Critical RCE in Langflow AI Workflow Framework (CVE‑2026‑33017) Actively Exploited to Hijack AI Pipelines
What It Is – A code‑injection flaw (CVE‑2026‑33017) in the open‑source Langflow framework allows unauthenticated attackers to execute arbitrary Python code on the host system. The vulnerability is rated CVSS 9.3 (Critical) and enables the creation of public AI flows without any authentication.
Exploitability – CISA has placed the issue on its Known Exploited Vulnerabilities list. Exploitation began within 20 hours of the advisory’s public release, with automated scanning and Python‑based payloads observed in the wild. No public PoC was released, but attackers built exploits directly from the advisory details.
Affected Products – Langflow 1.8.1 and earlier (open‑source visual AI workflow builder). The flaw is triggered via a single crafted HTTP request to the unsandboxed flow‑execution endpoint.
TPRM Impact – Organizations that embed Langflow in internal AI pipelines or expose its REST API to external users face a supply‑chain risk: attackers can harvest environment files (.env), database dumps (.db), and potentially pivot to other services. The wide adoption of Langflow across SaaS, cloud‑native, and data‑science environments amplifies the threat surface.
Recommended Actions –
- Upgrade all Langflow deployments to version 1.9.0 or later immediately.
- If upgrade is not feasible, disable or strictly restrict the vulnerable endpoint (e.g., firewall, API gateway).
- Do not expose Langflow directly to the Internet; enforce network segmentation.
- Rotate API keys, database credentials, and any cloud secrets stored in .env files.
- Enable outbound traffic monitoring for unexpected Python execution or data exfiltration.
- Apply the same mitigations to any third‑party services that embed Langflow as a component.
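An added example (not from the advisory or the Langflow project) that applies two of the actions above: it triages a deployment inventory against the 1.9.0 fix line and lists which .env entry names look like credentials to rotate. The inventory, the sample .env content, the status labels and the name-matching heuristic are assumptions constructed for illustration; the summary does not say how 1.9.0 pre-release builds are affected, so those are flagged for manual verification.

```python
import re

FIXED = (1, 9, 0)  # first fixed release per the summary above
PRERELEASE = re.compile(r"[.\-_]?(a|b|rc|dev|alpha|beta)", re.I)
SECRET_HINT = re.compile(r"KEY|TOKEN|SECRET|PASSWORD|PASSWD|CREDENTIAL|DATABASE_URL", re.I)

def triage(version, internet_exposed):
    """Classify one deployment; status labels are this example's own."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?(.*)$", version)
    if not m:
        return "unknown"  # unparseable: treat as vulnerable until confirmed
    # Compare as integers so that 1.10.0 sorts after 1.9.0.
    release = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    if release < FIXED:
        return "vulnerable-exposed" if internet_exposed else "vulnerable"
    if release == FIXED and PRERELEASE.match(m.group(4)):
        return "verify-build"  # pre-release of the fix line: check manually
    return "patched"

def env_keys_to_rotate(env_text):
    """Return names (never values) of .env entries that look like credentials."""
    keys = []
    for line in env_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name = re.sub(r"^export\s+", "", line.split("=", 1)[0]).strip()
        if SECRET_HINT.search(name):
            keys.append(name)
    return keys

INVENTORY = [  # constructed sample data: (host, langflow version, internet-exposed)
    ("flow-dev", "1.8.1", False),
    ("flow-api", "1.7.3", True),
    ("flow-new", "1.10.0", True),
    ("flow-rc", "1.9.0rc1", False),
    ("flow-odd", "custom-build", True),
]
SAMPLE_ENV = """# constructed sample .env content
OPENAI_API_KEY=sk-example
export DATABASE_URL=postgres://user:pw@db/app
APP_PORT=7860
AWS_SECRET_ACCESS_KEY=example
"""

if __name__ == "__main__":
    for host, version, exposed in INVENTORY:
        print(f"{host:10} {version:14} {triage(version, exposed)}")
    print("rotate:", ", ".join(env_keys_to_rotate(SAMPLE_ENV)))
```

Hosts reported as vulnerable-exposed go first for upgrade or endpoint restriction, and the credentials in their .env files should be treated as already harvested.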
Source: BleepingComputer – CISA: New Langflow flaw actively exploited to hijack AI workflows