A critical Langflow vulnerability that could enable unauthenticated remote code execution (RCE) was exploited within 20 hours of disclosure, Sysdig reported Thursday.
Sysdig captured exploitation attempts for the flaw tracked as CVE-2026-33017 in its honeypots on March 18, 2026, a day after the vulnerability was disclosed.
The first exploitation attempt occurred within 20 hours, while the first attack to successfully exfiltrate sensitive data was seen shortly before the 25-hour mark.
Langflow is a popular open-source framework for building agentic AI workflows, with more than 145,000 stars on GitHub. The vulnerability lies in the “POST /api/v1/build_public_tmp/[flow_id]/flow” endpoint, which is meant to allow for the building of public flows without authentication.
An attacker could send a crafted HTTP request to this endpoint containing arbitrary Python code in node definitions, which would be executed server-side without sandboxing, according to the GitHub security advisory for CVE-2026-33017. Langflow assigned the flaw a CVSS score of 9.3.
“Attackers are using Langflow as a pivot into connected AI pipelines, harvesting the API keys and database credentials that agentic workflows require to function, which means the downstream blast radius (poisoned pipelines, compromised tool-calls, corrupted retrieval stores) could dwarf the initial RCE,” Ram Varadarajan, CEO at Acalvio, told SC Media in an email.
Sysdig first observed automated scanning activity on its CVE-2026-33017 honeypots on March 18 at 16:04 UTC, noting four IP addresses sending identical payloads within minutes of one another. This suggests one attacker using proxies or virtual private server (VPS) nodes to cycle through IP addresses rather than distinct attackers.
This attacker deployed a payload that executes id, encodes the output in base64 and sends it to an interactsh callback server, likely probing for RCE-vulnerable instances.
Sysdig noted several indicators that the attacker used the open-source nuclei vulnerability scanner, including the use of the word “nuclei” in requests and the use of several user-agent strings corresponding with nuclei’s random user-agent wordlist.
Exploit attempts using custom Python payloads to perform deeper reconnaissance began to appear around the 21-hour mark, including attempts to list directories and credentials files (e.g., /etc/passwd), perform system fingerprinting and attempt secondary payload delivery from pre-staged infrastructure.
“This is not ad-hoc testing. This is an attacker with a prepared exploitation toolkit moving from vulnerability validation to payload deployment in a single session,” the Sysdig researchers wrote.
Sysdig ultimately observed advanced attack activity from a single IP address that dumped environment variables, located database and configuration files and exfiltrated the contents of .env files to steal sensitive data such as credentials and API keys.
This attacker was found to exfiltrate the data to the same command-and-control (C2) server as the attacker that had previously performed reconnaissance, suggesting a single operator or attackers using shared infrastructure.
SC Media asked Sysdig whether it was possible the activity originated from security researchers rather than malicious actors.
“The Sysdig Threat Research Team (TRT) is confident that the activity described in our findings originated from threat actors rather than security researchers. In particular, the observed downloading of additional payloads is a strong indicator of malicious intent and is not consistent with typical research behavior,” said Sysdig Senior Director of Threat Research Michael Clark.
The researchers noted that the short timeframe from disclosure to exploitation aligns with findings from the Zero Day Clock project, which found that by 2023, 44% of exploited vulnerabilities saw their first exploitation activity within 24 hours of disclosure.
CVE-2026-33017 was fixed in version 1.9.0 and users are urged to update immediately.
Beyond timely patching of vulnerabilities, Sysdig recommends the use of behavior-based runtime detection solutions that recognize exploitation patterns outside of specific CVE signatures.
“This is exactly the threat model where deception infrastructure earns its keep: a honeytoken seeded into a Langflow environment’s credential store would have surfaced the intrusion silently, before any lateral movement, with zero dependence on knowing the attack vector in advance,” added Varadarajan.
Langflow previously patched another critical unauthenticated RCE vulnerability tracked as CVE-2025-3248, which enabled RCE via a crafted HTTP request to the /api/v1/validate/code endpoint. This flaw was fixed in version 1.3.0 in April 2025.
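For defenders reviewing their own Langflow request logs, the following added example (not code from Sysdig, Langflow or the article) triages POST requests to the two endpoints named above, marks requests carrying the “nuclei” string, and groups source IPs that sent byte-identical bodies, the pattern Sysdig read as one operator rotating addresses. The record layout, the `triage` and `rec` helpers and all sample values are assumptions constructed for illustration; because the public-flow endpoint also serves legitimate requests, hits are leads for review rather than verdicts.

```python
import hashlib
import re
from collections import defaultdict

# Endpoint paths are the two named in the article; the record layout is assumed.
ENDPOINTS = [
    (re.compile(r"^/api/v1/build_public_tmp/[^/]+/flow$"), "CVE-2026-33017"),
    (re.compile(r"^/api/v1/validate/code$"), "CVE-2025-3248"),
]

def triage(records):
    """Return (hits, clusters) for POST requests to the two endpoints.

    hits:     list of (ip, cve, mentions_nuclei) in input order
    clusters: body SHA-256 -> sorted IPs, kept only when several IPs sent
              the same body (one operator rotating source addresses)
    """
    hits, by_body = [], defaultdict(set)
    for r in records:
        path = r["path"].split("?", 1)[0]
        cve = next((c for rx, c in ENDPOINTS if rx.match(path)), None)
        if r["method"] != "POST" or cve is None:
            continue
        seen = (r["body"] + " " + r["user_agent"]).lower()
        hits.append((r["ip"], cve, "nuclei" in seen))
        by_body[hashlib.sha256(r["body"].encode()).hexdigest()].add(r["ip"])
    clusters = {h: sorted(ips) for h, ips in by_body.items() if len(ips) > 1}
    return hits, clusters

def rec(ip, method, path, body="", user_agent="Mozilla/5.0"):
    """Build one constructed log record (hypothetical layout)."""
    return {"ip": ip, "method": method, "path": path, "body": body, "user_agent": user_agent}

# Constructed sample: documentation-range IPs, placeholder bodies, no real payloads.
PUBLIC = "/api/v1/build_public_tmp/00000000-0000-0000-0000-000000000000/flow"
SAMPLE = [
    rec("192.0.2.10", "POST", PUBLIC, '{"placeholder": "probe-a nuclei"}'),
    rec("192.0.2.11", "POST", PUBLIC, '{"placeholder": "probe-a nuclei"}'),
    rec("198.51.100.7", "POST", PUBLIC, '{"placeholder": "probe-a nuclei"}'),
    rec("203.0.113.5", "POST", PUBLIC, '{"placeholder": "recon-b"}'),
    rec("203.0.113.5", "POST", "/api/v1/validate/code", '{"placeholder": "c"}'),
    rec("192.0.2.99", "GET", "/"),
]

if __name__ == "__main__":
    hits, clusters = triage(SAMPLE)
    for ip, cve, nuclei in hits:
        print(f"{ip:15} {cve} nuclei_marker={nuclei}")
    for digest, ips in clusters.items():
        print(f"same body {digest[:12]} from {len(ips)} IPs: {', '.join(ips)}")
```
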
Vulnerability Management, Patch/Configuration Management, AI/ML, Threat Management, Threat Intelligence
Critical Langflow RCE vulnerability exploited within 20 hours




