Langflow Flaw Exploited in 20 Hours as Attackers Hit AI Pipelines
Critical bug turns AI workflow servers into easy targets
Attackers began exploiting CVE-2026-33017 just 20 hours after the Langflow advisory was published, according to Sysdig’s analysis of vulnerable honeypot instances. The flaw is an unauthenticated remote code execution issue in Langflow’s public flow build feature, allowing arbitrary Python execution on exposed servers with a single HTTP request and no login required.
Langflow is widely used to build AI agents and retrieval-augmented generation workflows through a visual interface and API. The vulnerable endpoint, POST /api/v1/build_public_tmp/{flow_id}/flow, accepts attacker-controlled flow data that can include Python code in node definitions. That code is then executed server-side without sandboxing. Sysdig notes that attackers were able to build working exploits directly from the advisory text, even though no public proof-of-concept repository was available at the time of the first observed attacks.
What attackers did first
During the first 48 hours after disclosure, Sysdig recorded exploit activity from six unique source IPs. The earliest wave looked like automated scanning. Multiple systems sent nearly identical payloads that executed id, base64-encoded the result, and exfiltrated it to callback infrastructure. The requests explicitly identified themselves as nuclei, showing how fast vulnerability scanning content was operationalized.
Post-compromise activity quickly escalated
After initial validation, attackers moved into post-exploitation. Sysdig observed file-system enumeration, targeted reads of .env files, and attempts to locate databases and configuration files. In one case, two different source IPs used the same exfiltration server at 143.110.183.86:8080, while a stage-two dropper was hosted on 173.212.205.251:8443, suggesting shared infrastructure or a single operator using multiple nodes.
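As an added example (not from Sysdig's write-up or the Langflow project), the following Python scans constructed combined-format access-log lines for POSTs to the build_public_tmp endpoint, flags requests whose user agent identifies as nuclei, and matches egress connections against the two hosts quoted above. The log lines, flow_id, timestamps and the nuclei user-agent string are constructed for the example.

```python
import re

# Vulnerable endpoint from the advisory; the flow_id segment is attacker-chosen, so match any value.
BUILD_PUBLIC_TMP = re.compile(r"^/api/v1/build_public_tmp/[^/]+/flow$")

# Exfiltration and dropper hosts quoted in Sysdig's write-up, used here as egress indicators.
KNOWN_INFRA = {("143.110.183.86", 8080), ("173.212.205.251", 8443)}

# Minimal parser for Apache/nginx combined log format.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample log (not real traffic): one benign GET, two hits on the vulnerable
# endpoint (one self-identifying as nuclei), and one POST to the authenticated build route.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2026:08:01:10 +0000] "GET /api/v1/flows HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2026:08:02:41 +0000] "POST /api/v1/build_public_tmp/3f2a9c1e-0000-4000-8000-000000000001/flow HTTP/1.1" 200 88 "-" "Nuclei - Open-source project (github.com/projectdiscovery/nuclei)"
203.0.113.9 - - [12/Mar/2026:08:03:02 +0000] "POST /api/v1/build_public_tmp/3f2a9c1e-0000-4000-8000-000000000001/flow HTTP/1.1" 200 88 "-" "python-requests/2.31"
10.0.0.7 - - [12/Mar/2026:08:04:15 +0000] "POST /api/v1/build/3f2a9c1e-0000-4000-8000-000000000001/flow HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return the parsed fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def flag_request(rec):
    """List the reasons one record looks like CVE-2026-33017 exploitation (empty if none)."""
    reasons = []
    path = rec["path"].split("?", 1)[0]
    if rec["method"] == "POST" and BUILD_PUBLIC_TMP.match(path):
        reasons.append("post_to_build_public_tmp")  # endpoint needs no login, so every hit is worth review
        if "nuclei" in rec["ua"].lower():
            reasons.append("nuclei_user_agent")
    return reasons

def scan_access_log(text):
    """Scan a whole log; return one dict per suspicious request with source, timestamp and reasons."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and (reasons := flag_request(rec)):
            hits.append({"src": rec["src"], "ts": rec["ts"], "status": rec["status"], "reasons": reasons})
    return hits

def flag_egress(connections):
    """connections: iterable of (dst_ip, dst_port) tuples; return those matching published infrastructure."""
    return [c for c in connections if c in KNOWN_INFRA]
```

A hit on the endpoint with status 200 from an unexpected source is the trigger to pull the request body and check for outbound connections from the Langflow host.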
Why Langflow is especially attractive
The appeal is straightforward. Sysdig says Langflow’s attack surface is large, exploitation is simple, and the endpoint is public by design. More importantly, Langflow deployments often contain API keys for OpenAI, Anthropic, AWS, and database backends, meaning one compromise can expose cloud accounts, data stores, and even software supply chain paths.
Bigger lesson for defenders
Sysdig ties this case to a broader trend. Its data says the median time to exploit has collapsed from 771 days in 2018 to just hours in 2024, while organizations still take about 20 days on average to deploy patches. In practice, that means runtime detection, network segmentation, and rapid response now matter as much as patching.
For AI infrastructure teams, the message is clear. Publicly exposed workflow platforms are now being treated like high-value targets the moment a critical bug becomes public.