Threat actors began exploiting a critical Langflow vulnerability roughly 20 hours after public disclosure, according to Sysdig. The flaw, CVE-2026-33017, carries a CVSS score of 9.3 and enables unauthenticated remote code execution via a flawed POST endpoint. Langflow version 1.8.1, released on March 17, 2026, included patches for this issue, which allows attackers to supply Python code through flow node definitions that then runs on the server without sandboxing.
Sysdig notes that a single HTTP request can trigger the bug, and exploitation started within hours of public disclosure. Within 48 hours of the vulnerability being disclosed, six unique source IPs were observed attempting exploitation, with mass scans initially from four IPs and later active reconnaissance from different addresses. The attackers have been seen using the compromised access to steal keys and credentials needed to reach connected databases, potentially enabling supply chain attacks.
Data exfiltration was observed during the third phase, with payloads sent to a common command-and-control server, suggesting a single operator may be using multiple proxies or infrastructure. According to SecurityWeek, the advisory provided detail sufficient for attackers to construct a working exploit without additional research.