Attackers have exploited a critical Langflow RCE within hours of disclosure, prompting the US Cybersecurity and Infrastructure Security Agency (CISA) to formally flag it for urgent remediation.

The flaw, which allows running arbitrary code on vulnerable Langflow instances without credentials, was weaponized within 20 hours of the open-source AI-pipeline tool disclosing it.

According to a Sysdig report, crooks started hitting a fleet of honeypot nodes with vulnerable instances across multiple cloud providers and regions right after they went live. Sysdig observed four such attempts within hours of deployment, with one attacker progressing to environment variable exfiltration.

“This is notable because no public POC repository existed on GitHub at the time of the first attack,” Sysdig researchers said. “The advisory itself contained enough detail (the vulnerable endpoint path and the mechanism for code injection via flow node definitions) for attackers to construct a working exploit without additional research.”

CISA has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch their systems by April 8, 2026.

A default setting allows code injection

The vulnerability, tracked as CVE-2026-33017, stems from an exposed API endpoint in Langflow, the open-source visual framework for building AI agents and Retrieval-Augmented Generation (RAG) pipelines.

The exposure allows attackers to submit malicious workflow data containing embedded Python code. Instead of using trusted data, the application executes this attacker-supplied code without any sandboxing, leading to unauthenticated remote code execution on affected systems, according to an NVD description.

“The build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code,” the description added. “This is distinct from CVE-2025-3248, which fixed /api/v1/validate/code by adding authentication.”

The code injection flaw affects Langflow versions up to (excluding) 1.8.2, and has been fixed in v1.9.0. It received a critical CVSS rating of 9.3 out of 10 because it is exploitable without authentication and with little effort, exposes a massive AI attack surface, and has high impact.

Pace of exploit raises concerns

Exploitation activity was observed less than a day after the vulnerability became public, which, Sysdig noted, demonstrates threat actors quickly operationalizing new vulnerabilities (probably through automation).

Attackers could build a working exploit just from the advisory description and quickly start scanning for flawed instances. “Exfiltrated information included keys and credentials, which provided access to connected databases and potential software supply chain compromise,” Sysdig researchers said.

With patch windows collapsing significantly, runtime detection remains the primary and only option, Sysdig noted. “Every attacker in this campaign followed the same post-exploitation playbook: execute a shell command via Python’s os.popen(), then exfiltrate the output over HTTP,” it said, adding that runtime rules can detect these attempts.

The way runtime detection can help is by working on “day zero,” the researchers explained. “These rules do not require a signature for CVE-2026-33017 specifically because they detect the exploitation behavior, not the vulnerability. The same rules would fire regardless of whether the initial access came through CVE-2026-33017, CVE-2025-3248, or any other RCE in an application.”
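The behavior-based approach described above can be sketched as a small correlation over process and network events. This is an added example, not Sysdig's rules or code from the report; the event schema, the `EXPECTED_NETS` allow-list, and the 30-second window are assumptions, and the sample events are constructed.

```python
import ipaddress
import os

SHELLS = {"sh", "bash", "dash", "ash"}
# Assumption: networks this service is expected to talk to (constructed values).
EXPECTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.0/8", "198.51.100.0/24")]

def is_shell_from_python(ev):
    """Exec event where a Python parent runs `<shell> -c ...`, as os.popen() does on POSIX."""
    argv = ev.get("argv", [])
    return (ev["type"] == "exec" and ev.get("pname", "").startswith("python")
            and len(argv) >= 3 and os.path.basename(argv[0]) in SHELLS and argv[1] == "-c")

def is_unexpected_egress(ev):
    """Connect event to a destination outside every expected network."""
    return ev["type"] == "connect" and not any(
        ipaddress.ip_address(ev["dst"]) in net for net in EXPECTED_NETS)

def detect(events, window_s=30):
    """Warn on each shell spawned by Python; go critical if unexpected egress follows in the same lineage."""
    alerts, parent, shells = [], {}, {}  # shells: shell pid -> its exec event
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "exec":
            parent[ev["pid"]] = ev["ppid"]
        if is_shell_from_python(ev):
            shells[ev["pid"]] = ev
            alerts.append({"rule": "shell_from_python", "severity": "warning",
                           "pid": ev["pid"], "cmd": ev["argv"][2]})
        elif is_unexpected_egress(ev):
            # Lineage: the connecting pid plus its ancestors seen in exec events.
            lineage, pid = set(), ev["pid"]
            while pid is not None and pid not in lineage:
                lineage.add(pid)
                pid = parent.get(pid)
            for sh in shells.values():
                # Match when the shell or one of its children connected, or the Python parent did.
                if ev["ts"] - sh["ts"] <= window_s and (sh["pid"] in lineage or sh["ppid"] == ev["pid"]):
                    alerts.append({"rule": "egress_after_python_shell", "severity": "critical",
                                   "pid": ev["pid"], "dst": ev["dst"], "cmd": sh["argv"][2]})
                    break
    return alerts

# Constructed sample events (not taken from the Sysdig report).
SAMPLE = [
    {"ts": 10.0, "type": "connect", "pid": 900, "dst": "198.51.100.20", "port": 443},
    {"ts": 50.0, "type": "exec", "pid": 4321, "ppid": 900, "pname": "python3", "argv": ["/bin/sh", "-c", "id"]},
    {"ts": 50.6, "type": "connect", "pid": 900, "dst": "203.0.113.7", "port": 80},
]
```

Nothing in the logic refers to a CVE or an endpoint path, so it fires the same way whichever application bug led to the shell.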

Sysdig also shared a list of indicators of compromise (IOCs), including attacker source IPs, detected C2 and staging infrastructure, dropper URLs, and interactsh callback domains. It recommends immediately upgrading to patched versions, restricting exposure, and monitoring for anomalous activity, emphasizing that exposed instances should be treated as potentially compromised.
