Geopolitics | Geopolitics Desk | 3 min read

Critical Langflow AI Platform Flaw Under Active Exploitation

A critical vulnerability in the Langflow AI platform came under active exploitation within 20 hours of disclosure, and CISA has added CVE-2026-33017 to its Known Exploited Vulnerabilities catalog.

A critical security flaw in Langflow, an open-source AI agent development platform, is under active exploitation by threat actors, according to security researchers and the U.S. Cybersecurity and Infrastructure Security Agency.

The vulnerability, tracked as CVE-2026-33017 with a CVSS score of 9.3, stems from missing authentication combined with code injection in Langflow's API endpoints. Attackers can achieve unauthenticated remote code execution by sending a single HTTP request containing malicious Python code.

Technical Details

The flaw affects the /api/v1/build_public_tmp/{flow_id}/flow endpoint, which is intentionally unauthenticated to serve public flows. However, when the optional data parameter is supplied, the endpoint uses attacker-controlled flow data containing arbitrary Python code instead of stored flow data from the database. This code is passed directly to Python's exec() function with no sandboxing.

Security researcher Aviral Srivastava, who discovered and reported the vulnerability on February 26, 2026, explained that the root cause involves the same exec() call used in a previous Langflow vulnerability, CVE-2025-3248.

The vulnerability affects all versions of Langflow prior to and including version 1.8.1. The issue has been addressed in development version 1.9.0.dev8.

Impact on AI Development

Cloud security firm Sysdig observed the first exploitation attempts within 20 hours of the vulnerability advisory's publication on March 17, 2026. At the time of initial exploitation, no public proof-of-concept code existed. Attackers built working exploits directly from the advisory description and began scanning the internet for vulnerable instances.

Exfiltrated information included API keys and credentials, which gave attackers access to connected databases and opened the way to potential software supply chain compromise. Threat actors were also observed moving from automated scanning to leveraging custom Python scripts to extract data from /etc/passwd and deliver unspecified next-stage payloads.

The attack activity suggests planning on the part of the threat actor, staging malware delivery once a vulnerable target is identified. Researchers noted this represents "an attacker with a prepared exploitation toolkit moving from vulnerability validation to payload deployment in a single session."

Broader Security Context

The 20-hour window between advisory publication and first exploitation aligns with an accelerating trend that has seen the median time-to-exploit shrink dramatically. According to Rapid7's 2026 Global Threat Landscape Report, the median time from vulnerability publication to inclusion in CISA's Known Exploited Vulnerabilities catalog dropped from 8.5 days to five days over the past year.

The Langflow vulnerability underscores how AI workloads are increasingly landing in attackers' crosshairs, owing to their access to valuable data, integration within the software supply chain, and insufficient security safeguards.

Organizations face a significant challenge: the median time for deploying patches is approximately 20 days, meaning defenders remain exposed and vulnerable for an extended period while threat actors operate at machine speed.

Mitigation Strategies

Users are advised to update to the latest patched version as soon as possible. Organizations should audit environment variables and secrets on any publicly exposed Langflow instance, rotate keys and database passwords as a precautionary measure, and monitor for outbound connections to unusual callback services.

Network access to Langflow instances should be restricted using firewall rules or a reverse proxy with authentication enabled. The complete removal of the data parameter from the public endpoint ensures public flows can only execute their stored server-side flow data and never accept attacker-supplied definitions.
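A stop-gap request filter for the reverse proxy described above, as an added example that is not Langflow's code or the project's patch. It assumes the optional data parameter arrives either in the query string or as a top-level key of a JSON body; the function names and sample requests are constructed for illustration.

```python
import json
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Unauthenticated public-flow build endpoint named in the article.
PUBLIC_BUILD = re.compile(r"^/api/v1/build_public_tmp/[^/]+/flow/?$")


def verdict(target: str, body: bytes = b"") -> str:
    """Return 'pass' or 'block:<reason>' for one request (target = path?query).

    Assumption, not stated in the article: the optional `data` parameter
    arrives as a query-string field or as a top-level key of a JSON body.
    """
    parts = urlsplit(target)
    if not PUBLIC_BUILD.match(unquote(parts.path)):
        return "pass"  # other routes are out of scope for this filter
    if "data" in parse_qs(parts.query, keep_blank_values=True):
        return "block:data-in-query"
    if not body.strip():
        return "pass"  # no body: the server can only use its stored flow
    try:
        doc = json.loads(body)
    except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
        return "block:unparseable-body"  # fail closed on what cannot be inspected
    if not isinstance(doc, dict):
        return "block:unexpected-body"
    if doc.get("data") is not None:
        return "block:data-in-body"
    return "pass"


# Constructed sample requests (flow id and body fields are made up).
SAMPLES = [
    ("/api/v1/build_public_tmp/3f1c/flow", b""),
    ("/api/v1/build_public_tmp/3f1c/flow", b'{"inputs": {"input_value": "hi"}}'),
    ("/api/v1/build_public_tmp/3f1c/flow", b'{"data": {"nodes": []}}'),
    ("/api/v1/build_public_tmp/3f1c/flow?data=x", b""),
    ("/api/v1/build_public_tmp/3f1c/flow", b"{not json"),
    ("/api/v1/flows/", b'{"data": {}}'),
]


def triage(samples=SAMPLES):
    """Apply verdict() to each (target, body) pair, preserving order."""
    return [verdict(target, body) for target, body in samples]
```

Run the check after the proxy has normalised the request path, and treat it as a bridge until the instance is upgraded, not a replacement for the upgrade.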

On March 25, 2026, CISA added CVE-2026-33017 to its Known Exploited Vulnerabilities catalog, requiring Federal Civilian Executive Branch agencies to apply fixes by April 8, 2026.

Cite this article

Bossblog Geopolitics Desk. (2026). Critical Langflow AI Platform Flaw Under Active Exploitation. Bossblog. https://bossblog-alpha.vercel.app/blog/2026-03-27-langflow-vulnerability
