CISA Warns Hackers Exploit Langflow AI Flaw
▼ Summary
– CISA warns that hackers are actively exploiting a critical remote code execution vulnerability (CVE-2026-33017) in the Langflow AI framework.
– The vulnerability, with a 9.3 severity score, is a code injection flaw that allows unauthenticated attackers to execute arbitrary Python code via a crafted HTTP request.
– Exploitation began rapidly, with automated scanning starting roughly 20 hours after the public vulnerability advisory was released.
– CISA has given federal agencies a deadline to apply updates or mitigations, and recommends all organizations upgrade to Langflow version 1.9.0 or later.
– Security advice includes not exposing Langflow directly to the internet and rotating credentials if suspicious activity is detected.
A critical security flaw in a widely used AI development framework is now under active attack. The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning regarding CVE-2026-33017, a severe vulnerability in the Langflow platform that enables remote code execution. This flaw, which carries a critical severity rating of 9.3 out of 10, allows attackers to inject and run arbitrary code without any authentication, posing a significant risk to organizations using the tool.
Researchers from Sysdig report that malicious exploitation began on March 19, a mere 20 hours after the vulnerability’s public disclosure. Notably, there was no available proof-of-concept exploit code at that time, indicating that threat actors likely crafted their attacks directly from the technical details in the security advisory. The timeline of the attack was rapid and methodical. Automated scanning for vulnerable systems commenced within 20 hours, followed by active exploitation using Python scripts an hour later. Within 24 hours, attackers were harvesting sensitive data, including critical .env and .db files from compromised servers.
Langflow is a prominent open-source visual framework for constructing AI agents and workflows, boasting over 145,000 stars on GitHub. Its drag-and-drop interface for building executable pipelines and its supporting REST API have led to widespread adoption across the AI development community, making it a high-value target for cybercriminals. This is not the first time the platform has been in the crosshairs. In May 2025, CISA warned of active attacks exploiting a different critical flaw, CVE-2025-3248, which also permitted unauthenticated remote code execution.
The newly exploited vulnerability impacts Langflow versions 1.8.1 and earlier. The root cause is unsandboxed flow execution, which lets an attacker trigger arbitrary Python code through a single, specially crafted HTTP request. While CISA has not attributed this activity to ransomware actors, the potential for complete server compromise is clear. The agency has added the flaw to its Known Exploited Vulnerabilities catalog and has mandated that all federal civilian executive branch agencies apply patches or other mitigations by April 8.
For all organizations using Langflow, immediate action is required. System administrators must upgrade to version 1.9.0 or later to resolve the security issue. If an immediate upgrade is not possible, the recommended action is to disable or strictly restrict access to the vulnerable endpoint. Broader security best practices are also critical. Sysdig advises administrators to avoid exposing Langflow instances directly to the internet, to diligently monitor outbound network traffic, and to proactively rotate all API keys and database credentials if any suspicious activity is detected.
Although the April 8 deadline formally applies to federal agencies under Binding Operational Directive 22-01, CISA strongly recommends that private sector companies, along with state and local governments, treat this date as a crucial benchmark for their own remediation efforts. The speed of this attack campaign underscores the importance of prompt patching for critical vulnerabilities in essential development tools.
(Source: BleepingComputer)
