Current Cyber Threats

How Attackers Compromised Langflow AI Pipelines in 20 Hours

Summary:
On March 17, 2026, a critical unauthenticated remote code execution (RCE) vulnerability, tracked as CVE-2026-33017, was disclosed in Langflow, the widely used open-source visual framework for building AI agents and RAG pipelines. The flaw exists in the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint, which accepts attacker-supplied flow data containing arbitrary Python code in node definitions and executes it server-side without sandboxing; exploitation requires no credentials and only a single HTTP request.

Within approximately 20 hours of the advisory's publication, the Sysdig Threat Research Team observed the first exploitation attempts in the wild, with attackers constructing working exploits directly from the advisory text despite no public proof-of-concept code being available. Active exploitation progressed through three phases: automated scanning via privately authored Nuclei templates, custom Python-based exploit scripts conducting hands-on reconnaissance, and targeted credential harvesting operations that dumped environment variables, located configuration files, and extracted application secrets, including API keys and database connection strings.

Security Officer Comments:
The attack surface for CVE-2026-33017 is substantial. Langflow has over 145,000 GitHub stars and is frequently deployed by data science and engineering teams who may not follow the same patching cadence as production infrastructure. The high-value nature of Langflow deployments makes them especially attractive targets, as instances are routinely configured with API keys for providers such as OpenAI, Anthropic, and AWS, as well as database connections, meaning a single successful compromise can enable lateral movement into cloud accounts and downstream data stores, with meaningful software supply chain implications.

Observed attacker activity included environment variable exfiltration, targeted reads of .env files containing application secrets, and stage-two payload delivery attempts from pre-staged attacker infrastructure, indicating these were not opportunistic scans but prepared exploitation campaigns.

This vulnerability is distinct from the prior Langflow RCE, CVE-2025-3248, which was added to CISA's Known Exploited Vulnerabilities catalog in May 2025; CVE-2026-33017 has not yet been added to the KEV catalog despite confirmed active exploitation in the wild.

Suggested Corrections:
  • Organizations should update Langflow immediately; if a patched version is not yet available, network access to the /api/v1/build_public_tmp endpoint should be restricted or public flow building disabled entirely.
  • Any publicly exposed Langflow instance should be treated as potentially compromised; API keys, database passwords, and cloud credentials should be rotated as a precautionary measure, and environment variables and secrets should be audited.
  • Langflow should not be directly exposed to the internet without an authentication layer; firewall rules or a reverse proxy with authentication should be used to restrict access.
  • Defenders should monitor for outbound connections to known callback services such as oastify[.]com and interact[.]sh, as well as unexpected outbound traffic to unusual ports, which are indicators of active exploitation and exfiltration.
  • More broadly, organizations should inventory AI/ML workflow tooling; platforms like Langflow, n8n, and similar tools are increasingly targeted precisely because they carry broad API access and are frequently deployed outside standard security review processes.
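Added example (not code from the Sysdig report or the Langflow project): a small Python checker that flags POST requests to the advisory's build_public_tmp route in a web-server access log and DNS lookups of the callback services named above. The combined access-log format and every sample entry are constructed for the demonstration.

```python
"""Flag access-log requests to the Langflow endpoint named in CVE-2026-33017
and DNS-log lookups of the callback services the advisory lists."""
import re
from typing import Iterable, List, Tuple

# The vulnerable route from the advisory: POST /api/v1/build_public_tmp/{flow_id}/flow
BUILD_PUBLIC_TMP = re.compile(r"^/api/v1/build_public_tmp/[^/?]+/flow(?:\?.*)?$")

# nginx/Apache "combined" access-log format (assumed; adjust to your server's format).
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Callback services named in the report; matched as the apex domain or any subdomain.
CALLBACK_DOMAINS = ("oastify.com", "interact.sh")

def find_build_requests(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, timestamp, status) for each POST to the unauthenticated build route."""
    hits = []
    for line in lines:
        m = ACCESS_LINE.match(line)
        if m and m["method"] == "POST" and BUILD_PUBLIC_TMP.match(m["path"]):
            hits.append((m["ip"], m["ts"], m["status"]))
    return hits

def find_callback_lookups(hostnames: Iterable[str]) -> List[str]:
    """Return queried hostnames under a known callback domain (e.g. from resolver logs)."""
    out = []
    for host in hostnames:
        h = host.rstrip(".").lower()  # normalise trailing dot and case before comparing
        if any(h == d or h.endswith("." + d) for d in CALLBACK_DOMAINS):
            out.append(host)
    return out

# Constructed sample data for demonstration (not real telemetry).
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [18/Mar/2026:09:14:02 +0000] "POST /api/v1/build_public_tmp/1f2e3d4c/flow HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.4 - - [18/Mar/2026:09:14:05 +0000] "GET /api/v1/flows/ HTTP/1.1" 401 84 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Mar/2026:09:14:09 +0000] "POST /api/v1/build_public_tmp/1f2e3d4c/flow?stream=false HTTP/1.1" 200 498 "-" "python-requests/2.31"',
]
SAMPLE_DNS_QUERIES = ["abc123.oastify.com.", "api.openai.com", "xyz.interact.sh", "notinteract.sh"]

if __name__ == "__main__":
    for ip, ts, status in find_build_requests(SAMPLE_ACCESS_LOG):
        print(f"build_public_tmp POST from {ip} at {ts} (HTTP {status})")
    for host in find_callback_lookups(SAMPLE_DNS_QUERIES):
        print(f"callback-service lookup: {host}")
```

A hit on the build route is not proof of exploitation on its own, since legitimate public flows use the same path; correlate it with the callback lookups and with process or outbound-network telemetry from the Langflow host.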
Link(s):
https://www.sysdig.com/blog/cve-202...compromised-langflow-ai-pipelines-in-20-hours