Critical Langflow flaw was exploited within 20 hours, exposing AI pipelines to unauthenticated RCE


A critical Langflow security flaw is already under active attack, and defenders had very little time to react. Langflow says CVE-2026-33017 allows unauthenticated remote code execution through its public flow build endpoint, while Sysdig says it saw the first real-world exploitation attempts roughly 20 hours after the advisory went live.

The bug affects Langflow versions 1.8.1 and earlier. Langflow’s GitHub advisory says the issue is fixed in version 1.9.0, and the root cause is severe: attacker-controlled flow data can reach an exec() call with no sandboxing.

That makes this more than another open-source bug disclosure. A single HTTP POST request can be enough to run arbitrary Python code on an exposed Langflow server, giving attackers a path to secrets, files, databases, and follow-on payload delivery. Sysdig says that is exactly what early attackers started testing within hours.

What CVE-2026-33017 does

Langflow says the vulnerable endpoint is POST /api/v1/build_public_tmp/{flow_id}/flow. The endpoint is meant to work without authentication for public flows, but when the optional data parameter is supplied, the server uses attacker-supplied flow definitions instead of stored server-side data. That malicious data can include arbitrary Python code in node definitions, which the backend then executes.

Security researcher Aviral Srivastava, who reported the flaw, said the real fix is not simply adding authentication. The endpoint exists to serve public flows, so the safer fix is to stop accepting attacker-supplied data there at all.

Why this flaw is so dangerous

This is a classic high-impact combination of missing authentication and code injection. Since the endpoint is public by design, attackers do not need stolen credentials, prior access, or user interaction. Langflow’s advisory classifies the issue as critical.

Once code execution lands, the blast radius can grow fast. Sysdig says attackers in the wild moved from simple validation to harvesting environment variables, reading system files, and attempting second-stage payload delivery from attacker-controlled infrastructure.

Key facts at a glance

Item                  Details
CVE                   CVE-2026-33017
Severity              Critical
Affected versions     Langflow 1.8.1 and earlier
Fixed version         1.9.0
Vulnerable endpoint   /api/v1/build_public_tmp/{flow_id}/flow
Attack requirement    No authentication
Main impact           Remote code execution

Source: Langflow advisory and Sysdig research.

Exploitation started almost immediately

Sysdig says no public proof-of-concept code was available when attackers began hitting vulnerable systems. Even so, the advisory itself exposed enough detail for threat actors to build working exploits directly from the published description.

According to Sysdig’s timeline, Langflow published the advisory on March 16, 2026, and the first exploitation attempt reached its honeypots on March 17, 2026, about 20 hours later. That speed matters because it shows attackers do not need a public exploit repo anymore when an advisory already contains the endpoint, bug class, and likely execution path.

Sysdig says the earliest activity included automated scanning, followed by more targeted reconnaissance. Later attackers tried to read /etc/passwd, identify the running user, and fetch a follow-on payload from an external host.

This was not Langflow’s first serious RCE issue

Langflow’s advisory and Sysdig both distinguish CVE-2026-33017 from CVE-2025-3248, another critical Langflow bug that involved unauthenticated code execution through a different endpoint. CISA’s KEV catalog includes CVE-2025-3248, which underlines Langflow’s recent exposure to high-risk attack chains.

That history makes the new bug more troubling. When a project already has a recent pattern of severe RCE issues, attackers pay closer attention to each new disclosure, especially when the product sits inside AI workflows with access to credentials, APIs, vector databases, and sensitive prompts. This is an inference based on the product’s role and the published exploitation details.

Why AI infrastructure is becoming a bigger target

Langflow is not just another web app. It often sits near valuable data, model connections, API keys, and workflow automations. Sysdig says attackers who exploited CVE-2026-33017 exfiltrated keys and credentials, which could open paths to connected databases and possible software supply chain abuse.

That aligns with a broader shift in vulnerability response. Rapid7 says the median time from vulnerability publication to inclusion in CISA’s Known Exploited Vulnerabilities catalog fell from 8.5 days to 5.0 days over the past year, while exploitation timelines continue to collapse.

What attackers were observed doing

  • Scanning for exposed Langflow instances
  • Sending validation payloads to confirm code execution
  • Reading environment variables and local files
  • Attempting follow-on payload delivery
  • Harvesting credentials for deeper access

These behaviors come from Sysdig’s honeypot observations.

What Langflow users should do now

Anyone running Langflow 1.8.1 or older should treat this as urgent. Upgrade to Langflow 1.9.0 or later as soon as possible. Langflow’s advisory says patched versions remove the unsafe path that allowed attacker-supplied flow data to reach server-side execution.

Users should also assume exposed instances may already have been probed. Sysdig recommends auditing environment variables and secrets on public-facing Langflow deployments, rotating keys and database passwords, monitoring for unusual outbound traffic, and restricting network access with firewalls or a reverse proxy that enforces authentication.

Immediate response steps

  • Upgrade Langflow to 1.9.0 or later
  • Rotate exposed API keys, tokens, and database passwords
  • Review logs for suspicious POST requests to the vulnerable endpoint
  • Check for unusual outbound connections and downloaded payloads
  • Restrict public access to Langflow wherever possible
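
For the log review step, the following is an added example, not code from Langflow or Sysdig. It assumes a reverse proxy in front of Langflow writes combined-format access logs, and it flags every POST to the endpoint named in the advisory, grouped by client IP. Access logs in this format do not record the request body, so they cannot show whether the data parameter was supplied; each hit is a candidate for review.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Endpoint from the Langflow advisory; {flow_id} is matched as one path segment.
ENDPOINT = re.compile(r"/api/v1/build_public_tmp/[^/]+/flow/?$", re.IGNORECASE)

# Assumption: combined log format written by a reverse proxy in front of Langflow.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def normalize_path(target):
    """Drop the query string, percent-decode, and collapse repeated slashes."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/{2,}", "/", path)

def find_build_public_posts(lines):
    """Return {client_ip: [(timestamp, status, path), ...]} for matching POSTs."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparseable line, or not a POST
        path = normalize_path(m["target"])
        if ENDPOINT.search(path):
            hits[m["ip"]].append((m["ts"], int(m["status"]), path))
    return dict(hits)

# Constructed sample lines: documentation IP ranges and a placeholder flow ID.
SAMPLE_LOG = [
    '203.0.113.10 - - [17/Mar/2026:10:02:11 +0000] "POST /api/v1/build_public_tmp/FLOW-ID/flow HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.10 - - [17/Mar/2026:10:02:15 +0000] "POST /api/v1/build_public_tmp/FLOW-ID/flow?x=1 HTTP/1.1" 500 87 "-" "-"',
    '198.51.100.7 - - [17/Mar/2026:11:40:03 +0000] "GET /api/v1/build_public_tmp/FLOW-ID/flow HTTP/1.1" 405 0 "-" "-"',
    '198.51.100.7 - - [17/Mar/2026:11:40:09 +0000] "POST /api/v1/%62uild_public_tmp/FLOW-ID/flow/ HTTP/1.1" 200 498 "-" "-"',
    '192.0.2.44 - - [17/Mar/2026:12:00:00 +0000] "POST /api/v1/other HTTP/1.1" 200 120 "-" "-"',
    'truncated or malformed line',
]

if __name__ == "__main__":
    for ip, events in find_build_public_posts(SAMPLE_LOG).items():
        for ts, status, path in events:
            print(f"{ip}  {ts}  {status}  {path}")
```

On an instance already running 1.9.0 or later, hits still show that the server is being probed. On 1.8.1 or earlier, treat each source IP as a reason to carry out the secret rotation and outbound-traffic checks listed above.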

FAQ

What is CVE-2026-33017?

It is a critical Langflow vulnerability that allows unauthenticated remote code execution through the public flow build endpoint.

Which Langflow versions are affected?

Langflow says all versions up to and including 1.8.1 are affected. Version 1.9.0 contains the fix.

Was the flaw exploited in the wild?

Yes. Sysdig says it observed exploitation attempts within about 20 hours of the advisory’s publication.

Do attackers need credentials?

No. Langflow says the vulnerable endpoint can be reached without authentication because it is designed for public flows.

Why is this especially serious for AI deployments?

Compromising Langflow can expose environment variables, connected services, stored secrets, and downstream workflow infrastructure. Sysdig says attackers already targeted those assets during observed exploitation.
