{"id":16013,"date":"2026-03-27T12:05:59","date_gmt":"2026-03-27T12:05:59","guid":{"rendered":"https:\/\/newestek.com\/?p=16013"},"modified":"2026-03-27T12:05:59","modified_gmt":"2026-03-27T12:05:59","slug":"attackers-exploit-critical-langflow-rce-within-hours-as-cisa-sounds-alarm","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=16013","title":{"rendered":"Attackers exploit critical Langflow RCE within hours as CISA sounds alarm"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>Attackers have exploited a critical Langflow RCE within hours of disclosure, prompting the US Cybersecurity and Infrastructure Security Agency (CISA) to formally flag it for urgent remediation.<\/p>\n<p>The flaw, which allows running arbitrary code on vulnerable Langflow instances without credentials, was weaponized within 20 hours of the open-source AI-pipeline tool\u00a0<a href=\"https:\/\/github.com\/langflow-ai\/langflow\/security\/advisories\/GHSA-vwmf-pq79-vjvx\" target=\"_blank\">disclosing<\/a>\u00a0it.<\/p>\n<p>According to a Sysdig <a href=\"https:\/\/www.sysdig.com\/blog\/cve-2026-33017-how-attackers-compromised-langflow-ai-pipelines-in-20-hours\" target=\"_blank\" rel=\"noreferrer noopener\">report<\/a>, crooks started hitting a fleet of honeypot nodes with vulnerable instances across multiple cloud providers and regions right after they went live. Sysdig observed four such attempts within hours of deployment, with one attacker progressing to environment variable exfiltration.<\/p>\n<p>\u201cThis is notable because no public POC repository existed on GitHub at the time of the first attack,\u201d Sysdig researchers said. 
\u201cThe advisory itself contained enough detail (the vulnerable endpoint path and the mechanism for code injection via flow node definitions) for attackers to construct a working exploit without additional research.\u201d<\/p>\n<p>CISA has <a href=\"https:\/\/www.cisa.gov\/news-events\/alerts\/2026\/03\/25\/cisa-adds-one-known-exploited-vulnerability-catalog\" target=\"_blank\" rel=\"noreferrer noopener\">added<\/a> the flaw to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to patch their systems by April 8, 2026.<\/p>\n<h2 class=\"wp-block-heading\">A default setting allows code injection<\/h2>\n<p>The vulnerability, tracked as CVE-2026-33017, stems from an exposed API endpoint in Langflow, the open-source visual framework for building AI agents and Retrieval-Augmented Generation (<a href=\"https:\/\/www.csoonline.com\/article\/4132860\/why-2025s-agentic-ai-boom-is-a-cisos-worst-nightmare.html\">RAG<\/a>) pipelines.<\/p>\n<p>The exposure allows attackers to submit malicious workflow data containing embedded Python code. Instead of using trusted data, the application executes this attacker-supplied code without any sandboxing, leading to unauthenticated remote code execution on affected systems, according to an NVD <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-33017\" target=\"_blank\" rel=\"noreferrer noopener\">description<\/a>.<\/p>\n<p>\u201cThe build_public_tmp endpoint is designed to be unauthenticated (for public flows) but incorrectly accepts attacker-supplied flow data containing arbitrary executable code,\u201d the description added. \u201cThis is distinct from <a href=\"https:\/\/www.csoonline.com\/article\/3978918\/critical-flaw-in-ai-agent-dev-tool-langflow-under-active-exploitation.html\">CVE-2025-3248<\/a>, which fixed \/api\/v1\/validate\/code by adding authentication.\u201d<\/p>\n<p>The code injection flaw affects Langflow versions up to (excluding) 1.8.2, and has been fixed in v1.9.0. 
It received a critical CVSS rating of 9.3 out of 10, owing to its \u201cunauthenticated\u201d and simple exploitability, massive AI attack surface, and high impact.<\/p>\n<h2 class=\"wp-block-heading\" id=\"pace-of-exploit-raises-concerns\">Pace of exploit raises concerns<\/h2>\n<p>Exploitation activity was observed less than a day after the vulnerability became public, which, Sysdig noted, demonstrates threat actors quickly operationalizing new vulnerabilities (probably through automation).<\/p>\n<p>Attackers could build a working exploit just from the advisory description and quickly start scanning for flawed instances. \u201cExfiltrated information included keys and credentials, which provided access to connected databases and potential software supply chain compromise,\u201d Sysdig researchers said.<\/p>\n<p>With patch windows collapsing significantly, <a href=\"https:\/\/www.csoonline.com\/article\/4145127\/runtime-the-new-frontier-of-ai-agent-security.html\">runtime detection<\/a> remains the primary, and only, option, Sysdig noted. \u201cEvery attacker in this campaign followed the same post-exploitation playbook: execute a shell command via Python\u2019s os.popen(), then exfiltrate the output over HTTP,\u201d it said, adding that runtime rules can detect these attempts.<\/p>\n<p>Runtime detection helps by working on \u201cday zero,\u201d the researchers explained. \u201cThese rules do not require a signature for CVE-2026-33017 specifically because they detect the exploitation behavior, not the vulnerability. 
The same rules would fire regardless of whether the initial access came through CVE-2026-33017, CVE-2025-3248, or any other RCE in an application.\u201d<\/p>\n<p>Sysdig also shared a list of indicators of compromise (IOCs), including attacker source IPs, detected C2 and staging infrastructure, dropper URLs, and <a href=\"https:\/\/docs.projectdiscovery.io\/opensource\/interactsh\/overview\" target=\"_blank\" rel=\"noreferrer noopener\">interactsh<\/a> callback domains. It recommends immediately upgrading to patched versions, restricting exposure, and monitoring for anomalous activity, emphasizing that exposed instances should be treated as potentially compromised.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Attackers have exploited a critical Langflow RCE within hours of disclosure, prompting the US Cybersecurity and Infrastructure Security Agency (CISA) to formally flag it for urgent remediation. The flaw, which allows running arbitrary code on vulnerable Langflow instances without credentials, was weaponized within 20 hours of the open-source AI-pipeline tool\u00a0disclosing\u00a0it. 
According to a Sysdig report, crooks started hitting a fleet of honeypot nodes with vulnerable&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=16013\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-16013","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16013","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=16013"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16013\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=16013"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=16013"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=16013"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}