If you’re running Langflow — the popular open-source tool for building AI agent workflows and RAG pipelines — you need to patch it now.
On March 17, 2026, security researchers disclosed CVE-2026-33017, a critical vulnerability (CVSS 9.3) in Langflow that allows an attacker to take full control of the server with a single unauthenticated HTTP request. The Cybersecurity and Infrastructure Security Agency (CISA) has added it to its Known Exploited Vulnerabilities catalog, and federal agencies have until April 8 to patch or stop using the product.
What the Vulnerability Does
The flaw lives in a public-facing API endpoint — POST /api/v1/build_public_tmp/{flow_id}/flow — designed to let users build shareable flows. The problem: the endpoint accepts arbitrary Python code in node definitions and executes it server-side with no sandboxing, no authentication, and no guardrails.
That means anyone who can reach the endpoint over the internet can run arbitrary code on your server in a single request.
Security researchers at Sysdig observed the first exploitation attempts within 20 hours of the advisory going public — before any public proof-of-concept code existed. Attackers reverse-engineered the vulnerability from the advisory itself and started scanning. Within 24 hours, they were targeting .env and .db files to harvest API keys, database credentials, and cloud secrets.
The attack pattern is automated and systematic. Tools like nuclei were scanning for vulnerable instances within the first hour after discovery. Custom exploitation followed. Data harvesting came last.
The vulnerability affects all versions of Langflow prior to 1.9.0.
Why This Matters for AI Businesses
Langflow is widely used because it makes it easy to build visual AI agent workflows and connect models to data. That’s also exactly what makes this vulnerability dangerous.
A typical Langflow deployment holds keys to your OpenAI account, your Anthropic API, your vector database, your CRM or data warehouse connections — sometimes everything the AI agents need to operate. Compromising one Langflow instance can mean compromising all of it.
CISA’s decision to add CVE-2026-33017 to the KEV catalog is significant. That list is reserved for vulnerabilities with confirmed, active exploitation in the wild — not theoretical risks. This is a real attack happening right now.
What To Do Immediately
If you run Langflow, do these things today:
-
Upgrade to Langflow 1.9.0 or later. This is the patched version. Run it.
-
Do not expose Langflow directly to the internet. It should be behind a VPN or internal network boundary. If it’s public-facing, that’s your immediate problem.
-
Rotate all credentials. Assume any API keys, database passwords, or cloud secrets stored in or accessible through your Langflow instance may be compromised. Rotate them all — OpenAI keys, Anthropic keys, AWS access keys, database connections. Don’t wait to investigate first; rotate and investigate simultaneously.
-
Audit outbound traffic. Look for unexpected connections from the Langflow server in the 24-48 hours after March 17. Attackers harvested data methodically.
-
If you can’t patch immediately, take it offline. CISA is explicit: if mitigation isn’t possible, stop using the product until you can apply the fix.
The Bigger Picture: AI Tool Security Is Lagging
This isn’t the first Langflow vulnerability — the platform was previously exploited through the same exec() call pattern, earning the headline “Langflow Got Hacked Twice Through the Same exec() Call.”
That’s a pattern worth noting. The AI tooling ecosystem has grown faster than its security practices. Tools that were built to make AI accessible quickly have sometimes cut corners on hardening. And attackers have noticed.
The consequences of a compromised AI pipeline aren’t just data loss. If agents have write access — to databases, communication systems, external APIs — an attacker who takes over the pipeline can take over the agents. That’s a different category of risk than a typical server compromise.
For Businesses Evaluating AI Infrastructure
The Langflow incident is a useful lens for evaluating any open-source AI tooling you deploy:
Where does it run? Tools running on internal networks with no public exposure have dramatically lower risk profiles than internet-facing deployments.
What credentials does it hold? Any tool that aggregates access to multiple systems is a high-value target. Minimize what secrets are stored in the tool itself — use secrets managers, rotate frequently.
Is it maintained? Langflow has active maintainers and issued a patch within days of disclosure. Many AI tools in the ecosystem don’t have that. Check the project’s responsiveness to past vulnerabilities before deploying.
Does your team know about it? The biggest exposure often comes from shadow IT — developers who deployed Langflow for a project and didn’t tell the security team. Audit what’s running.
Enterprise DNA put together a free field guide on exactly this: the full Claude ecosystem, Claude Code, and how to roll agents out without breaking things. Get the guide.
Source
BleepingComputer
Free Resource
Going deeper with Claude?
Get the free 32-page implementation guide for ANZ teams.
Your guide is ready
Check your downloads folder. If it did not open automatically, use the button below.
Download the Guide