Critical Langflow CVE-2026-33017 Exploit Hits Within 20 Hours – Patch Now
A critical flaw in Langflow is already being used in real attacks less than 20 hours after the bug was made public, according to cloud security firm Sysdig. The issue, tracked as CVE-2026-33017 with a CVSS score of 9.3, affects all versions of the open source AI platform up to and including 1.8.1, and it can lead to remote code execution on a vulnerable server.
How the Flaw Works
Langflow said the problem affects the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint, which is meant to build public flows without authentication.
In its advisory, the company said that when the optional data parameter is supplied, the endpoint can use attacker-controlled flow data instead of the stored server-side data. That matters because the malicious data can contain arbitrary Python code inside node definitions, and the application passes it to exec() with no sandboxing.
In practical terms, that means an attacker can send one HTTP request and run code with the same privileges as the Langflow process. Security researcher Aviral Srivastava, who reported the issue on February 26, 2026, told The Hacker News that exploitation is “extremely easy” and can be triggered with a weaponized curl command. He also said the flaw is separate from CVE-2025-3248, another critical Langflow bug that abused the /api/v1/validate/code endpoint for unauthenticated code execution.
Srivastava explained that the root cause is the same dangerous use of exec() at the end of the processing chain. He said the endpoint cannot simply require authentication because it is designed to serve public flows. “The real fix is removing the data parameter from the public endpoint entirely,” he said, so public flows only execute their stored server-side data and never accept attacker-supplied definitions.
What Sysdig Observed
Sysdig said the first exploitation attempts appeared in the wild on March 17, 2026, within 20 hours of the advisory going live.
The company noted that no public proof of concept code existed at the time, which means attackers appear to have built working exploits directly from the advisory itself and then begun scanning the internet for exposed systems.
According to Sysdig, the observed activity was not limited to simple validation checks. The company said attackers moved from automated scanning to custom Python scripts that tried to read /etc/passwd and deliver a second stage payload from 173.212.205[.]251:8443.
Sysdig also said related activity pointed to credential harvesting, including collection of environment variables, configuration files, database information, and the contents of .env files. The company said exfiltrated secrets could expose connected databases and even create supply chain risk if those credentials are reused elsewhere.
The speed of this campaign fits a broader pattern that security teams have been warning about for years. Rapid7 said in its 2026 Global Threat Landscape Report that the median time from vulnerability disclosure to inclusion in CISA’s Known Exploited Vulnerabilities catalog dropped from 8.5 days to five days over the past year. Rapid7 also said the typical organization still takes about 20 days to deploy patches, which leaves defenders exposed far longer than attackers need to weaponize a new flaw.
What Langflow Users Should Do
For Langflow users, the immediate advice is to update to a patched version as soon as possible and to treat any public instance as potentially exposed.
Security teams should rotate keys and database passwords, review environment variables and secrets, check for unusual outbound connections, and restrict access with firewall rules or a reverse proxy with authentication. Sysdig said the campaign shows that attackers are moving quickly from vulnerability discovery to payload delivery, often before public exploit code is even available.
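One way to triage reverse proxy logs for requests that match the advisory's description (a POST to the public build endpoint that supplies the data parameter). This is an added example, not code from Langflow or Sysdig; it assumes the proxy records each request as a JSON line with ts, src, method, path and body fields, which is a constructed format, and that request bodies are being logged at all.

```python
import json
import re

# Endpoint named in the advisory; {flow_id} is matched as any single path segment.
PUBLIC_BUILD = re.compile(r"^/api/v1/build_public_tmp/[^/]+/flow/?$")

def is_suspect(record):
    """True for a POST to the public build endpoint whose JSON body carries 'data'."""
    if str(record.get("method") or "").upper() != "POST":
        return False
    path = str(record.get("path") or "").split("?", 1)[0]
    if not PUBLIC_BUILD.match(path):
        return False
    raw = record.get("body") or "{}"
    try:
        body = raw if isinstance(raw, dict) else json.loads(raw)
    except (TypeError, ValueError):
        return True  # unparseable body on this endpoint: surface for manual review
    return isinstance(body, dict) and body.get("data") is not None

def triage(lines):
    """Return (ts, src, path) for each suspect request in JSON-lines proxy logs."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # not a record in the assumed log format
        if isinstance(rec, dict) and is_suspect(rec):
            hits.append((rec.get("ts"), rec.get("src"), rec.get("path")))
    return hits

def _rec(ts, src, method, path, body):
    # Helper that builds one constructed log line in the assumed format.
    return json.dumps({"ts": ts, "src": src, "method": method, "path": path, "body": body})

# Constructed sample: documentation-range IPs and a placeholder flow id.
FLOW = "/api/v1/build_public_tmp/example-flow-id/flow"
SAMPLE_LOG = [
    _rec("2026-03-17T10:00:01Z", "198.51.100.7", "POST", FLOW, "{}"),
    _rec("2026-03-17T10:00:02Z", "203.0.113.9", "POST", FLOW, json.dumps({"data": {"nodes": []}})),
    _rec("2026-03-17T10:00:03Z", "203.0.113.9", "GET", FLOW, ""),
    _rec("2026-03-17T10:00:04Z", "192.0.2.44", "POST", "/api/v1/login", json.dumps({"data": {}})),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

Hits are leads for review alongside the outbound-connection and secret-rotation checks above, not proof of compromise.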
The attacks against CVE-2025-3248 and CVE-2026-33017 also highlight a larger problem for AI software, according to Sysdig. AI platforms often sit close to valuable data, connect to other business systems, and rely on complex automation features that can be dangerous when authentication or input handling is weak. In this case, a single missing safeguard turned a public feature into a path to remote code execution.