Full Report
The Cybersecurity and Infrastructure Security Agency (CISA) is warning that hackers are actively exploiting a critical vulnerability identified as CVE-2026-33017, which affects the Langflow framework for building AI agents. [...]
Analysis Summary
# Vulnerability: Langflow Code Injection and Remote Code Execution
## CVE Details
- **CVE ID:** CVE-2026-33017
- **CVSS Score:** 9.3 (Critical)
- **CWE:** CWE-94 (Code Injection)
## Affected Systems
- **Products:** Langflow (Open-source visual framework for AI workflows)
- **Versions:** 1.8.1 and earlier
- **Configurations:** Systems where Langflow is exposed to the network/internet without sufficient authentication or sandboxing.
## Vulnerability Description
CVE-2026-33017 is a critical code injection vulnerability arising from unsandboxed flow execution within the Langflow framework. The flaw allows an attacker to execute arbitrary Python code on the host server. Because the framework exposes the building of executable AI pipelines through a REST API, the lack of input validation or execution isolation makes remote code execution (RCE) possible with a single crafted HTTP request.
## Exploitation
- **Status:** **Exploited in the wild.** According to Endor Labs, automated scanning began within 20 hours of disclosure, with active exploitation (data harvesting) occurring within 24 hours.
- **Complexity:** Low (Attackers built exploits directly from advisory details; no initial PoC was required).
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Attackers have been observed harvesting `.env` and `.db` files, including API keys and credentials).
- **Integrity:** High (Arbitrary Python code execution allows for the modification of AI workflows and system files).
- **Availability:** High (Potential for full server takeover or service disruption).
## Remediation
### Patches
- **Upgrade to Langflow version 1.9.0 or later**, which addresses the unsandboxed execution flaw.
### Workarounds
- Disable or restrict access to the vulnerable API endpoints.
- Ensure Langflow instances are not directly exposed to the internet (place behind a VPN or firewall).
- Rotate all secrets, including API keys, database credentials, and cloud tokens, if an instance was exposed.
## Detection
- **Indicators of Compromise:**
  - Unauthorized access to, or creation of, public flows.
  - Presence of suspicious Python scripts or outbound traffic to unknown IPs.
  - Evidence of access to `.env` or `.db` files in server logs.
- **Detection methods and tools:**
  - Monitor for unexpected HTTP requests targeting flow execution endpoints.
  - Log and audit all administrative actions within the Langflow UI and API.
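The log checks listed above, sketched as a triage script. This is an added example, not code from the advisory or the Langflow project; it assumes a reverse proxy writing Combined Log Format, and the endpoint prefix, trusted network and log lines are constructed placeholders.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumption: placeholder prefix, NOT a real Langflow route. Replace it with the
# flow execution endpoint paths your own deployment exposes.
FLOW_EXEC_PREFIXES = ("/api/EXAMPLE-flow-execution/",)
# Assumption: networks that are expected to call the API.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
SECRET_FILE_RE = re.compile(r"\.(?:env|db)(?![A-Za-z0-9_])", re.IGNORECASE)

def decode_target(target, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (e.g. %252E) before matching."""
    for _ in range(rounds):
        target = unquote(target)
    return target

def is_trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # hostname or garbage in the client field
        return False
    return any(addr in net for net in TRUSTED_NETS)

def scan(lines):
    """Return {client_ip: [(rule, timestamp, decoded_target, status), ...]}."""
    findings = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        target = decode_target(m["target"])
        if SECRET_FILE_RE.search(target):
            findings[m["ip"]].append(("secret-file-reference", m["ts"], target, m["status"]))
        if (m["method"] == "POST" and not is_trusted(m["ip"])
                and target.split("?", 1)[0].startswith(FLOW_EXEC_PREFIXES)):
            findings[m["ip"]].append(("external-flow-execution", m["ts"], target, m["status"]))
    return dict(findings)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
10.1.2.3 - - [01/Jan/2026:10:00:00 +0000] "POST /api/EXAMPLE-flow-execution/abc HTTP/1.1" 200 512 "-" "internal"
203.0.113.7 - - [01/Jan/2026:10:05:00 +0000] "POST /api/EXAMPLE-flow-execution/abc HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.7 - - [01/Jan/2026:10:05:09 +0000] "GET /files/%252Eenv HTTP/1.1" 404 0 "-" "curl/8.0"
"""
```

Run `scan(open(path))` over the proxy access log; a hit is a lead for review, and a confirmed exposure calls for the upgrade and secret rotation described under Remediation.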
## References
- CISA Known Exploited Vulnerabilities Catalog: hxxp[://]www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
- NVD Detail: hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2026-33017
- Analyst Report: hxxp[://]www[.]sysdig[.]com/blog/cve-2026-33017-how-attackers-compromised-langflow-ai-pipelines-in-20-hours
- Project Repository: hxxps[://]github[.]com/langflow-ai/langflow