Find notable cyber news and cases, enriched with sources, timelines, and signals.
Vulnerability Exploitation Wave

Langflow unauthenticated RCE exploitation and secret theft

Updated 30.06.2026 18:47
Case score 64
Case score 64 Members 2 Latest activity 30.06.2026 18:47
Active exploitation Patch available CVSS: 9.8 Critical
Members 2 First seen 20.03.2026 12:20 Last seen 20.03.2026 17:15 Updated 30.06.2026 18:47

Overview

**CVE-2026-33017** in **Langflow** lets a remote attacker execute attacker-controlled Python code on exposed instances without authentication. Exploitation appeared within 20 hours of disclosure and quickly moved from scanning to custom scripts that targeted files, environment data, and secrets. The activity included credential theft, database and configuration access, and callback traffic to **173.212.205[.]251:8443**. CISA added the flaw to **KEV** with a remediation date of **2026-04-08**, so exposed Langflow deployments should be patched and checked for compromise immediately.

Signals

4 derived
Impact signals
Exploitation
Exploitation Active exploitation CVSS 9.8 Critical
CVEs/products
CVE
Remediation
Remediation Patch available

Malware context

7 families · 1 tools
Tools
curl

Member happenings

2 related
Vulnerability Langflow missing-authentication code-injection flaw (CVE-2026-33017)
Updated 20.03.2026 17:15 Lead Contribution 61
Exploitation Active Exploitation Exploit No Known Public Exploit CVSS 9.8 Critical Patch Patch Available

**Langflow**'s **CVE-2026-33017** is being **actively exploited** to deliver a **Monero miner** through exposed **AI application endpoints**. The campaign uses **unauthenticated RCE** to run attacker-supplied Python, pull a shell script, drop **lambsys** and **XMRig**, kill competing miner processes, disable host defenses, and persist through cron and SSH reuse. Activity was observed over **19 days** from **March 27 to April 15, 2026**, showing continued abuse of the same flaw in fresh cryptomining attacks.

Exploitation Wave Langflow CVE-2026-33017 exploitation wave
Updated 20.03.2026 12:20 Scoring Support Contribution 3
Exploitation Active Exploitation CVSS 9.8 Critical

**CVE-2026-33017** in **Langflow** is being exploited in a **wider exploitation wave** that now includes **Monero miner** delivery against **exposed AI application endpoints**. The activity uses an **unauthenticated RCE** to run attacker-supplied Python, pull a shell script, drop **lambsys** and **XMRig**, kill competing miners, disable defenses, and persist through **cron** and **SSH**. The campaign was observed over **19 days** from **March 27 to April 15, 2026**, showing continued abuse of exposed Langflow instances for initial access and cryptojacking.