | CVE-2026-33017 |
| Product | Langflow |
| Issue type | Unauthenticated remote code execution through code injection |
| Affected versions | Langflow 1.8.2 and earlier |
| Patched versions | Langflow 1.9.0 and later |
| CISA KEV status | Added on March 25, 2026 |
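A toy model of the flaw class described above, added here as an illustration; it is not Langflow's code or its actual patch, and every name in it (`STORED_FLOWS`, `build_public_vulnerable`, `build_public_hardened`) is hypothetical. It shows why accepting a caller-supplied flow definition on an unauthenticated route hands the caller code execution, and one way to close that trust boundary.

```python
# Hypothetical stand-in for server-side storage of published flows.
STORED_FLOWS = {
    # Constructed sample: a flow the owner chose to make public.
    "public-1": {"nodes": [{"id": "n1", "code": "result = 'owner-defined'"}]},
}


def _run_flow(flow):
    """Run each node's code field, modelling the unsandboxed exec() the page describes."""
    outputs = {}
    for node in flow["nodes"]:
        scope = {}
        exec(node["code"], scope)  # runs with the server process's privileges
        outputs[node["id"]] = scope.get("result")
    return outputs


def build_public_vulnerable(flow_id, data=None):
    """Unauthenticated handler that trusts an optional caller-supplied definition."""
    if flow_id not in STORED_FLOWS:
        raise KeyError(flow_id)
    # Flaw: when `data` is present it replaces the owner's stored flow.
    flow = data if data is not None else STORED_FLOWS[flow_id]
    return _run_flow(flow)


def build_public_hardened(flow_id, data=None):
    """Unauthenticated handler that only ever runs the stored definition."""
    if data is not None:
        # Callers without a session may select a flow, never define one.
        raise PermissionError("flow data is not accepted on the public endpoint")
    if flow_id not in STORED_FLOWS:
        raise KeyError(flow_id)
    return _run_flow(STORED_FLOWS[flow_id])
```

The hardened handler removes the attacker-controlled input but still executes owner-authored code, so network restrictions and secret hygiene on the host remain necessary.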
Attackers used NATS as command and control
The most unusual part of the campaign is the attacker’s use of NATS as command-and-control infrastructure. NATS is a legitimate messaging system used by distributed applications, but in this case, the attacker used it to coordinate malicious workers.
Sysdig said the attacker downloaded both a Python worker and a Go binary from a staging server. The tooling appeared under the KeyHunter name and supported tasks such as scanning websites, scanning cloud development environments, validating AWS keys, and validating AI API keys.
The worker connected to a NATS server at 45.192.109.25:14222 and used task subjects linked to credential harvesting. This setup lets the operator distribute tasks, receive structured results, and manage multiple workers in a scalable way.
Why this campaign is dangerous
The campaign is dangerous because it combines three high-value targets: exposed AI workflow apps, cloud credentials, and AI service keys. A single vulnerable Langflow instance can expose far more than the host itself.
If AWS keys, OpenAI keys, Anthropic keys, Hugging Face keys, or database credentials sit in environment variables, the attacker may use the Langflow compromise as a starting point for broader cloud abuse.
The NATS worker also shows that the attacker was not only testing the vulnerability. The tooling was designed to turn compromised systems into a broader credential-harvesting pool.
- Attackers can run commands without authentication on vulnerable exposed Langflow instances.
- Environment variables may expose cloud keys, database secrets, and AI provider tokens.
- Validated AWS keys can reveal account identity, cloud resources, logging data, and AI service access.
- NATS gives the attacker a scalable way to assign tasks and collect results from workers.
- Compromised AI workflow tools can create both security and cloud cost risks.
Indicators of compromise
Sysdig published network indicators and file hashes tied to the activity. Security teams should treat these as hunting leads and combine them with process, network, and cloud audit logs.
| Type | Indicator | Description |
|---|---|---|
| IP and port | 45.192.109.25:14222 | NATS command-and-control server |
| IP and port | 159.89.205.184:8888 | HTTP staging server used to host worker files |
| SHA-256 | dbee863ad2a39f939be2c7ed76f7d5a8fe000aad2d2b2d32b3e8ec3ee42f1c25 | worker-linux-amd64 Go binary |
| SHA-256 | 323bbf3064d4b83df7920d752636b1acb36f462e58609a815bd8084d1e6b004c | keyhunter_worker.py Python worker |
| SHA-256 | 16b279aa018c64294d58280636e538f86e3dd9bdcb5734c203373394b72d101a | deploy.sh installer script |
What defenders should do now
Organizations running Langflow should first confirm whether any instance is exposed to the internet. Public access raises the risk sharply because CVE-2026-33017 does not require authentication.
Teams should update Langflow to a patched version, restrict access to trusted networks, and review any public flows. If an exposed instance ran a vulnerable version, security teams should assume secrets may have been accessed.
Credential rotation matters as much as patching. Attackers targeted AWS keys in this campaign, but Langflow environments may also contain tokens for AI providers, databases, code tools, and internal services.
- Upgrade Langflow to a patched version.
- Remove direct internet exposure where possible.
- Place Langflow behind authentication, a VPN, or a trusted reverse proxy.
- Rotate AWS, OpenAI, Anthropic, Hugging Face, database, and service tokens reachable from Langflow.
- Search logs for suspicious requests to the public flow build endpoint.
- Review AWS CloudTrail for STS, S3, EC2, IAM, Lambda, Logs, SageMaker, and Bedrock activity from unusual sources.
- Block known attacker infrastructure where it appears in logs or network telemetry.
- Restrict outbound traffic from AI tooling to only required model, database, and API endpoints.
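One way to run the CloudTrail review from the list above, as an added example rather than Sysdig's or AWS's tooling: it flags an access key that calls STS GetCallerIdentity and then touches several of the services named in this article from the same source address shortly afterwards. The 30-minute window, the three-service threshold, the `known_ips` allowlist and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# CloudTrail eventSource prefixes for the services the article lists.
WATCHED = {"s3", "ec2", "lambda", "logs", "iam", "sagemaker", "bedrock"}
WINDOW = timedelta(minutes=30)  # assumption: tune to your environment
MIN_SERVICES = 3                # assumption: distinct services that count as a sweep

def _ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def _svc(rec):
    return rec["eventSource"].split(".")[0]

def find_key_sweeps(records, known_ips=frozenset()):
    """Return one finding per (access key, source IP) that validates, then enumerates."""
    by_actor = defaultdict(list)
    for rec in records:
        key = rec.get("userIdentity", {}).get("accessKeyId")
        ip = rec.get("sourceIPAddress")
        if key and ip not in known_ips:
            by_actor[(key, ip)].append(rec)
    findings = []
    for (key, ip), recs in by_actor.items():
        recs.sort(key=_ts)
        for i, rec in enumerate(recs):
            if _svc(rec) != "sts" or rec["eventName"] != "GetCallerIdentity":
                continue
            start = _ts(rec)
            touched = {_svc(r) for r in recs[i + 1:] if _ts(r) - start <= WINDOW} & WATCHED
            if len(touched) >= MIN_SERVICES:
                findings.append({"accessKeyId": key, "sourceIPAddress": ip,
                                 "services": sorted(touched), "bedrock": "bedrock" in touched})
                break  # one finding per key/IP pair is enough to start triage
    return findings

def _rec(t, svc, name, key, ip):  # builds a constructed sample record
    return {"eventTime": t, "eventSource": svc + ".amazonaws.com", "eventName": name,
            "sourceIPAddress": ip, "userIdentity": {"accessKeyId": key}}

# Constructed sample: documentation-range IPs and AWS's published example key IDs.
SAMPLE = [
    _rec("2026-04-01T10:00:00Z", "sts", "GetCallerIdentity", "AKIAIOSFODNN7EXAMPLE", "203.0.113.7"),
    _rec("2026-04-01T10:01:10Z", "s3", "ListBuckets", "AKIAIOSFODNN7EXAMPLE", "203.0.113.7"),
    _rec("2026-04-01T10:02:30Z", "ec2", "DescribeInstances", "AKIAIOSFODNN7EXAMPLE", "203.0.113.7"),
    _rec("2026-04-01T10:04:00Z", "bedrock", "ListFoundationModels", "AKIAIOSFODNN7EXAMPLE", "203.0.113.7"),
    _rec("2026-04-01T11:00:00Z", "sts", "GetCallerIdentity", "AKIAI44QH8DHBEXAMPLE", "198.51.100.10"),
    _rec("2026-04-01T11:00:05Z", "s3", "ListBuckets", "AKIAI44QH8DHBEXAMPLE", "198.51.100.10"),
]
```

Pass your own egress and CI addresses as `known_ips` to cut noise, and treat a finding with `bedrock` set as a prompt to check model invocation logs and billing for that account.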
The bigger risk for AI workflow tools
Langflow is not the only AI workflow tool that can hold valuable secrets. Many visual AI builders, automation platforms, and agent frameworks connect directly to cloud accounts, vector databases, model APIs, and internal business data.
That makes these tools attractive to attackers. They often sit outside traditional production security programs, but they can hold production-grade credentials.
The lesson from this campaign is clear: AI workflow tools need the same hardening as other internet-facing business systems. Teams should patch them quickly, remove unnecessary exposure, control outbound access, and keep secrets out of environment variables whenever possible.
FAQ
CVE-2026-33017 is a critical Langflow vulnerability that allows unauthenticated remote code execution through the public flow build endpoint in vulnerable versions.
GitHub’s advisory lists Langflow versions up to and including 1.8.2 as affected. Version 1.9.0 and later are listed as patched.
Attackers are using the flaw to run commands on exposed Langflow instances, dump environment variables, steal AWS keys, validate those keys, and deploy worker tooling connected to NATS-based command-and-control infrastructure.
The NATS worker matters because it gives attackers a scalable way to distribute credential-harvesting tasks and collect results from compromised systems. It also uses legitimate messaging infrastructure in a way that may blend into normal network activity.
Organizations should rotate all credentials that were reachable from vulnerable Langflow instances, review cloud logs for unusual activity, restrict outbound traffic, and check for connections to the published NATS and staging indicators.