Security Breach: Hackers Exploit New Langflow Flaw to Hijack AI Workflows

CISA Warns of Active Exploitation of Critical Langflow Vulnerability

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding the active exploitation of a critical vulnerability known as CVE-2026-33017. This vulnerability affects the Langflow framework, which is used for constructing AI agents.

Scoring a 9.3 out of 10 in terms of severity, the security issue allows for remote code execution, enabling malicious actors to create public flows without authentication.

CISA has classified this vulnerability as a code injection flaw and has included it in the list of Known Exploited Vulnerabilities.

According to researchers at Endor Labs, hackers began exploiting CVE-2026-33017 shortly after the vulnerability advisory was made public on March 19. Despite the absence of a public proof-of-concept exploit code, attackers were able to craft exploits based on the information provided in the advisory.

The exploitation timeline reveals that automated scanning commenced within 20 hours, followed by exploitation through Python scripts in 21 hours, and data harvesting (including .env and .db files) in 24 hours.

Langflow, a widely-used open-source visual framework for creating AI workflows with a substantial following on GitHub, offers a user-friendly interface for building executable pipelines.

In May 2025, CISA issued another alert regarding active exploitation in Langflow, this time targeting CVE-2025-3248, which exposes a critical API endpoint flaw facilitating unauthenticated remote code execution.

The most recent vulnerability, CVE-2026-33017, allows attackers to execute arbitrary Python code on versions 1.8.1 and earlier of Langflow. This flaw can be exploited through a carefully crafted HTTP request due to unsandboxed flow execution.

CISA has set a deadline of April 8 for federal agencies to apply security updates or mitigations for CVE-2026-33017. System administrators are advised to upgrade to Langflow version 1.9.0 or later to address the security issue.

Endor Labs recommends not exposing Langflow directly to the internet, monitoring outbound traffic, and rotating API keys, database credentials, and cloud secrets in case of suspicious activity.

While CISA’s deadline primarily applies to organizations covered by Binding Operational Directive (BOD) 22-01, other entities are encouraged to adhere to it as a best practice.

Discover insights on evolving malware threats in the Red Report 2026. Learn how new malicious techniques evade detection and enhance your security posture.

Access our analysis of 1.1 million malicious samples to uncover key trends and fortify your defenses.

Download The Report