CISA warns that CVE-2026-33017, a critical code injection vulnerability in the Langflow AI-agent framework, is being actively exploited for unauthenticated remote code execution that can build public flows. Endor Labs observed exploitation beginning about 20 hours after disclosure with rapid scanning, Python-based attacks, and data harvesting; agencies are urged to upgrade to Langflow 1.9.0 or disable the vulnerable endpoint. #CVE-2026-33017 #Langflow
Keypoints
- CVE-2026-33017 is a critical (9.3) code injection vulnerability in Langflow allowing arbitrary Python execution via a single crafted HTTP request.
- CISA added the flaw to its Known Exploited Vulnerabilities list and ordered federal agencies to patch or mitigate by April 8.
- Endor Labs reported attackers began automated scanning ~20 hours after the advisory, with exploitation and data (.env, .db) harvesting following within 24 hours.
- Langflow versions 1.8.1 and earlier are affected; administrators should upgrade to 1.9.0 or disable/restrict the vulnerable endpoint and avoid exposing Langflow to the internet.
- Langflowβs widespread use and a prior CVE-2025-3248 RCE advisory increase its attractiveness to attackers, so rotate credentials and monitor outbound traffic when incidents are suspected.