Find notable cyber news and cases, enriched with sources, timelines, and signals.

45.207.216[.]55 Langflow IDOR-and-RCE campaign

Campaign
First reported
Last updated
Happening score
H score 34
1 unique sources, 1 articles

Summary

Hide ▲

A sustained Langflow exploitation campaign used CVE-2026-55255 and CVE-2026-33017 against an internet-exposed instance, combining reconnaissance, flow enumeration, IDOR abuse, and repeated RCE attempts over June 22-25, 2026. The activity was tied to 45.207.216[.]55 and returned to the same target after an earlier probe. The operation exposed LLM provider keys and AWS keys, raising the risk of follow-on intrusion and malware delivery.

Related Happenings

PraisonAI missing-authentication flaw actively probed (CVE-2026-44338)

Vulnerability
H score27 First: 14.05.2026 14:40 Last: 14.05.2026 14:40 Sources 1

About this happening: Within **hours of disclosure**, **PraisonAI CVE-2026-44338** was being **probed on internet-exposed instances**, creating **unauthenticated access** risk for the legacy Flask API...

LofyGang Minecraft LofyStealer campaign

Campaign
H score38 First: 28.04.2026 20:39 Last: 28.04.2026 20:39 Sources 1

About this happening: The **LofyGang** crew has re-emerged with a **Minecraft-player targeting** operation that uses **LofyStealer (GrabBot)**, increasing the risk of **credential and payment-data thef...

Timeline

  1. 08.07.2026 08:33 1 articles · 1d ago

    Operator first probes internet-exposed Langflow instance

    Exploitation Observed

    On June 22, 2026, 45.207.216[.]55 first probed an internet-exposed Langflow instance later tied to CVE-2026-55255 and CVE-2026-33017, beginning with application/auth reconnaissance before the later exploitation sequence.

    Show sources
  2. 08.07.2026 08:33 1 articles · 1d ago

    Operator chains Langflow IDOR with repeated RCE attempts

    Exploitation Observed

    On June 25, 2026, 45.207.216[.]55 returned to an internet-exposed Langflow instance and ran application/auth reconnaissance, flow enumeration, CVE-2026-55255 IDOR abuse, and a sustained loop of CVE-2026-33017 RCE with outbound connection attempts.

    Show sources
  3. 08.07.2026 08:33 2 articles · 1d ago

    Sysdig details Langflow IDOR-and-RCE campaign

    Initial Disclosure

    Sysdig said a lone operator using 45.207.216[.]55 ran a sustained Langflow campaign between June 22 and 25, 2026, combining CVE-2026-55255 cross-tenant IDOR abuse with CVE-2026-33017 RCE to steal LLM provider keys and AWS keys from an internet-exposed instance; CISA also added the exploited flaw to its KEV catalog after active exploitation.

    Show sources