CISA: New Langflow flaw actively exploited to hijack AI workflows

The Cybersecurity and Infrastructure Security Agency (CISA) is warning that hackers are actively exploiting a critical vulnerability identified as CVE-2026-33017, which affects the Langflow framework for building AI agents.

The security issue received a critical score of 9.3 out of 10 and can be leveraged for remote code execution, allowing threat actors to build public flows without authentication.

The agency added the issue to the list of Known Exploited Vulnerabilities, describing it as a code injection vulnerability.

Researchers at application security company Endor Labs claim that hackers started exploiting CVE-2026-33017 on March 19, about 20 hours after the vulnerability advisory became public.

No public proof-of-concept (PoC) exploit code existed at the time, and Endor Labs believes that attackers built exploits directly from the information included in the advisory.

Automated scanning activity began in 20 hours, followed by exploitation using Python scripts in 21 hours, and data (.env and .db files) harvesting in 24 hours.

Langflow is a popular open-source visual framework for building AI workflows with 145,000 stars on GitHub. It provides a drag-and-drop interface for connecting nodes into executable pipelines, along with a REST API for running them programmatically.

The tool has widespread adoption across the AI development ecosystem, making it an attractive target for hackers.

In May 2025, CISA issued another warning about active exploitation in Langflow, targeting CVE-2025-3248, a critical API endpoint flaw that allows unauthenticated RCE and potentially leads to full server control.

The most recent flaw, CVE-2026-33017, lets attackers execute arbitrary Python code impacts versions 1.8.1 and earlier of Langflow, and could be exploited via a single crafted HTTP request due to unsandboxed flow execution.

CISA did not mark the flaw as exploited by ransomware actors, but gave federal agencies until April 8 to apply the security updates or mitigations, or stop using the product.

System administrators are recommended to upgrade to Langflow version 1.9.0 or later, which addresses the security problem, or disable/restrict the vulnerable endpoint.

Endor Labs also advised not to expose Langflow directly to the internet, to monitor outbound traffic, and to rotate API keys, database credentials, and cloud secrets when suspicious activity is detected.

CISA’s deadline formally applies to organizations covered by Binding Operational Directive (BOD) 22-01, but private sector companies, state and local governments, and other non-FCEB entities are also advised to treat it as a benchmark and respond accordingly.