The Cybersecurity and Infrastructure Security Agency (CISA) is alerting the public that a critical vulnerability, designated CVE-2026-33017, is currently being exploited by hackers within the Langflow framework, which is utilized for developing AI agents.
This vulnerability has attained a critical rating of 9.3 out of 10 and can facilitate remote code execution. This capability permits malicious actors to create public flows without requiring any form of authentication.
CISA has classified this issue under its list of Known Exploited Vulnerabilities, characterizing it as a code injection vulnerability.
Timeline of Exploitation
According to findings from Endor Labs, a prominent application security firm, the exploitation of CVE-2026-33017 commenced on March 19—approximately 20 hours following the release of the vulnerability advisory. At the time of its disclosure, no public proof-of-concept (PoC) exploit code existed. Endor Labs suspects that attackers developed their exploitation techniques directly from details presented in the advisory.
- Automated scanning activity was observed within 20 hours.
- Exploitation via Python scripts occurred within 21 hours.
- Data harvesting from files (.env and .db) took place within 24 hours.
About Langflow
Langflow is a widely recognized open-source visual framework designed for the development of AI workflows, garnering 145,000 stars on GitHub. It features a user-friendly drag-and-drop interface that allows users to connect nodes into actionable pipelines, coupled with a REST API for programmatic execution. Its extensive adoption within the AI development community renders it an appealing target for cybercriminals.
Previous Warnings
In May 2025, CISA issued an earlier alert regarding active exploitation within Langflow, focusing on CVE-2025-3248, a critical vulnerability associated with an API endpoint that allows unauthenticated remote code execution, potentially granting complete control of the server.
The newly identified flaw, CVE-2026-33017, empowers attackers to execute arbitrary Python code and affects Langflow versions 1.8.1 and earlier. It can be exploited through a singular crafted HTTP request due to the absence of sandboxing in flow execution.
While CISA has not indicated that ransomware actors are exploiting this latest flaw, it has mandated that federal agencies apply the requisite security updates or implement mitigations by April 8, or refrain from usage of the product.
Recommendations
System administrators are encouraged to upgrade to Langflow version 1.9.0 or later to rectify this security vulnerability or to disable and restrict access to the affected endpoint. Additionally, Endor Labs recommends the following measures:
- Avoid exposing Langflow directly to the internet.
- Monitor outbound traffic closely.
- Rotate API keys, database credentials, and cloud secrets upon detection of suspicious activity.
Although CISA's deadline formally pertains to organizations adhering to Binding Operational Directive (BOD) 22-01, it is advisable for private sector entities, state and local governments, and other organizations to regard it as a pertinent standard and take appropriate action.
Share this story