
Critical Langflow AI bug exploited within 20 hours added to CISA list


The Cybersecurity and Infrastructure Security Agency (CISA) on March 25 added to its Known Exploited Vulnerabilities (KEV) catalog a critical bug in Langflow, a framework for building AI agents, that attackers are now exploiting.

Sysdig originally reported on March 19 that the bug, CVE-2026-33017, was exploited within 20 hours of disclosure. The Sysdig researchers said they captured exploitation attempts for the flaw in their honeypots the day before, on March 18.

This news has security pros concerned that the timeframe between public disclosure and exploitation will continue to shrink in the AI era, and some say it most certainly will.

“We are now in the AI era,” said Agnidipta Sarkar, chief evangelist at ColorTokens. “The old mental model of patching within 30 days — maybe 15 for critical vulnerabilities — is probably over. So, unless you have digitally hidden your critical infrastructure, you are staring at an exposure. Traditionally, CISA’s KEV catalog, which I deeply respect as a prioritization force, gives federal agencies until April 8. This should serve as a public signal to every organization running Langflow that this is not a theoretical risk.”

Julian Brownlow Davies, senior vice president of offensive security strategy and operations at Bugcrowd, said that while 24 hours from advisory to active exploitation is significant, what’s really alarming is that no public proof-of-concept existed and the attackers reverse-engineered a working exploit directly from the advisory itself.

“That tells us the barrier to weaponization has dropped to the point where disclosure and exploitation are converging into a single event,” said Davies. “Organizations relying on patch cycles measured in weeks are structurally exposed.”

Davies said the industry has largely solved the detection problem, in that we can identify vulnerabilities at extraordinary speed and scale. What we haven't solved, said Davies, is comprehension: understanding which of those findings represent genuine, validated, exploitable risk to the assets that actually matter.

“When the exploitation window compresses to 24 hours, that distinction becomes existential,” said Davies. “You cannot patch everything simultaneously, so the question becomes: which vulnerabilities have real-world exploitability against your crown jewels, right now?”

Sarkar of ColorTokens added that AI will almost certainly shrink the timeframe between disclosure and exploitation.

“The entire premise of patch-and-scan security — detect, analyze, prioritize, test, deploy — assumes you have time,” said Sarkar. “AI is systematically collapsing that assumption. For something like Langflow, which sits at the heart of AI agent infrastructure, the irony is almost painful: AI frameworks are being exploited by AI-accelerated attackers. In a world where AI compresses exploitation timelines toward near-zero, the security controls that matter most are the ones that function even after the attacker is already inside. That's where the conversation needs to go.” 

Jason Soroko, a senior fellow at Sectigo, added that the exploitation of CVE-2026-33017 within 20 hours of disclosure reflects how aggressively threat actors now target AI infrastructure. Soroko said Langflow, an open-source framework for building AI agents and workflows with over 145,000 GitHub stars, became the vector.

“The mechanics are straightforward and damning,” said Soroko. “An optional data parameter in the affected endpoint lets attackers inject arbitrary Python code into node definitions rather than legitimate flow data. That code executes with no sandboxing. Attackers have already used this to harvest credentials and database keys connected to AI pipelines, and the speed of deployment suggests coordination, not opportunism. Supply chain exposure is the logical next step.”
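The prioritization question Davies raises earlier in the article, applied to the KEV entry reported here, as an added example that is not code from SC Media, CISA or any vendor quoted: it joins KEV records to an asset inventory and ranks the matches by exposure and time left before the due date. The KEV records are a constructed sample using the feed's field names (the year is assumed from the CVE identifier), and the inventory, hostnames and the second CVE entry are hypothetical.

```python
import json
from datetime import date

# Constructed sample using field names from CISA's KEV JSON feed. Dates follow
# the article; the year is assumed from the CVE identifier. The second entry
# is a made-up placeholder, not a real CVE.
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2026-33017", "product": "Langflow",
   "dateAdded": "2026-03-25", "dueDate": "2026-04-08"},
  {"cveID": "CVE-0000-00000", "product": "ExampleProduct",
   "dateAdded": "2026-03-01", "dueDate": "2026-03-22"}
]}
""")

# Hypothetical inventory: hostnames, exposure and criticality are constructed.
INVENTORY = [
    {"host": "agents-prod-1", "product": "Langflow",
     "internet_facing": True, "crown_jewel": True},
    {"host": "agents-lab-7", "product": "langflow",
     "internet_facing": False, "crown_jewel": False},
    {"host": "wiki-1", "product": "OtherApp",
     "internet_facing": True, "crown_jewel": False},
]

def triage(kev, inventory, today_iso):
    """Return KEV findings on our assets, most urgent first."""
    today = date.fromisoformat(today_iso)
    by_product = {}
    for v in kev["vulnerabilities"]:
        by_product.setdefault(v["product"].lower(), []).append(v)
    findings = []
    for asset in inventory:
        # Name matching is a simplification; a real inventory would key on
        # SBOM or package identifiers.
        for v in by_product.get(asset["product"].lower(), []):
            findings.append({
                "host": asset["host"],
                "cve": v["cveID"],
                "days_left": (date.fromisoformat(v["dueDate"]) - today).days,
                "days_in_kev": (today - date.fromisoformat(v["dateAdded"])).days,
                # 0 = exposed crown jewel, 1 = exposed or critical, 2 = neither
                "tier": 2 - asset["internet_facing"] - asset["crown_jewel"],
            })
    return sorted(findings, key=lambda f: (f["tier"], f["days_left"]))

if __name__ == "__main__":
    for finding in triage(KEV_SAMPLE, INVENTORY, "2026-03-26"):
        print(finding)
```

A negative `days_left` means the KEV due date has already passed for that host.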
