CISA Warns of Active Langflow RCE, Trivy Supply Chain Attacks

Summary
– CISA added two new vulnerabilities (CVE-2026-33017 in Langflow and CVE-2026-33634 in Trivy) to its catalog, requiring federal agencies to patch them by early April.
– The Langflow vulnerability is a critical code injection flaw that was exploited in the wild within 20 hours of its public advisory being published.
– Attackers built working exploits for the Langflow flaw directly from the advisory, exfiltrating keys and credentials to access connected systems.
– The Trivy vulnerability involved a supply chain compromise where attackers published malicious software releases and images on platforms like Docker Hub.
– This Trivy compromise is linked to a subsequent supply chain attack on LiteLLM, a package present in a significant portion of monitored cloud environments.
A critical code injection flaw in a popular AI framework and a significant supply chain attack on a widely used security scanner have been added to the US government’s high-priority vulnerability list. The Cybersecurity and Infrastructure Security Agency (CISA) has mandated that federal civilian agencies patch these issues, designated CVE-2026-33017 in Langflow and CVE-2026-33634 in Aqua Security’s Trivy, by early April. This action underscores the immediate risk these actively exploited vulnerabilities pose to organizational security.
The Langflow vulnerability, tracked as CVE-2026-33017, is a critical remote code execution flaw affecting versions 1.8.2 and earlier. It enables unauthenticated attackers to execute arbitrary code on a Langflow instance by targeting a public flow build endpoint. The speed of weaponization following its disclosure is alarming. A detailed advisory was published on GitHub on March 17, 2026. According to cloud security firm Sysdig, exploitation attempts began within a mere 20 hours, before any public proof-of-concept code existed.
Attackers crafted working exploits directly from the advisory’s technical details and initiated internet-wide scans for vulnerable systems. Successful compromises led to the theft of keys and credentials, granting access to connected databases and creating potential for further software supply chain compromise. This rapid timeline demonstrates a fundamental shift in the threat landscape. The window between vulnerability disclosure and active exploitation has collapsed from months to hours, rendering traditional scheduled patch cycles dangerously inadequate. Security experts emphasize that runtime detection and rapid response capabilities are now essential to defend against such swift attacks.
Notably, researcher Aviral Srivastava discovered this flaw while analyzing how developers patched a previous Langflow vulnerability, CVE-2025-3248. This allowed him to identify the same class of security weakness in a different endpoint, suggesting that threat actors may also use similar analytical techniques to find and exploit fresh flaws.
Simultaneously, the cybersecurity community is grappling with the fallout from CVE-2026-33634, an identifier for the widespread Trivy supply chain attack attributed to a group called TeamPCP. The compromise, which occurred on March 19, 2026, involved several malicious actions. Attackers published a fraudulent Trivy v0.69.4 release, force-pushed version tags in related GitHub repositories to point to credential-stealing malware, and replaced all tags in another repository with malicious commits. They also distributed compromised Trivy container images on Docker Hub.
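A defensive check for the tag force-pushing described above, added here as an example (it is not code from Aqua Security, CISA or the article's source): it compares `git ls-remote --tags` output against a previously recorded tag-to-commit baseline and reports tags that now resolve to a different commit. The baseline, tag names and SHAs are constructed sample data, and the baseline is assumed to hold commit SHAs rather than tag-object SHAs.

```python
"""Detect Git tags that were re-pointed (force-pushed) since a trusted baseline."""

PEEL = "^{}"

def parse_ls_remote(text):
    """Map tag name -> commit SHA from `git ls-remote --tags <url>` output.

    Annotated tags appear twice: the tag object, then a peeled `^{}` line
    carrying the commit it points at. The peeled commit wins.
    """
    tags, peeled = {}, {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[1].startswith("refs/tags/"):
            continue  # skip blank or malformed lines
        sha, name = parts[0].lower(), parts[1][len("refs/tags/"):]
        if name.endswith(PEEL):
            peeled[name[:-len(PEEL)]] = sha
        else:
            tags[name] = sha
    tags.update(peeled)
    return tags

def diff_tags(baseline, current):
    """Return (moved, deleted, added) relative to the baseline mapping."""
    moved = {t: (baseline[t], current[t])
             for t in baseline if t in current and baseline[t] != current[t]}
    deleted = sorted(t for t in baseline if t not in current)
    added = sorted(t for t in current if t not in baseline)
    return moved, deleted, added

# Constructed sample data: SHAs and tag names are made up for illustration.
BASELINE = {"v1.0.0": "a" * 40, "v1.1.0": "b" * 40, "v1.2.0": "c" * 40}
SAMPLE_LS_REMOTE = "\n".join([
    "a" * 40 + "\trefs/tags/v1.0.0",      # unchanged
    "d" * 40 + "\trefs/tags/v1.1.0",      # lightweight tag now points elsewhere
    "e" * 40 + "\trefs/tags/v1.2.0",      # annotated tag object
    "f" * 40 + "\trefs/tags/v1.2.0^{}",   # commit it resolves to: changed
    "9" * 40 + "\trefs/tags/v1.3.0",      # new tag, not in baseline
])

if __name__ == "__main__":
    moved, deleted, added = diff_tags(BASELINE, parse_ls_remote(SAMPLE_LS_REMOTE))
    for tag, (old, new) in sorted(moved.items()):
        print(f"MOVED   {tag}: {old[:12]} -> {new[:12]}")
    for tag in deleted:
        print(f"DELETED {tag}")
    for tag in added:
        print(f"NEW     {tag}")
```

A moved or deleted release tag is the signal to investigate before any build consumes it; consumers that reference a full commit SHA instead of a tag are unaffected by the tag being re-pointed.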
This incident appears to have directly enabled a subsequent attack on LiteLLM, leading to tainted packages being uploaded to the Python Package Index (PyPI). Given that LiteLLM is present in over a third of cloud environments monitored by Wiz researchers, the potential for widespread impact is significant. BerriAI, LiteLLM’s creator, has halted new releases and engaged Mandiant for a full security review. Aqua Security has provided remediation guidance for Trivy users and promises further updates on its investigation.
While the German Federal Office for Information Security (BSI) reported several compromises linked to the Trivy attack, initial assessments indicate that no data exfiltration occurred. Both vulnerabilities highlight the escalating pace of modern cyber threats and the critical need for organizations to move beyond reactive patching toward proactive, continuous security monitoring.
(Source: Help Net Security)




