Threat actors started exploiting a critical Langflow vulnerability roughly 20 hours after public disclosure, Sysdig reports.
Langflow is a popular open source framework for creating and deploying AI agents and workflows using a visual builder interface, with over 145,000 GitHub stars and more than 8,000 forks.
On March 17, Langflow version 1.8.1 was released with patches for a critical vulnerability leading to unauthenticated remote code execution (RCE).
Tracked as CVE-2026-33017 (CVSS score of 9.3), the issue impacts a POST endpoint that allows developers to create public flows without requiring authentication.
Because of the bug, when the optional ‘data’ parameter is supplied, the endpoint uses flow data that an attacker can supply in node definitions in the form of Python code, instead of the flow data stored in the database.
The code is executed without sandboxing, leading to RCE without authentication. According to Sysdig, a single HTTP request is required to trigger the bug, and threat actors started exploiting it hours after public disclosure.
“This is notable because no public PoC repository existed on GitHub at the time of the first attack. The advisory itself contained enough detail (the vulnerable endpoint path and the mechanism for code injection via flow node definitions) for attackers to construct a working exploit without additional research,” Sysdig says.
Threat actors have been exploiting CVE-2026-33017 to steal keys and credentials required to access connected databases, potentially setting up for supply chain attacks.
Within 48 hours of the vulnerability being publicly disclosed, Sysdig observed exploitation attempts coming from six unique source IPs.
During the initial phase of exploitation, mass scans were observed coming from four IPs, delivering the same payload, likely using an automated scanning tool.
The second phase involved a different IP address and moved to active reconnaissance, employing pre-staged infrastructure to deploy payloads after validation.
Data exfiltration, Sysdig says, was observed during the third phase, which was sourced from a different IP address. The custom scripts deployed during the second and third phases were seen sending data to the same command-and-control (C&C) server.
“This overlap likely indicates a single operator working through multiple proxies or VPS nodes, though it could also reflect a shared exploitation toolkit,” Sysdig says.
Related: Critical ScreenConnect Vulnerability Exposes Machine Keys
Related: Russian APT Exploits Zimbra Vulnerability Against Ukraine
Related: CISA Warns of Attacks Exploiting Recent SharePoint Vulnerability
