
Critical Langflow RCE Flaw Exploited in the Wild Within Hours of Disclosure

Attackers exploited a critical Langflow RCE flaw rated 9.3 within 20 hours of disclosure, stealing API keys and cloud credentials from AI pipelines with no password required.

Dr. Elena Rodriguez

Sysdig's honeypots registered the first automated scanning probes against a freshly disclosed Langflow vulnerability at 16:04 UTC on March 18, 2026, roughly 20 hours after the advisory went public. The first exploitation attempt occurred within 20 hours, while the first attack to successfully exfiltrate sensitive data was seen shortly before the 25-hour mark. No public proof-of-concept code existed when those probes landed.

On March 17, 2026, a critical vulnerability was disclosed in Langflow, the open-source visual framework for building AI agents and Retrieval-Augmented Generation (RAG) pipelines. The vulnerability, CVE-2026-33017, is an unauthenticated remote code execution flaw in the public flow build endpoint that allows attackers to execute arbitrary Python code on any exposed Langflow instance, with no credentials required and only a single HTTP request. Langflow version 1.8.1 was released on March 17 with patches for the critical vulnerability.

The mechanics of the flaw are straightforward, which is precisely what made it so dangerous so quickly. CVE-2026-33017 affects the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint, which is designed to allow unauthenticated users to build public flows. When the optional data parameter is supplied, the endpoint builds the flow from that attacker-controlled data, which can carry arbitrary Python code in node definitions, instead of from the stored flow data in the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution.

Sysdig first observed automated scanning activity on its CVE-2026-33017 honeypots on March 18 at 16:04 UTC, noting four IP addresses sending identical payloads within minutes of one another. This suggests one attacker using proxies or virtual private server (VPS) nodes to cycle through IP addresses rather than distinct attackers. The attacker deployed a payload that executes id, encodes the output in base64, and sends it to an interactsh callback server, likely probing for RCE-vulnerable instances.

Within 48 hours of the vulnerability being publicly disclosed, Sysdig observed exploitation attempts coming from six unique source IPs. During the initial phase of exploitation, mass scans were observed coming from four IPs, delivering the same payload, likely using an automated scanning tool. The second phase involved a different IP address and moved to active reconnaissance, employing pre-staged infrastructure to deploy payloads after validation. Data exfiltration was observed during the third phase, sourced from a different IP address. The custom scripts deployed during the second and third phases were seen sending data to the same command-and-control server.
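Added example, not from Sysdig or the Langflow project: one way to triage reverse-proxy access logs for POST requests to the endpoint named above and to spot bursts arriving from several source IPs, the pattern Sysdig describes. The combined log format, the 10-minute window and every sample line are assumptions constructed for the illustration.

```python
import re
from datetime import datetime, timedelta

# Endpoint path from the article; flow_id is matched as any single path segment.
ENDPOINT = re.compile(r"^/api/v1/build_public_tmp/[^/?\s]+/flow(?:\?.*)?$")
# Assumption: nginx/Apache "combined" access-log format.
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample: documentation-range IPs and a placeholder flow id.
P = "/api/v1/build_public_tmp/00000000-0000-0000-0000-000000000000/flow"
SAMPLE_LOG = [
    f'192.0.2.10 - - [18/Mar/2026:16:04:11 +0000] "POST {P} HTTP/1.1" 200 512',
    f'198.51.100.7 - - [18/Mar/2026:16:05:40 +0000] "POST {P} HTTP/1.1" 200 512',
    f'203.0.113.5 - - [18/Mar/2026:16:07:02 +0000] "GET {P} HTTP/1.1" 405 0',
    '203.0.113.9 - - [18/Mar/2026:16:08:30 +0000] "GET /health HTTP/1.1" 200 2',
    f'192.0.2.44 - - [19/Mar/2026:09:15:00 +0000] "POST {P} HTTP/1.1" 200 512',
]

def parse(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])

def find_hits(lines):
    """Every POST to the public build endpoint as (ip, timestamp, status), oldest first."""
    recs = filter(None, map(parse, lines))
    hits = [(ip, ts, st) for ip, ts, meth, path, st in recs
            if meth == "POST" and ENDPOINT.match(path)]
    return sorted(hits, key=lambda h: h[1])

def burst_clusters(hits, window=timedelta(minutes=10), min_ips=2):
    """Split hits at gaps longer than `window`; return the source IPs of each burst
    that came from at least `min_ips` addresses (one scanner rotating proxies)."""
    bursts = []
    for hit in hits:
        if bursts and hit[1] - bursts[-1][-1][1] <= window:
            bursts[-1].append(hit)
        else:
            bursts.append([hit])
    ip_sets = [sorted({h[0] for h in b}) for b in bursts]
    return [ips for ips in ip_sets if len(ips) >= min_ips]

if __name__ == "__main__":
    hits = find_hits(SAMPLE_LOG)
    for ip, ts, status in hits:
        print(ts.isoformat(), ip, status)
    print("multi-IP bursts:", burst_clusters(hits))
```

A hit is a lead rather than proof of compromise: the endpoint is designed for unauthenticated use, and a combined-format log does not record whether the data parameter was supplied.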

Attackers built working exploits directly from the advisory description and began scanning the internet for vulnerable instances. Exfiltrated information included keys and credentials, which provided access to connected databases and potential software supply chain compromise. Within 20 hours of the advisory going public, attackers began harvesting API keys for OpenAI, Anthropic, and AWS from compromised instances.

The downstream consequences of that credential harvest concern security professionals more than the initial code execution itself. Ram Varadarajan, CEO at Acalvio, told SC Media in an email: "Attackers are using Langflow as a pivot into connected AI pipelines, harvesting the API keys and database credentials that agentic workflows require to function, which means the downstream blast radius (poisoned pipelines, compromised tool-calls, corrupted retrieval stores) could dwarf the initial RCE."

Langflow is a popular open-source framework for building agentic AI workflows, with more than 145,000 stars on GitHub. Langflow instances are configured with API keys for OpenAI, Anthropic, AWS, and database connections. Compromising one instance can provide lateral access to cloud accounts and data stores. That breadth of integration is what makes unpatched deployments particularly consequential.

CVE-2026-33017 is distinct from CVE-2025-3248, an earlier Langflow RCE added to CISA's Known Exploited Vulnerabilities catalog in May 2025. CVE-2026-33017 had not been added to CISA's Known Exploited Vulnerabilities catalog as of March 22, 2026, despite confirmed active exploitation.

The speed of weaponization fits a documented and worsening trend. Sysdig cited figures from the Zero Day Clock initiative showing that median time-to-exploit collapsed from 771 days in 2018 to just hours in 2024. According to the same figures, by 2023, 44% of exploited vulnerabilities were weaponized within 24 hours of disclosure, and 80% of public exploits appeared before the official advisory was published. The median time for organizations to deploy patches is approximately 20 days, meaning defenders are exposed and vulnerable for far too long. Threat actors are monitoring the same advisory feeds that defenders use, and they are building exploits faster than most organizations can assess, test, and deploy patches. Organizations must completely reconsider their vulnerability programs to meet reality.

CVE-2026-33017 is fixed in Langflow version 1.9.0. Any organization running an earlier version with a publicly accessible Langflow instance should treat those deployments as potentially compromised, rotate all stored API keys and database credentials, and update immediately.
