PT-2026-25992 · Langflow Ai+1 · Langflow
Aviral2642
·
Published
2026-03-17
·
Updated
2026-03-23
·
CVE-2026-33017
CVSS v4.0
9.3
Critical
AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVE-2026-33017: Langflow RCE — 20 Hours from Advisory to Exploitation
If you're running Langflow exposed to the internet, patch now.
Here's what happened:
Langflow (145K GitHub stars) has an unauthenticated RCE in the public flow build endpoint: one POST request, no credentials needed.
Timeline:
- March 17: Advisory published on GitHub
- March 18 (20 hrs later): First exploitation attempts detected
What attackers did:
- Nuclei template scanning hit within hours, before any public PoC existed
- Custom Python scripts proxied through VPS nodes
- Dumped the environment to steal API keys, cloud credentials and database connection strings
- Stage-2 droppers pre-staged and ready
The targeting wasn't random: Langflow instances typically hold credentials for OpenAI, Anthropic, AWS and databases, which makes them high-value.
C2 infrastructure observed:
143.110.183.86:8080
173.212.205.251:8443
If you run Langflow:
- Patch to 1.8.0 or later NOW
- Audit the environment variables the instance could read; treat everything in them as exposed
- Rotate every credential the instance held or could reach (API keys, cloud credentials, database connection strings)
- Check for outbound connections to https://t.co/00H8HYWrlv, https://t.co/q6o9i9Kd9W, https://t.co/KWJ4bmQW4F
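The response steps above can be scripted. What follows is an added example, not code from the original post or from the Langflow project. It takes only two facts from the post, the 1.8.0 fix threshold and the two C2 endpoints; the connection-record format (`ss -tn` style, peer address last on the line), the credential-name patterns and the sample connection lines and environment are assumptions constructed for illustration.

```python
"""Triage helper for the response steps above (added example; not from the
original post or from Langflow itself). The 1.8.0 threshold and the C2
endpoints come from the post; the record format, credential-name patterns
and sample data below are assumptions."""
import re
from typing import Dict, Iterable, List, Tuple

# First patched release named in the post. Last field: 0 = final, -1 = pre-release.
FIXED_VERSION = (1, 8, 0, 0)

# C2 endpoints quoted in the post, keyed by IP so a different port still gets flagged.
C2_IPS: Dict[str, int] = {
    "143.110.183.86": 8080,
    "173.212.205.251": 8443,
}

# Assumed name patterns for variables that hold credentials. Matched on the
# name only, so secret values never end up in a report.
SECRET_NAME_RE = re.compile(
    r"API_?KEY|ACCESS_KEY|SECRET|TOKEN|PASSWORD|PASSWD|CREDENTIAL|DATABASE_URL|_URI$",
    re.IGNORECASE,
)

ADDR_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """'1.7.3' -> (1, 7, 3, 0); '1.8.0rc1' -> (1, 8, 0, -1), so pre-releases
    of the fixed version still count as unpatched."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)(.*)$", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, rest = m.groups()
    pre = -1 if re.match(r"[-._]?(a|b|rc|dev|alpha|beta)", rest, re.IGNORECASE) else 0
    return int(major), int(minor), int(patch), pre


def is_patched(version: str) -> bool:
    return parse_version(version) >= FIXED_VERSION


def find_c2_hits(conn_lines: Iterable[str]) -> List[Tuple[str, bool]]:
    """Scan ss/netstat-style records; the peer is the last ip:port on the line.
    Returns (line, exact_port_match) for every peer whose IP is on the C2 list."""
    hits: List[Tuple[str, bool]] = []
    for line in conn_lines:
        addrs = ADDR_RE.findall(line)
        if not addrs:
            continue
        ip, port = addrs[-1]
        if ip in C2_IPS:
            hits.append((line.strip(), int(port) == C2_IPS[ip]))
    return hits


def credential_vars(env: Dict[str, str]) -> List[str]:
    """Names of variables that look like credentials; this is the rotation list."""
    return sorted(name for name in env if SECRET_NAME_RE.search(name))


def triage(version: str, conn_lines: Iterable[str], env: Dict[str, str]) -> Dict[str, object]:
    return {
        "patched": is_patched(version),
        "c2_hits": find_c2_hits(conn_lines),
        "rotate": credential_vars(env),
    }


# Constructed sample data (not real captures); only the two C2 IPs are from the post.
SAMPLE_CONNECTIONS = [
    "tcp ESTAB    0 0 10.0.0.5:41522 140.82.112.3:443",
    "tcp ESTAB    0 0 10.0.0.5:51234 143.110.183.86:8080",
    "tcp SYN-SENT 0 1 10.0.0.5:51240 173.212.205.251:8443",
    "tcp ESTAB    0 0 10.0.0.5:51250 173.212.205.251:443",
]
SAMPLE_ENV = {
    "PATH": "/usr/bin",
    "LANGFLOW_HOST": "0.0.0.0",
    "OPENAI_API_KEY": "sk-redacted",
    "ANTHROPIC_API_KEY": "redacted",
    "AWS_SECRET_ACCESS_KEY": "redacted",
    "LANGFLOW_DATABASE_URL": "postgresql://user:redacted@db/langflow",
}

if __name__ == "__main__":
    report = triage("1.7.3", SAMPLE_CONNECTIONS, SAMPLE_ENV)
    print("patched:", report["patched"])
    for line, exact in report["c2_hits"]:
        tag = "C2 contact" if exact else "C2 IP on a different port"
        print(f"{tag}: {line}")
    print("rotate:", ", ".join(report["rotate"]))
```

On a live host, feed the output of `ss -tn` (or a netflow export with the peer as the last `ip:port` field) to `find_c2_hits` and `dict(os.environ)` of the Langflow process to `credential_vars`. The version check treats `1.8.0rc1` as unpatched on purpose; a plain string comparison would not.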
The window between disclosure and exploitation is now measured in hours. Not days. Hours.
#CVE #Langflow #infosec #cybersecurity #RCE #threatintel
Exploit · Fix · RCE · Eval Injection · Code Injection · Missing Authentication
Related Identifiers
Affected Products
Langflow