Twenty Hours
Langflow got popped again. CVE-2026-33017 was weaponized in twenty hours, attackers harvested AI credentials, and it is the third critical RCE in twelve months. The agentic AI ecosystem has a structural security problem.
TL;DR
A critical unauthenticated RCE in Langflow was weaponized within twenty hours of disclosure – no proof-of-concept needed. Attackers harvested API keys for OpenAI, Anthropic, and AWS from compromised instances. This is the third critical RCE in Langflow in twelve months, and it points to a structural problem the entire agentic AI ecosystem needs to face: orchestration platforms that hold the keys to everything are being built like prototypes.
The facts
On March 17, 2026, a security advisory dropped for Langflow, the open source visual builder for AI agents and RAG pipelines. The vulnerability – CVE-2026-33017, CVSS 9.3 – allowed anyone on the internet to execute arbitrary Python code on a Langflow server. No credentials. No session tokens. One HTTP POST request.
Twenty hours later, attackers were already in.
Sysdig’s threat research team had honeypots deployed across multiple cloud providers. They watched it happen in real time. The first wave was automated scanning with privately authored Nuclei templates, identifiable by a cookie header that literally read client_id=nuclei-scanner. Within hours, a second wave arrived – custom Python scripts doing directory enumeration, system fingerprinting, and attempting to drop stage-two payloads from pre-staged infrastructure. By the thirty-hour mark, attackers were dumping full environment variables, pulling .env files, and exfiltrating database connection strings alongside API keys for OpenAI, Anthropic, and AWS.
No public proof-of-concept existed on GitHub when the first attacks hit. The advisory itself – the endpoint path, the injection mechanism – was enough. Attackers read the same disclosure that defenders did and moved faster.
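The two waves Sysdig describes leave obvious traces in a web access log: the scanner cookie and POST requests to the advisory's endpoint. The following is an added example of how a defender could sweep their own reverse-proxy or application logs for those traces; it is not Sysdig's tooling or Langflow code. The JSON-lines log format, its field names, and the sample records are constructed for the example (addresses are documentation ranges). The rule also covers the older CVE-2025-3248 endpoint mentioned later in this post, since a sweep for one should include the other.

```python
import json
import re
from collections import defaultdict

# Constructed sample access log (JSON lines). Field names are assumed for
# this example: ts, src_ip, method, path, status, cookie.
SAMPLE_ACCESS_LOG = """\
{"ts":"2026-03-18T06:12:01Z","src_ip":"203.0.113.7","method":"GET","path":"/api/v1/version","status":200,"cookie":"client_id=nuclei-scanner"}
{"ts":"2026-03-18T06:12:02Z","src_ip":"203.0.113.7","method":"POST","path":"/api/v1/build_public_tmp/7f3c2a0e-1111-2222-3333-444455556666/flow","status":200,"cookie":"client_id=nuclei-scanner"}
{"ts":"2026-03-18T06:30:45Z","src_ip":"198.51.100.23","method":"POST","path":"/api/v1/build_public_tmp/abc/flow","status":500,"cookie":""}
{"ts":"2026-03-18T06:31:10Z","src_ip":"198.51.100.23","method":"POST","path":"/api/v1/validate/code","status":401,"cookie":""}
{"ts":"2026-03-18T07:00:00Z","src_ip":"10.0.4.15","method":"GET","path":"/api/v1/flows/","status":200,"cookie":"access_token_lf=redacted"}
"""

# Endpoints named in the two advisories discussed in this post. Any POST to
# them from an unexpected source is worth a look regardless of status code:
# a 401 or 500 is still an attempt.
HIGH_RISK_POST_PATHS = [
    re.compile(r"^/api/v1/build_public_tmp/[^/]+/flow$"),  # CVE-2026-33017
    re.compile(r"^/api/v1/validate/code$"),                # CVE-2025-3248
]
# Cookie value Sysdig reported on the first scanning wave.
SCANNER_COOKIE = "client_id=nuclei-scanner"


def parse_access_log(text):
    """Parse a JSON-lines access log into dicts, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def classify(record):
    """Return the list of finding tags that apply to one access-log record."""
    tags = []
    if SCANNER_COOKIE in record.get("cookie", ""):
        tags.append("nuclei-scanner-cookie")
    if record.get("method") == "POST":
        for pattern in HIGH_RISK_POST_PATHS:
            if pattern.match(record.get("path", "")):
                tags.append("post-to-code-exec-endpoint")
                break
    return tags


def find_suspicious_sources(text):
    """Group findings by source IP: {ip: sorted list of tags}."""
    hits = defaultdict(set)
    for rec in parse_access_log(text):
        for tag in classify(rec):
            hits[rec["src_ip"]].add(tag)
    return {ip: sorted(tags) for ip, tags in hits.items()}


if __name__ == "__main__":
    for ip, tags in find_suspicious_sources(SAMPLE_ACCESS_LOG).items():
        print(ip, tags)
```

Only the scanner cookie is a true indicator; a POST to the endpoint is normal traffic for anyone who actually uses public flows, so the second tag should be read together with the source (internal versus internet) and the response status. Any hit with a 200 response on an unpatched instance should be treated as a compromise and trigger the credential rotation discussed below, not just an investigation.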
Why Langflow matters more than you think
Langflow is not some niche developer toy. It has over 145,000 GitHub stars. DataStax acquired the project in April 2024, and IBM subsequently acquired DataStax, folding Langflow into the watsonx AI portfolio. This is a platform that enterprises are actively weaving into production AI stacks.
But the real issue is what Langflow holds. An orchestration platform sits at the center of an organization’s AI infrastructure. It connects to LLM providers, vector databases, cloud storage, external APIs – and it stores the credentials for all of them. Compromising one Langflow instance does not just give you a shell on a server. It gives you the keys to every downstream system that server was configured to talk to.
That makes this a supply chain event, not a host compromise. The attackers who hit those honeypots were not interested in the servers themselves. They went straight for the environment variables. They knew what Langflow holds, and they knew where to find it.
Three strikes in twelve months
Here is the part that should make security leaders uncomfortable. CVE-2026-33017 is not an isolated bug. It is a pattern.
In May 2025, CISA added CVE-2025-3248 (CVSS 9.8) to the Known Exploited Vulnerabilities catalog. Trend Micro Research documented what happened next: attackers used publicly available proof-of-concept code to scan for exposed Langflow servers, ran reconnaissance commands to dump environment variables and cloud credentials, then delivered the Flodrix botnet – a DDoS payload that could also exfiltrate sensitive data from compromised hosts. The playbook was almost identical to what Sysdig would later observe with CVE-2026-33017: find the server, harvest the credentials, deploy the payload. That vulnerability hit the /api/v1/validate/code endpoint – same underlying problem, different door. The fix at the time added authentication checks to that specific endpoint. It did not address the fact that Langflow passes user-supplied code directly to Python’s exec() with no sandboxing.
Then came CVE-2025-34291 (CVSS 9.4), a critical account takeover and RCE chain that could be triggered by getting a user to visit a malicious webpage.
CVE-2026-33017 exploits yet another unauthenticated endpoint – /api/v1/build_public_tmp/{flow_id}/flow – that was designed to let anonymous users build public flows. The endpoint accepted attacker-controlled flow data containing arbitrary Python code, which got passed straight to exec(). Same pattern. Different entry point.
The patch in Langflow 1.9.0 removes the ability for that endpoint to accept external flow data entirely. Good. But the architectural question remains: how many other paths to unsandboxed code execution exist in a platform where running arbitrary Python is a core feature?
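To make the "same pattern, different entry point" concrete, here is an added, constructed illustration of the bug class and of the shape of the 1.9.0 fix as this post describes it (flow definitions no longer accepted from the client). It is not Langflow's code: the handler names, the in-memory flow store, the node layout, and the exception types are all assumptions made for the example. The vulnerable handler lets the unauthenticated request body supply the flow definition, so the node code that reaches exec() is whatever the caller sent; the hardened handler accepts only data from the request and loads the definition from the server-side store, checking that the flow was actually published.

```python
class FlowNotFound(Exception):
    pass


class FlowNotPublic(Exception):
    pass


class UntrustedFlowData(Exception):
    pass


# Constructed server-side store: flow_id -> definition saved by an
# authenticated author. Node "code" is Python the engine executes, which is
# the "arbitrary Python as a core feature" design the post talks about.
FLOW_STORE = {
    "flow-public-1": {
        "public": True,
        "nodes": [{"id": "n1", "code": "result = input_value.upper()"}],
    },
    "flow-private-1": {
        "public": False,
        "nodes": [{"id": "n1", "code": "result = len(input_value)"}],
    },
}


def run_nodes(flow, input_value):
    """Execute each node's code with a data-only namespace; return last result.

    This is deliberately still unsandboxed exec(): the only thing that makes it
    tolerable is that the code must come from the store, never from the client.
    """
    result = None
    for node in flow["nodes"]:
        namespace = {"input_value": input_value}
        exec(node["code"], namespace)
        result = namespace.get("result")
    return result


def build_public_flow_vulnerable(flow_id, request_body):
    """The bug class: the flow definition is taken from the request body."""
    # If the caller includes a "flow" object, it wins over the stored one, so
    # the node code passed to exec() is attacker-controlled.
    flow = request_body.get("flow") or FLOW_STORE.get(flow_id)
    if flow is None:
        raise FlowNotFound(flow_id)
    return run_nodes(flow, request_body.get("input_value", ""))


def build_public_flow_hardened(flow_id, request_body):
    """Shape of the fix: clients supply data only; definitions come from the store."""
    if "flow" in request_body or "nodes" in request_body:
        raise UntrustedFlowData("flow definitions are not accepted from clients")
    flow = FLOW_STORE.get(flow_id)
    if flow is None:
        raise FlowNotFound(flow_id)
    if not flow.get("public"):
        raise FlowNotPublic(flow_id)
    input_value = request_body.get("input_value", "")
    if not isinstance(input_value, str):
        raise UntrustedFlowData("input_value must be a string")
    return run_nodes(flow, input_value)


def outcome(handler, flow_id, request_body):
    """Run a handler and summarise the result as a string, for demos and tests."""
    try:
        return "ok:" + repr(handler(flow_id, request_body))
    except (FlowNotFound, FlowNotPublic, UntrustedFlowData) as exc:
        return "rejected:" + type(exc).__name__


if __name__ == "__main__":
    client_definition = {"public": True, "nodes": [{"id": "x", "code": "result = 'client code ran'"}]}
    print(outcome(build_public_flow_vulnerable, "flow-public-1", {"flow": client_definition}))
    print(outcome(build_public_flow_hardened, "flow-public-1", {"flow": client_definition}))
    print(outcome(build_public_flow_hardened, "flow-public-1", {"input_value": "hello"}))
    print(outcome(build_public_flow_hardened, "flow-private-1", {"input_value": "hello"}))
```

Note what the hardened version does and does not buy you. Rejecting client-supplied definitions closes this endpoint, and the public flag stops anonymous callers from running flows their authors never published. It does nothing about the architectural question in the paragraph above: stored node code still runs unsandboxed inside the server process, so every authenticated author of a flow, and every other path that can write to the store, is still a code-execution path.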
The twenty-hour window problem
The speed of exploitation here is the headline, but it is also the wrong thing to fixate on. Twenty hours is fast, but it is not unusual anymore.
The Zero Day Clock project, which tracks time-to-exploit across 83,000+ CVEs, reports that the median time-to-exploit has collapsed from 771 days in 2018 to hours in 2024. By 2023, 44% of exploited vulnerabilities were weaponized within 24 hours of disclosure. The median time for organizations to deploy patches sits around 20 days.
Read those numbers again. Attackers need hours. Defenders need weeks. The gap is not closing – it is widening. And traditional patch management was designed for a world where you had days or weeks of runway, not a world where someone builds a private Nuclei template before your security team finishes reading the advisory.
Sysdig made the obvious but correct point: runtime detection is the only thing that works on day zero. Their monitoring caught every attacker in this campaign because they all followed the same post-exploitation playbook – shell command via os.popen(), exfiltration over HTTP. The detection rules did not require a signature for CVE-2026-33017 specifically. They detected the behavior, not the vulnerability. That distinction matters. The same rules would have fired for CVE-2025-3248 or any other RCE that lands a shell.
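The behaviour-not-vulnerability point is easy to state and worth seeing as rules. The following is an added example, not Sysdig's detection content or Falco rules, of four behavioural rules over process, file and network events of the kind a runtime sensor emits: a Python interpreter spawning a shell (what os.popen() does), a shell in that lineage reading a secrets file, a download tool appearing under that lineage, and egress from the Python process or its children to a host outside the deployment's allowlist. The event schema, the process names, the allowlist and the sample event stream are all constructed for the example; none of the rules mention a CVE, which is the point.

```python
# Process-name sets are assumptions for this example; tune them per deployment.
SHELLS = {"sh", "bash", "dash", "zsh"}
PYTHON = {"python", "python3", "python3.12", "uvicorn", "langflow"}
DOWNLOADERS = {"curl", "wget"}
SENSITIVE_FILES = (".env", ".aws/credentials")
# Hosts the orchestration layer legitimately talks to (constructed allowlist).
EGRESS_ALLOWLIST = {"api.openai.com", "api.anthropic.com"}

# Constructed event stream in the shape of what a sensor might emit. The first
# two events are normal startup and provider traffic; the rest mirror the
# post-exploitation sequence described in the post.
SAMPLE_EVENTS = [
    {"type": "exec", "pid": 100, "ppid": 1, "comm": "python3", "pcomm": "bash", "cmdline": "python3 -m langflow run"},
    {"type": "connect", "pid": 100, "comm": "python3", "dest_host": "api.openai.com", "dest_port": 443},
    {"type": "exec", "pid": 200, "ppid": 100, "comm": "sh", "pcomm": "python3", "cmdline": "sh -c env"},
    {"type": "open", "pid": 200, "comm": "sh", "path": "/app/.env"},
    {"type": "exec", "pid": 201, "ppid": 200, "comm": "curl", "pcomm": "sh", "cmdline": "curl http://198.51.100.77/"},
    {"type": "connect", "pid": 100, "comm": "python3", "dest_host": "198.51.100.77", "dest_port": 80},
]


def _register(procs, ev):
    """Record a process and its parent from an exec event."""
    procs[ev["pid"]] = {"comm": ev["comm"], "ppid": ev["ppid"]}
    procs.setdefault(ev["ppid"], {"comm": ev["pcomm"], "ppid": None})


def _python_ancestor(procs, pid):
    """True if any ancestor of pid (not pid itself) is a Python interpreter."""
    seen = set()
    ppid = procs.get(pid, {}).get("ppid")
    while ppid is not None and ppid not in seen:
        seen.add(ppid)
        parent = procs.get(ppid)
        if parent is None:
            return False
        if parent["comm"] in PYTHON:
            return True
        ppid = parent["ppid"]
    return False


def detect(events):
    """Apply the behavioural rules in order; return (rule, pid, detail) alerts."""
    procs = {}
    alerts = []
    for ev in events:
        pid = ev["pid"]
        if ev["type"] == "exec":
            _register(procs, ev)
            # Rule 1: the interpreter itself spawned a shell (os.popen, subprocess).
            if ev["comm"] in SHELLS and ev["pcomm"] in PYTHON:
                alerts.append(("python-spawned-shell", pid, ev["cmdline"]))
            # Rule 2: a download/transfer tool anywhere below the interpreter.
            if ev["comm"] in DOWNLOADERS and _python_ancestor(procs, pid):
                alerts.append(("download-tool-under-python", pid, ev["cmdline"]))
        elif ev["type"] == "open":
            comm = procs.get(pid, {}).get("comm", ev.get("comm"))
            # Rule 3: a spawned shell reading a secrets file (the .env grab).
            if ev["path"].endswith(SENSITIVE_FILES) and comm in SHELLS and _python_ancestor(procs, pid):
                alerts.append(("secret-file-read-by-spawned-shell", pid, ev["path"]))
        elif ev["type"] == "connect":
            comm = procs.get(pid, {}).get("comm", ev.get("comm"))
            # Rule 4: egress from the interpreter or its lineage to a host that is
            # not a known provider endpoint (exfiltration over HTTP).
            if (comm in PYTHON or _python_ancestor(procs, pid)) and ev["dest_host"] not in EGRESS_ALLOWLIST:
                alerts.append(("egress-to-unallowlisted-host", pid, ev["dest_host"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Rule 1 alone would have fired on the CVE-2025-3248 campaign and on this one, which is the property the paragraph above is after. The egress allowlist is the rule most likely to need tuning, because an orchestration platform legitimately talks to many providers; keep it as an explicit, reviewed list rather than letting it grow to "anything on 443", or the rule stops meaning anything.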
What this actually means for security leaders
Langflow is one platform. The risk class is much bigger.
The agentic AI ecosystem is full of orchestration tools – n8n, Flowise, Dify, CrewAI, AutoGen – that occupy the same architectural position. They all sit between AI models and downstream infrastructure. They all store credentials. They all execute user-defined logic as a core feature. And most of them are open source projects shipping features at startup speed, not security-hardened enterprise middleware. Trend Micro Research tracked the Flodrix campaign through CVE-2025-3248; Sysdig caught the credential harvesting through CVE-2026-33017. Two different research teams, two different CVEs, same attack pattern, same target class. That should tell you something about where threat actors are focusing.
If you are deploying any of these platforms, three things need to happen immediately.
First, treat your AI orchestration layer as critical infrastructure. It deserves the same security posture as your CI/CD pipeline or your secrets management system – because it is effectively both, combined into a drag-and-drop interface.
Second, stop exposing these tools to the internet. Langflow’s vulnerable endpoint was public by design. “Public flows” is a feature. The attack surface was intentional. If your orchestration platform has a publicly accessible API that can accept and execute arbitrary payloads, you have already lost the argument about whether to put it behind a VPN.
Third, assume your patch window is zero. Runtime detection, network segmentation, and credential rotation are not nice-to-haves. They are the only thing standing between you and a supply chain compromise that unfolds before your team finishes their morning coffee.
CISA added CVE-2026-33017 to the KEV catalog on March 25, 2026, with a remediation deadline of April 8. If you are reading this and have not patched yet, the deadline is not April 8. The deadline was twenty hours after March 17.
The bigger picture
There is something almost elegant about the Langflow saga. A platform designed to make AI accessible – visual, low-code, open source – turns out to be accessible to everyone, including people with Nuclei templates and pre-staged command-and-control infrastructure.
The AI industry is building orchestration layers faster than it is securing them. New frameworks appear weekly. Each one promises to simplify the complex work of connecting models to tools, data, and actions. Each one, by definition, becomes a credential aggregator and a code execution engine. And the security model for most of them is whatever the developers remembered to bolt on before the next feature shipped.
Three critical RCEs in twelve months from a single platform should be a wake-up call. Not just for Langflow users – the 1.9.0 patch exists, go install it – but for anyone building or deploying agentic AI infrastructure. The tools that connect your AI to everything else are the tools that attackers will target first. And right now, most of those tools are not ready for that attention.
The twenty-hour window was not an anomaly. It was a preview.
Sources
- Sysdig Threat Research Team, “CVE-2026-33017: How attackers compromised Langflow AI pipelines in 20 hours,” sysdig.com, March 2026
- Cloud Security Alliance, “Langflow RCE CVE-2026-33017: Exploited Within 20 Hours,” labs.cloudsecurityalliance.org, March 2026
- Cloud Security Alliance, “Langflow CVE-2026-33017: Unauthenticated RCE in AI Orchestration,” labs.cloudsecurityalliance.org, March 2026
- CISA, “CISA Adds One Known Exploited Vulnerability to Catalog,” cisa.gov, March 25, 2026
- CSO Online, “Attackers exploit critical Langflow RCE within hours as CISA sounds alarm,” csoonline.com, March 2026
- NVD, “CVE-2026-33017,” nvd.nist.gov
- Trend Micro, “Critical Langflow Vulnerability (CVE-2025-3248) Actively Exploited,” trendmicro.com, 2025
- Obsidian Security, “CVE-2025-34291: Critical Account Takeover and RCE Vulnerability in Langflow,” obsidiansecurity.com, 2025
- GitHub Security Advisory GHSA-vwmf-pq79-vjvx, github.com