Critical RCE in Langflow (CVE‑2026‑33017) & Trivy Supply‑Chain Compromise (CVE‑2026‑33634) Threaten AI Workflows and Container Scanning
What It Is – Two high‑severity vulnerabilities were added to CISA’s Known Exploited Vulnerabilities catalog. CVE‑2026‑33017 is a critical unauthenticated remote‑code‑execution flaw in Langflow 1.8.2 and earlier. CVE‑2026‑33634 is a malicious‑code injection in Aqua Security’s Trivy scanner that enables a supply‑chain compromise.
Exploitability – Langflow’s flaw was weaponised within 20 hours of advisory publication; attackers built exploits without a public PoC and began scanning the Internet. Trivy’s backdoor was observed in the wild on March 19 2026, attributed to the TeamPCP threat group. Both are actively exploited.
Affected Products – Langflow (open‑source AI‑agent framework, ≤ v1.8.2). Aqua Security Trivy (container image scanner, all versions containing the malicious payload).
TPRM Impact –
- Credential theft from compromised Langflow instances can cascade to downstream databases and SaaS services.
- Trivy’s supply‑chain breach can inject malicious code into any CI/CD pipeline that relies on its scanning results, affecting downstream applications and customers.
Recommended Actions –
- Prioritise patching Langflow to ≥ v1.8.3 and apply the Trivy remediation released by Aqua Security.
- Conduct immediate inventory of all third‑party services that consume Langflow APIs or Trivy scan results.
- Deploy network segmentation and runtime detection to limit lateral movement from compromised instances.
- Review and rotate any credentials or API keys exposed in logs or environment variables.
- Update incident‑response playbooks to include rapid‑patch windows for zero‑day disclosures.
Source: Help Net Security