www.darkreading.com 3/26/2026, 7:50:57 PM

Critical Flaw in Langflow AI Platform Under Attack

CyberSIXT evidence panel: listed in CISA KEV; patch available.

A critical vulnerability in Langflow, an open source framework for building AI agents, was exploited in the wild within hours of its disclosure on 17 March. The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-33017, a code injection flaw rated CVSS 9.8, to its Known Exploited Vulnerabilities (KEV) catalogue after reports of active exploitation emerged.

Sysdig researchers said exploitation attempts were observed less than 24 hours after the advisory, and that attackers built working exploits even though no public proof of concept existed. The flaw lies in the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint, which lets unauthenticated users create public flows: if the request supplies the optional data parameter, its contents are passed to Python's exec() with no sandboxing, giving arbitrary code execution on the Langflow host.

Langflow 1.9.0 fixes the vulnerability, and users are urged to upgrade promptly: researchers warned that a successful exploit lets attackers extract sensitive data and potentially move laterally to services the Langflow instance is connected to.
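Two checks a defender would want from the paragraphs above, as an added example that is not code from the article, from Sysdig or from the Langflow project: a version test against the fixed release (1.9.0) and a scan of HTTP access logs for POST requests to the affected endpoint. The log format, the sample log lines, the IP addresses and the flow IDs are all constructed for this example; a real deployment (uvicorn behind nginx or a cloud load balancer) will need its own log pattern. Treating a 1.9.0 pre-release tag as not yet fixed is a conservative assumption made here, not a statement from the advisory.

```python
import re
from typing import Dict, Iterable, List

# Constructed access-log shape for this example: "<ip> <method> <path> <status> <bytes>".
# Real logs differ; only LOG_RE should need changing to adapt the scan.
LOG_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)

# The endpoint named in the advisory; {flow_id} is a single path segment, query string optional.
PATH_RE = re.compile(r"^/api/v1/build_public_tmp/(?P<flow_id>[^/?]+)/flow(?:\?.*)?$")

FIXED_VERSION = (1, 9, 0)  # first release reported to fix CVE-2026-33017


def is_vulnerable_version(version: str) -> bool:
    """True if a Langflow version string is below the fixed release.

    Accepts "1.8.1", "v1.9.0", "1.9.0rc1" and similar. A pre-release of 1.9.0
    (anything with a suffix after the three numbers) is treated as not yet fixed;
    that is a conservative assumption for this example, not an advisory statement.
    """
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)(.*)$", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    core = tuple(int(x) for x in m.groups()[:3])
    suffix = m.group(4)
    if core < FIXED_VERSION:
        return True
    return core == FIXED_VERSION and bool(suffix)


def suspicious_requests(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return every POST to the build_public_tmp flow endpoint.

    On an unpatched instance the endpoint is reachable without authentication, so
    each hit deserves review. The HTTP status helps triage: a 2xx means the server
    accepted and processed the request body, a 4xx/5xx means it was rejected or failed.
    """
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m or m["method"] != "POST":
            continue
        p = PATH_RE.match(m["path"])
        if not p:
            continue
        hits.append({
            "ip": m["ip"],
            "flow_id": p["flow_id"],
            "status": m["status"],
            "bytes": int(m["bytes"]),
            "accepted": m["status"].startswith("2"),
        })
    return hits


# Constructed sample log: two POSTs to the affected endpoint among ordinary traffic.
SAMPLE_LOG = [
    "10.0.0.5 GET /api/v1/flows 200 512",
    "203.0.113.7 POST /api/v1/build_public_tmp/5f1c2b3a/flow 200 87",
    "10.0.0.8 POST /api/v1/login 200 40",
    "198.51.100.9 POST /api/v1/build_public_tmp/abc-123/flow?stream=false 500 0",
    "203.0.113.7 GET /api/v1/build_public_tmp/abc-123/flow 404 0",
]

if __name__ == "__main__":
    for v in ("1.8.1", "1.9.0rc1", "1.9.0", "1.10.2"):
        print(f"{v:>10}: {'VULNERABLE' if is_vulnerable_version(v) else 'fixed'}")
    for h in suspicious_requests(SAMPLE_LOG):
        flag = "ACCEPTED" if h["accepted"] else "rejected"
        print(f"{h['ip']} -> flow {h['flow_id']} status {h['status']} ({flag})")
```

The scan flags every POST to the endpoint rather than trying to guess from the log alone whether the data parameter was present, because access logs do not record request bodies; on an instance still below 1.9.0, any such request from an address that should not be creating flows is the thing to investigate.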


Article by CyberSIXT