Find notable cyber news and cases, enriched with sources, timelines, and signals.

Langflow CVE-2026-33017 exploitation wave

Exploitation Wave
First reported
Last updated
Happening score
H score 50
3 unique sources, 3 articles

Summary

Hide ▲

CVE-2026-33017 in Langflow is being exploited in a wider exploitation wave that now includes Monero miner delivery against exposed AI application endpoints. The activity uses an unauthenticated RCE to run attacker-supplied Python, pull a shell script, drop lambsys and XMRig, kill competing miners, disable defenses, and persist through cron and SSH. The campaign was observed over 19 days from March 27 to April 15, 2026, showing continued abuse of exposed Langflow instances for initial access and cryptojacking.

Cases

Related Happenings

Lambsys custom XMRig miner activity on SSH-reachable hosts

Malware Activity
H score34 First: 30.06.2026 18:47 Last: 30.06.2026 18:47 Sources 1

How related: Subsequently, it downloads the binary on the machine using curl or wget, launches it as a detached process, and spreads itself to every SSH-reachable host the victim can authenticate to.

About this happening: The **lambsys** malware is now being used to deploy a **custom XMRig miner** and spread to **SSH-reachable hosts**, turning compromised systems into persistent cryptomining infras...

Palo Alto Networks GlobalProtect log search guidance for CVE-2026-0257

Advisory/Mitigation
H score35 First: 15.06.2026 09:17 Last: 15.06.2026 09:17 Sources 1

About this happening: Palo Alto Networks is urging **GlobalProtect** customers to search logs for **successful gateway-connected events** tied to **CVE-2026-0257**, a step that can expose possible unau...

Langflow security patch release for CVE-2026-5027

Security Patch Release
H score38 First: 11.06.2026 00:23 Last: 11.06.2026 00:23 Sources 1

About this happening: **Langflow** shipped fixes for **CVE-2026-5027**, closing a **path traversal** flaw that let attackers write arbitrary files on exposed servers. The patch landed in **langflow-bas...

Langflow path traversal flaw (CVE-2026-5027)

Vulnerability
H score33 First: 10.06.2026 18:00 Last: 10.06.2026 18:00 Sources 1

About this happening: **Langflow**'s **CVE-2026-5027** is an **unpatched path traversal** vulnerability that is being **actively exploited** in the wild. The flaw lets an attacker write files to arbitr...

AI-driven worm reasons at runtime and self-replicates across a 33-host test network

Technical Analysis
H score40 First: 09.06.2026 14:59 Last: 09.06.2026 14:59 Sources 1

About this happening: Researchers demonstrated a **proof-of-concept AI-driven worm** that reasons at runtime and self-replicates, showing adaptive host-to-host spread across a **33-host** vulnerable te...

Timeline

  1. 20.03.2026 12:20 1 articles · 3mo ago

    March 17 advisory discloses CVE-2026-33017 in Langflow

    Initial Disclosure

    A March 17 advisory disclosed CVE-2026-33017 in Langflow, an unauthenticated remote code execution flaw with CVSS 9.3 that lets attackers execute arbitrary Python code on exposed instances with a single HTTP request and no credentials.

    Show sources
  2. 20.03.2026 12:20 4 articles · 3mo ago

    Observed exploit activity against exposed Langflow instances

    Exploitation Observed

    Sysdig reported on March 20 that honeypots saw threat actors build working exploits directly from the advisory description, scan exposed Langflow instances from four source IPs using the same payload, and use custom Python exploit scripts delivered via a stage-2 dropper to harvest databases, API keys, cloud credentials, and configuration files.

    Show sources