Vulnerability
Exploitation Wave
Langflow unauthenticated RCE exploitation and secret theft
Updated 26.03.2026 21:17
Case score 64
Score breakdown
- Total: 64
- Lead score: 61
- Support bonus: +3 / 20
- Scoring support: 1
- Context members: 0
Top contributors
- Vulnerability (base): Critical unauthenticated code-injection flaw in Langflow with rapid post-disclosure abuse risk.
- Exploitation Wave (support): Early exploitation activity confirms the flaw moved into active abuse and drove the case beyond disclosure alone.
Members 2
Latest activity 26.03.2026 21:17
Active exploitation
Patch available
CVSS: 9.8 Critical
First seen 20.03.2026 12:20
Last seen 20.03.2026 17:15
Overview
**CVE-2026-33017** in **Langflow** lets a remote attacker execute attacker-controlled Python code on exposed instances without authentication. Exploitation appeared within 20 hours of disclosure and quickly moved from scanning to custom scripts that targeted files, environment data, and secrets.
The activity included credential theft, database and configuration access, and callback traffic to **173.212.205[.]251:8443**. CISA added the flaw to **KEV** with a remediation date of **2026-04-08**, so exposed Langflow deployments should be patched and checked for compromise immediately.
Attackers are exploiting **CVE-2026-33017** in **Langflow**, a flaw that lets a remote, unauthenticated user run attacker-controlled Python code on exposed instances. The weakness combines missing authentication with code injection in the public build endpoint; affected versions run through **1.8.1**, with **1.9.0.dev8** identified as the addressed build. Exploitation began within 20 hours of public disclosure, and available evidence indicates attackers could build working exploits directly from the advisory description. Early activity moved from scanning to custom Python scripts that targeted files and environment data such as **/etc/passwd** and **.env**.
Automated requests from four source IPs using the same payload point to a shared wave against exposed Langflow deployments. Follow-on activity included theft of keys, credentials, databases, cloud credentials, and configuration files, plus callback traffic to **173.212.205[.]251:8443**. CISA added **CVE-2026-33017** to the Known Exploited Vulnerabilities catalog with a required action date of **2026-04-08**. Available evidence does not quantify how many servers were hit, but exposed Langflow instances remain at immediate risk while they are unpatched or reachable from the internet.
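As an added defender-side example (not code from the case write-up or the Langflow project), the Python helper below checks an installed Langflow version against the affected range stated above and scans egress log records for the reported callback endpoint. The `<timestamp> <host> ... dst=IP:PORT` log format and the sample records are constructed for the example.

```python
"""Triage helpers for CVE-2026-33017 in Langflow: is an installed build within
the affected range, and did any host contact the reported callback endpoint?"""
import re
from typing import Iterable, List, Tuple

FIXED_BUILD = "1.9.0.dev8"          # addressed build named in the case
CALLBACK_IP, CALLBACK_PORT = "173.212.205.251", 8443  # callback reported in the case

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.dev(\d+))?$")
_DST_RE = re.compile(r"dst=(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")

def parse_version(text: str) -> Tuple[int, ...]:
    """'X.Y.Z' or 'X.Y.Z.devN' -> sortable tuple; a dev build sorts before its
    final release (1.9.0.dev8 < 1.9.0), matching PEP 440 for these two forms."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    major, minor, patch, dev = m.groups()
    tail = (1, 0) if dev is None else (0, int(dev))  # final release=1, dev=0
    return (int(major), int(minor), int(patch)) + tail

def is_affected(installed: str) -> bool:
    """Conservative reading of the summary: every build older than the addressed
    build 1.9.0.dev8 is treated as affected (1.8.1 is the last affected release)."""
    return parse_version(installed) < parse_version(FIXED_BUILD)

def find_callback_events(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (timestamp, source host) for egress records whose destination is
    the callback IP:port. The '<ts> <host> ... dst=IP:PORT' format is constructed."""
    hits = []
    for line in lines:
        m = _DST_RE.search(line)
        if m and m.group(1) == CALLBACK_IP and int(m.group(2)) == CALLBACK_PORT:
            ts, host = line.split()[:2]
            hits.append((ts, host))
    return hits

# Constructed sample egress log for this example, not captured traffic.
SAMPLE_LOG = [
    "2026-03-20T12:25:41Z langflow-prod-01 egress dst=173.212.205.251:8443 proto=tcp bytes=5120",
    "2026-03-20T12:26:03Z langflow-prod-01 egress dst=203.0.113.10:443 proto=tcp bytes=820",
    "2026-03-20T17:10:58Z langflow-dev-02 egress dst=173.212.205.251:443 proto=tcp bytes=64",
    "2026-03-20T17:15:09Z langflow-dev-02 egress dst=173.212.205.251:8443 proto=tcp bytes=9981",
]

if __name__ == "__main__":
    for v in ("1.8.1", "1.9.0.dev7", "1.9.0.dev8", "1.9.0"):
        print(f"{v:<11} affected={is_affected(v)}")
    for ts, host in find_callback_events(SAMPLE_LOG):
        print(f"{host} contacted the callback endpoint at {ts}")
```

A hit on the callback endpoint alone is an indicator of a completed exploit chain, so hosts it names should be handled as suspected compromises rather than merely patched.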