Find notable cyber news and cases, enriched with sources, timelines, and signals.

Langflow missing-authentication code-injection flaw (CVE-2026-33017)

Vulnerability
First reported
Last updated
Happening score
H score 55
2 unique sources, 3 articles

Summary

Hide ▲

Langflow's CVE-2026-33017 is being actively exploited to deliver a Monero miner through exposed AI application endpoints. The campaign uses unauthenticated RCE to run attacker-supplied Python, pull a shell script, drop lambsys and XMRig, kill competing miner processes, disable host defenses, and persist through cron and SSH reuse. Activity was observed over 19 days from March 27 to April 15, 2026, showing continued abuse of the same flaw in fresh cryptomining attacks.

Cases

Related Happenings

Langflow path traversal flaw (CVE-2026-5027)

Vulnerability
H score33 First: 10.06.2026 18:00 Last: 10.06.2026 18:00 Sources 1

About this happening: **Langflow**'s **CVE-2026-5027** is an **unpatched path traversal** vulnerability that is being **actively exploited** in the wild. The flaw lets an attacker write files to arbitr...

CISA KEV remediation deadline for Langflow

Public Sector Action
H score36 First: 26.03.2026 21:17 Last: 26.03.2026 21:17 Sources 1

How related: CISA did not mark the flaw as exploited by ransomware actors, but gave federal agencies until April 8 to apply the security updates or mitigations, or stop using the product.

About this happening: CISA added **CVE-2026-33017** to the **Known Exploited Vulnerabilities** list and ordered **federal agencies** to patch, mitigate, or stop using **Langflow** by **April 8, 2026**....

Langflow CVE-2026-33017 exploitation wave

Exploitation Wave
H score50 First: 20.03.2026 12:20 Last: 20.03.2026 12:20 Sources 1

How related: Researchers at application security company Endor Labs claim that hackers started exploiting CVE-2026-33017 on March 19, about 20 hours after the vulnerability advisory became public.

About this happening: **CVE-2026-33017** in **Langflow** is being exploited in a **wider exploitation wave** that now includes **Monero miner** delivery against **exposed AI application endpoints**. Th...

CISA KEV remediation deadline for SolarWinds WHD CVE-2025-40551

Public Sector Action
H score53 First: 04.02.2026 07:50 Last: 04.02.2026 07:50 Sources 1

About this happening: **CISA** added **CVE-2025-40551** in **SolarWinds Web Help Desk** to the **KEV catalog** and imposed **federal remediation deadlines**, turning a newly exploited flaw into a compl...

Notepad++ hit by network compromise

Incident
H score17 First: 03.02.2026 06:55 Last: 03.02.2026 06:55 Sources 1

About this happening: The **Notepad++** hosting breach enabled attackers to hijack the software update path and selectively redirect some users to **malicious servers**, creating a **supply-chain** ris...

Latest development: 18.02.2026 09:40

Notepad++ released version 8.9.2 to harden the update mechanism after the hijacked update path was used to deliver targeted malware. The release adds a "double lock" design with verification of the signed installer downloaded from GitHub and verification of the signed XML returned by the update server at notepad-plus-plus[.]org, and it also introduces WinGUp hardening including removal of libcurl.dll, removal of CURLSSLOPT_ALLOW_BEAST and CURLSSLOPT_NO_REVOKE, and restriction of plugin management execution to programs signed with the same certificate as WinGUp.

Timeline

  1. 20.03.2026 17:15 2 articles · 3mo ago

    Aviral Srivastava reports CVE-2026-33017

    Initial Disclosure

    Security researcher Aviral Srivastava discovers and reports CVE-2026-33017 in Langflow on February 26, 2026, identifying a critical flaw that would later be tied to unauthenticated remote code execution risk.

    Show sources
  2. 20.03.2026 17:15 1 articles · 3mo ago

    Langflow discloses CVE-2026-33017 in an advisory

    Technical Analysis Update

    Langflow publicly describes CVE-2026-33017 on March 17, 2026, saying the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication and can pass attacker-controlled flow data to exec(), with all versions prior to and including 1.8.1 affected and 1.9.0.dev8 identified as the addressed build.

    Show sources
  3. 20.03.2026 17:15 3 articles · 3mo ago

    Sysdig observes early exploitation of CVE-2026-33017

    Exploitation Observed

    Sysdig reports first exploitation attempts against CVE-2026-33017, saying attackers built working exploits directly from the advisory without public PoC code, moved from scanning to custom Python scripts, exfiltrated keys and credentials, and used 173.212.205[.]251:8443 to stage next-stage payloads.

    Show sources