CISA Adds Critical Langflow RCE Flaw to Known Exploited Vulnerabilities Catalog
The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-33017, a critical unauthenticated remote code execution vulnerability in the Langflow AI agent framework, to its Known Exploited Vulnerabilities (KEV) catalog. The move signals active, in-the-wild exploitation and carries a binding directive for U.S. federal civilian executive branch (FCEB) agencies to remediate within a defined window.
Langflow, an open-source platform for building AI pipelines and agent workflows, is widely deployed by organizations integrating large language models into business processes. The vulnerability was first publicly disclosed in March 2026 and was observed being weaponized within hours of disclosure — with CISA's KEV addition confirming continued active exploitation.
Vulnerability Details
| Attribute | Value |
|---|---|
| CVE | CVE-2026-33017 |
| CVSS Score | 9.3 (Critical) |
| Type | Missing Authentication + Code Injection → RCE |
| Affected Versions | Langflow ≤ 1.8.1 |
| Attack Complexity | Low |
| Exploitation | Active — added to CISA KEV catalog |
| Privileges Required | None |
| User Interaction | None |
The flaw resides in Langflow's /api/v1/build_public_tmp/{flow_id}/flow endpoint, which was designed to allow unauthenticated users to build and test public flows. Due to missing input validation, the endpoint accepts attacker-supplied flow definitions containing arbitrary Python code embedded in node objects. This code is executed server-side without sandboxing, providing an unauthenticated attacker with full remote code execution on the Langflow server.
Why CISA Is Warning Now
CISA's addition to the KEV catalog comes weeks after the initial disclosure. Security researchers observed the vulnerability being exploited within 20 hours of its public announcement — long before many organizations completed patching cycles. Since then, threat actors have been actively scanning for unpatched Langflow instances exposed to the internet.
Post-exploitation activity observed in the wild includes:
- API key theft: Extraction of AI provider API keys (OpenAI, Anthropic, etc.) from environment variables
- Database credential harvesting: Database connection strings and passwords from `.env` files
- Supply chain compromise attempts: Manipulation of AI pipeline flows to inject malicious behavior into downstream applications
- Lateral movement: Use of harvested credentials to access connected data stores and internal services
Scope of Exposure
Langflow is commonly deployed in:
- Enterprise AI development environments
- LLM application prototype platforms
- Automated business process integrations
- Research and data science pipelines
Organizations running publicly accessible Langflow instances on the default port without authentication enforcement are at highest risk. CISA has urged all organizations — not just federal agencies — to treat this as a priority remediation.
Remediation Guidance
Immediate Actions
1. Update to the latest Langflow version (patched release post-1.8.1):

```bash
pip install --upgrade langflow
```

2. Audit your deployment for compromise indicators:

```bash
# Check environment variables potentially exposed
# Review application logs for unusual POST activity to the build endpoint
# (prints a request count per source IP, busiest first)
grep "build_public_tmp" /var/log/langflow/access.log | \
  awk '{print $1}' | sort | uniq -c | sort -rn
```

3. Rotate all credentials and API keys on any Langflow instance that was publicly accessible:
- Regenerate all LLM provider API keys (OpenAI, Anthropic, Cohere, etc.)
- Rotate database passwords and connection strings
- Rotate any other secrets referenced in Langflow flows or environment configuration
4. Restrict network access:

```nginx
# Only allow trusted internal networks to reach Langflow
# Block public access via reverse proxy
location /api/v1/build_public_tmp {
    allow 10.0.0.0/8;
    allow 172.16.0.0/12;
    deny all;
    # proxy_pass is not inherited from other location blocks:
    # repeat the site's existing proxy_pass to Langflow here.
}
```

5. Enable authentication on all endpoints:
Langflow's configuration should enforce authentication globally. Ensure no endpoints are accessible without valid credentials, and disable the public flow build feature if not required.
Detection
Security teams should monitor for:
```
# Suspicious patterns in Langflow access logs
POST /api/v1/build_public_tmp/*/flow   # Unauthenticated build endpoint access
```
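An added example (not from the original article or the Langflow project) that extends the grep/awk audit and the detection pattern above: it keeps only POSTs to the build endpoint from sources outside the trusted ranges and tallies response statuses per source. It assumes the access log is in combined log format, as a reverse proxy would write it; the function names and sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Endpoint named in the advisory: /api/v1/build_public_tmp/{flow_id}/flow
BUILD_PATH = re.compile(r"^/api/v1/build_public_tmp/[^/?#]+/flow(?:\?.*)?$")
# Assumption: combined log format, as written by a reverse proxy.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Same trusted ranges as the reverse-proxy allow list in the remediation steps.
TRUSTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12")]


def is_trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparseable client field: treat as untrusted
    return any(addr in net for net in TRUSTED)


def find_build_posts(lines):
    """Map untrusted source IP -> Counter of HTTP statuses for build-endpoint POSTs."""
    hits = {}
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m["method"] != "POST" or not BUILD_PATH.match(m["path"]):
            continue
        if not is_trusted(m["ip"]):
            hits.setdefault(m["ip"], Counter())[m["status"]] += 1
    return hits


# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE = [
    '203.0.113.7 - - [01/Apr/2026:10:01:02 +0000] "POST /api/v1/build_public_tmp/f1/flow HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Apr/2026:10:01:05 +0000] "POST /api/v1/build_public_tmp/f1/flow HTTP/1.1" 200 498',
    '198.51.100.23 - - [01/Apr/2026:10:02:11 +0000] "POST /api/v1/build_public_tmp/f2/flow HTTP/1.1" 403 153',
    '10.1.2.3 - - [01/Apr/2026:10:03:00 +0000] "POST /api/v1/build_public_tmp/f1/flow HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Apr/2026:10:04:00 +0000] "GET / HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for ip, statuses in find_build_posts(SAMPLE).items():
        # A 2xx status means the request was served, not blocked at the proxy.
        served = sum(n for s, n in statuses.items() if s.startswith("2"))
        print(f"{ip}: {sum(statuses.values())} POSTs, {served} served (2xx)")
```

Sources with served (2xx) requests warrant review first; 403 responses indicate the proxy restriction is working.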
Indicators of post-exploitation activity:
- Unexpected outbound connections from the Langflow host to external IPs
- New processes spawned by the Langflow Python process
- Modifications to `.env` files or credential stores
- Unusual activity in connected databases or API provider dashboards (rate limits, new API key usage)
CISA KEV Implications
Organizations subject to CISA's Binding Operational Directive 22-01 must remediate KEV entries within the specified timeframe. For this vulnerability, FCEB agencies face an enforcement deadline. Commercial organizations are strongly advised to treat this with equivalent urgency given the active exploitation observed and the sensitivity of AI infrastructure credentials.
Key Takeaways
- CISA has added CVE-2026-33017 to the KEV catalog, confirming active exploitation of the Langflow RCE flaw
- The vulnerability was first weaponized within 20 hours of disclosure and exploitation has continued
- Patch immediately: Update Langflow to the latest version and restrict the build API endpoint
- Rotate all secrets: Any publicly accessible Langflow instance should be assumed compromised — rotate all API keys and credentials
- AI infrastructure is a high-value target: Credential theft from AI pipeline platforms enables attackers to access expensive API quotas and sensitive training data
- The CISA KEV addition applies binding remediation deadlines for federal agencies and signals urgency for all organizations