45.207.216[.]55 Langflow IDOR-and-RCE campaign
Campaign
Summary
Hide ▲
Show ▼
A sustained Langflow exploitation campaign used CVE-2026-55255 and CVE-2026-33017 against an internet-exposed instance, combining reconnaissance, flow enumeration, IDOR abuse, and repeated RCE attempts over June 22-25, 2026. The activity was tied to 45.207.216[.]55 and returned to the same target after an earlier probe. The operation exposed LLM provider keys and AWS keys, raising the risk of follow-on intrusion and malware delivery.
Related Happenings
PraisonAI missing-authentication flaw actively probed (CVE-2026-44338)
Vulnerability
H score27
First: 14.05.2026 14:40
Last: 14.05.2026 14:40
Sources 1
About this happening:
Within **hours of disclosure**, **PraisonAI CVE-2026-44338** was being **probed on internet-exposed instances**, creating **unauthenticated access** risk for the legacy Flask API...
PraisonAI missing-authentication flaw actively probed (CVE-2026-44338)
VulnerabilityAbout this happening: Within **hours of disclosure**, **PraisonAI CVE-2026-44338** was being **probed on internet-exposed instances**, creating **unauthenticated access** risk for the legacy Flask API...
LofyGang Minecraft LofyStealer campaign
Campaign
H score38
First: 28.04.2026 20:39
Last: 28.04.2026 20:39
Sources 1
About this happening:
The **LofyGang** crew has re-emerged with a **Minecraft-player targeting** operation that uses **LofyStealer (GrabBot)**, increasing the risk of **credential and payment-data thef...
LofyGang Minecraft LofyStealer campaign
CampaignAbout this happening: The **LofyGang** crew has re-emerged with a **Minecraft-player targeting** operation that uses **LofyStealer (GrabBot)**, increasing the risk of **credential and payment-data thef...
Timeline
-
08.07.2026 08:33 1 articles · 1d ago
Operator first probes internet-exposed Langflow instance
Exploitation ObservedOn June 22, 2026, 45.207.216[.]55 first probed an internet-exposed Langflow instance later tied to CVE-2026-55255 and CVE-2026-33017, beginning with application/auth reconnaissance before the later exploitation sequence.
Show sources
- CISA Adds 4 Actively Exploited Adobe, Joomla, and Langflow Flaws to KEV — thehackernews.com — 08.07.2026 08:33
-
08.07.2026 08:33 1 articles · 1d ago
Operator chains Langflow IDOR with repeated RCE attempts
Exploitation ObservedOn June 25, 2026, 45.207.216[.]55 returned to an internet-exposed Langflow instance and ran application/auth reconnaissance, flow enumeration, CVE-2026-55255 IDOR abuse, and a sustained loop of CVE-2026-33017 RCE with outbound connection attempts.
Show sources
- CISA Adds 4 Actively Exploited Adobe, Joomla, and Langflow Flaws to KEV — thehackernews.com — 08.07.2026 08:33
-
08.07.2026 08:33 2 articles · 1d ago
Sysdig details Langflow IDOR-and-RCE campaign
Initial DisclosureSysdig said a lone operator using 45.207.216[.]55 ran a sustained Langflow campaign between June 22 and 25, 2026, combining CVE-2026-55255 cross-tenant IDOR abuse with CVE-2026-33017 RCE to steal LLM provider keys and AWS keys from an internet-exposed instance; CISA also added the exploited flaw to its KEV catalog after active exploitation.
Show sources
- CISA Adds 4 Actively Exploited Adobe, Joomla, and Langflow Flaws to KEV — thehackernews.com — 08.07.2026 08:33
- CISA Adds 4 Actively Exploited Adobe, Joomla, and Langflow Flaws to KEV — thehackernews.com — 08.07.2026 08:33