A critical Langflow flaw, tracked as CVE-2026-33017, came under active exploitation within 20 hours of its public disclosure. The speed of weaponization shows how quickly threat actors now act on newly disclosed vulnerabilities, particularly in artificial intelligence platforms.
The flaw carries a CVSS score of 9.3 and combines missing authentication with code injection, leaving systems vulnerable to remote code execution. It specifically affects the `POST /api/v1/build_public_tmp/{flow_id}/flow` endpoint.
Critical Langflow Vulnerability Under Active Exploitation
According to Langflow’s official advisory, this endpoint allows public flows to be built without any authentication. When the optional `data` parameter is supplied, the endpoint uses the attacker-controlled flow data, which can contain arbitrary Python code within node definitions. That code is then executed by the `exec()` function without any sandboxing, resulting in unauthenticated remote code execution.
This vulnerability impacts all versions of the open-source AI platform up to and including version 1.8.1. While a fix is available in the development version 1.9.0.dev8, many instances remain exposed.
Security researcher Aviral Srivastava, who discovered and reported the flaw on February 26, 2026, emphasized that CVE-2026-33017 is distinct from another critical Langflow bug, CVE-2025-3248 (CVSS score: 9.8). The latter also involved arbitrary Python code execution without authentication, via the `/api/v1/validate/code` endpoint, and is already under active exploitation, as confirmed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
Srivastava detailed that CVE-2026-33017 stems from the same fundamental issue: an unsandboxed `exec()` call at the end of the processing chain for the affected endpoint. He explained that the endpoint is designed for public access, which makes it difficult to add an authentication requirement without breaking the core functionality of public flows. The recommended solution is to remove the `data` parameter from this public endpoint entirely, so that public flows can only execute their pre-stored server-side data and cannot accept user-supplied definitions.
The successful exploitation of CVE-2026-33017 could grant an attacker the ability to execute arbitrary code with the full privileges of the server process through a single HTTP request. This level of access allows for a range of malicious activities, including the exfiltration of environment variables, unauthorized modification or deletion of files, installation of backdoors, and even the establishment of a reverse shell.
Srivastava further described the exploitation process for CVE-2026-33017 as “extremely easy,” citing the use of a weaponized curl command. A single HTTP POST request containing malicious Python code within a JSON payload is sufficient to achieve immediate remote code execution.
Accelerating Exploitation Trends in Cybersecurity
Cloud security firm Sysdig reported observing the initial exploitation attempts in the wild within approximately 20 hours of the advisory’s publication on March 17, 2026. Notably, these attacks occurred even before any public proof-of-concept (PoC) code was available. Attackers reportedly constructed working exploits directly from the advisory’s description and immediately began scanning the internet for vulnerable Langflow instances.
Sysdig indicated that early exploitation efforts resulted in the exfiltration of sensitive information, including keys and credentials. This access could potentially lead to the compromise of connected databases and the software supply chain. Subsequent threat actor activity has evolved from automated scanning to custom Python scripts designed to extract data from files such as “/etc/passwd” and deliver payloads hosted on external servers.
The observed activities suggest a well-prepared threat actor. Sysdig noted that this behavior indicates attackers with a prepared exploitation toolkit moving from vulnerability validation to payload deployment within a single operational session. The identity of the threat actors behind these attacks remains unknown.
The rapid exploitation of CVE-2026-33017 aligns with a concerning trend of shrinking time-to-exploit (TTE). Median TTE has dramatically decreased from 771 days in 2018 to mere hours in 2024. Rapid7’s 2026 Global Threat Landscape Report highlights that the median time from vulnerability publication to its inclusion in CISA’s Known Exploited Vulnerabilities (KEV) catalog has fallen to five days, down from 8.5 days in the previous year.
“This timeline compression poses serious challenges for defenders,” the report states. “The median time for organizations to deploy patches is approximately 20 days, meaning defenders are exposed and vulnerable for far too long.” The report underscores that threat actors are actively monitoring the same information sources as defenders and are developing exploits faster than most organizations can assess, test, and implement patches. This necessitates a fundamental reconsideration of vulnerability management programs to align with current realities.
Users are strongly advised to update to the latest patched version of Langflow as a matter of urgency. Additionally, security best practices include auditing environment variables and secrets on any publicly exposed Langflow instances, rotating keys and database passwords as a precautionary measure, monitoring for unusual outbound network connections, and restricting network access to Langflow instances through firewall rules or a reverse proxy with authentication.
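For instances that cannot be upgraded immediately, the fix described above (public flows run only from stored server-side data) can be approximated in front of the application. The following is an added example, not Langflow's code or the advisory's: `block_reason` and `PublicFlowGuard` are hypothetical names, and it assumes `data` arrives as a top-level key of the JSON request body.

```python
import json
import re

# Endpoint named in the advisory; the flow_id segment is matched loosely.
PUBLIC_BUILD = re.compile(r"^/api/v1/build_public_tmp/[^/]+/flow/?$")

def block_reason(method, path, body):
    """Return why a request must be rejected, or None to let it through."""
    if method.upper() != "POST" or not PUBLIC_BUILD.match(path):
        return None
    if not body.strip():
        return None  # no body: the flow is built from stored server-side data
    try:
        doc = json.loads(body)
    except ValueError:
        return "unparseable body"  # fail closed instead of guessing
    if not isinstance(doc, dict):
        return "body is not a JSON object"
    if "data" in doc:  # assumption: `data` is a top-level JSON key
        return "caller-supplied flow definition"
    return None

class PublicFlowGuard:
    """Hypothetical ASGI wrapper: buffer the body, answer 403 or replay it."""
    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http" or not PUBLIC_BUILD.match(scope["path"]):
            return await self.app(scope, receive, send)
        body, more = b"", True
        while more:  # the body may arrive in several chunks
            msg = await receive()
            if msg["type"] != "http.request":
                break
            body += msg.get("body", b"")
            more = msg.get("more_body", False)
        if block_reason(scope["method"], scope["path"], body):
            await send({"type": "http.response.start", "status": 403, "headers": []})
            await send({"type": "http.response.body", "body": b"forbidden"})
            return
        pending = [{"type": "http.request", "body": body, "more_body": False}]
        async def replay():  # hand the buffered body to the app exactly once
            return pending.pop() if pending else await receive()
        await self.app(scope, replay, send)
```

The guard parses the body with a real JSON parser, so an escaped key name is still recognized, and anything it cannot parse is rejected rather than forwarded.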
The exploitation of both CVE-2025-3248 and CVE-2026-33017 underscores a growing trend of AI workloads becoming primary targets for attackers. This is due to the sensitive data they handle, their integration within critical software supply chains, and often insufficient security safeguards.
Sysdig concluded, “CVE-2026-33017 demonstrates a pattern that is becoming the norm rather than the exception: critical vulnerabilities in popular open-source tools are weaponized within hours of disclosure, often before public PoC code is even available.” The ongoing exploitation of these flaws suggests that organizations must prioritize rapid vulnerability patching and robust security monitoring to mitigate risks in the evolving threat landscape.

