Langflow RCE Vulnerability Exploited to Mine Monero Crypto
A critical unauthenticated remote code execution (RCE) vulnerability in Langflow, tracked as CVE-2026-33017, is being actively exploited in a targeted cryptocurrency-mining campaign.
Documented by Trend Micro’s TrendAI Research, the flaw carries a CVSS v4.0 score of 9.3 and affects all Langflow versions prior to 1.9.0, with in-the-wild exploitation observed within just 20 hours of public disclosure.
The flaw resides in the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint, which accepts an attacker-controlled code field and evaluates it directly as Python within the server’s process context, with no authentication required.
Compounding the exposure, Langflow ships with AUTO_LOGIN enabled by default, granting any unauthenticated visitor a superuser token and the ability to create a public flow on demand.

This marks the second time in under a year that Langflow has shipped a vulnerability in this class. The first, CVE-2025-3248, was exploited by the Flodrix DDoS botnet in June 2025 using an identical code-injection primitive.
The entire compromise begins with a single injected Python line that fetches and executes a remote bash dropper, isp.sh.
The dropper creates a hidden persistence directory at /var/tmp/.xlamb/, downloads the primary malware binary lambsys.elf, and launches it silently in the background.
Notably, the dropper doubles as an SSH-key-reuse worm, enumerating ~/.ssh/known_hosts and agent sockets to propagate laterally via SCP push delivery, reaching even hosts with no direct internet access.
The core payload is a UPX-packed Go binary whose earliest known variant dates to May 2024, predating this campaign by 22 months. The 2026 build is 48% smaller than its predecessor, with its VirusTotal detection rate dropping from 31/66 to just 4/66, reflecting active evasion engineering by the threat operator.
Upon execution, lambsys.elf terminates 39 rival cryptominer processes, including Kinsing, WatchDog, and Outlaw variants, and kills processes bound to 13 common mining pool ports.
It then dismantles host defenses by disabling AppArmor, SELinux, UFW, iptables, the kernel NMI watchdog, and Alibaba Cloud’s Aliyun agent, signaling deliberate targeting of cloud-hosted AI infrastructure.
Log deletion via /var/log/syslog removal and dual persistence through a five-minute cron job and a one-minute watchdog loop complete the post-exploitation setup.
The binary ultimately deploys a customized XMRig build named procq, hidden in a triple-dot-space directory designed to evade casual ls inspection.
The miner connects over TCP/3333, using a spoofed user-agent (SystemMonitor/6.25.0) and performs geo-gating via ipinfo.io to exclude victims in the operator’s own jurisdiction.
Indicators of Compromise (IOCs)
| Indicator | Type | Description |
|---|---|---|
| 83[.]142[.]209[.]214 | IP Address | C2 server / payload staging host |
| hxxp[://]83[.]142[.]209[.]214:8080/isp.sh | URL | Bash dropper delivery URL |
| 46096a72d84db5f1dafd944fcf6571c8 | MD5 | ks.tar — XMRig miner archive |
| 0ee284cc-0eb1-493f-bc60-94fa8d1cfd18 | UUID | Hardcoded Langflow flow_id |
| /var/tmp/.xlamb/ | File Path | Hidden malware persistence directory |
| 71af8bd9… | SHA256 | lambsys.elf — core malware binary |
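As an added defender-side example (not code from Trend Micro or the Langflow project), the following Python host-triage routine checks a snapshot of host state against the indicators and post-exploitation behaviours described above: the /var/tmp/.xlamb/ directory, the lambsys.elf, procq and isp.sh file names, the triple-dot-space directory, a cron entry pointing at the persistence directory, a missing /var/log/syslog, outbound TCP/3333 and the C2 address, and the SystemMonitor/6.25.0 user-agent. The HostSnapshot structure, the placement of the hidden directory under /tmp in the sample, and all sample data are constructed for this example; a real run would populate the snapshot from find, ps, crontab -l, ss and egress proxy logs.

```python
"""Host triage against the lambsys/procq indicators listed in the article.

Added example; the snapshot layout and the sample data below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Indicators from the article (defanged values re-armed for matching)
C2_IP = "83.142.209.214"
PERSIST_DIR = "/var/tmp/.xlamb"
MALWARE_NAMES = ("lambsys.elf", "procq", "isp.sh")
MINER_PORT = 3333
SPOOFED_UA = "SystemMonitor/6.25.0"
# A path component consisting of three dots followed by a space
HIDDEN_DIR_RE = re.compile(r"(^|/)\.\.\. (/|$)")


@dataclass
class HostSnapshot:
    """Point-in-time host state (assumed layout; fill from find/ps/crontab/ss)."""
    paths: List[str] = field(default_factory=list)                    # existing filesystem paths
    syslog_present: bool = True                                        # does /var/log/syslog exist?
    processes: List[Tuple[int, str]] = field(default_factory=list)     # (pid, cmdline)
    crontab: str = ""                                                  # concatenated crontab text
    connections: List[Tuple[str, int]] = field(default_factory=list)   # (remote_ip, remote_port)
    http_user_agents: List[str] = field(default_factory=list)          # UAs seen at the egress proxy


def check_filesystem(paths, syslog_present):
    hits = []
    for p in paths:
        if p.rstrip("/") == PERSIST_DIR or p.startswith(PERSIST_DIR + "/"):
            hits.append(f"persistence directory present: {p}")
        if HIDDEN_DIR_RE.search(p):
            hits.append(f"triple-dot-space hidden directory: {p!r}")
        if p.rsplit("/", 1)[-1] in MALWARE_NAMES:
            hits.append(f"known malware file name: {p}")
    if not syslog_present:
        hits.append("/var/log/syslog missing (weak signal: log deletion)")
    return hits


def check_processes(processes):
    return [f"pid {pid}: {cmd}" for pid, cmd in processes
            if any(name in cmd for name in MALWARE_NAMES)]


def check_crontab(text):
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if PERSIST_DIR in line or any(n in line for n in MALWARE_NAMES):
            hits.append(f"cron entry: {line}")
    return hits


def check_network(connections, user_agents):
    hits = [f"connection to C2 {ip}:{port}" for ip, port in connections if ip == C2_IP]
    hits += [f"outbound TCP/{port} to {ip} (common mining pool port)"
             for ip, port in connections if port == MINER_PORT and ip != C2_IP]
    hits += [f"spoofed user-agent at egress: {ua}" for ua in user_agents if ua == SPOOFED_UA]
    return hits


def triage(snapshot):
    """Return every indicator hit found in the snapshot, in check order."""
    return (check_filesystem(snapshot.paths, snapshot.syslog_present)
            + check_processes(snapshot.processes)
            + check_crontab(snapshot.crontab)
            + check_network(snapshot.connections, snapshot.http_user_agents))


def needs_ssh_rotation(findings):
    """Any lambsys artifact means the SSH-key-reuse worm may have run from this host."""
    return any("lambsys" in f or PERSIST_DIR in f for f in findings)


# Constructed sample of a compromised host (not captured data)
SAMPLE_SNAPSHOT = HostSnapshot(
    paths=["/var/tmp/.xlamb/", "/var/tmp/.xlamb/lambsys.elf",
           "/tmp/... /procq", "/usr/bin/python3"],
    syslog_present=False,
    processes=[(1, "/sbin/init"), (1234, "/tmp/... /procq -o pool:3333")],
    crontab="# m h dom mon dow command\n*/5 * * * * /var/tmp/.xlamb/lambsys.elf >/dev/null 2>&1\n",
    connections=[("83.142.209.214", 3333), ("10.0.0.5", 443), ("198.51.100.7", 3333)],
    http_user_agents=["Mozilla/5.0", "SystemMonitor/6.25.0"],
)

if __name__ == "__main__":
    for finding in triage(SAMPLE_SNAPSHOT):
        print(finding)
    print("rotate SSH keys:", needs_ssh_rotation(triage(SAMPLE_SNAPSHOT)))
```

The checks are deliberately independent so a partially populated snapshot (for example, process and network data only) still yields useful results; needs_ssh_rotation encodes the article's point that a lambsys hit is a key-exposure incident rather than a single-host compromise.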
Mitigation
Organizations running Langflow should take immediate action:
- Upgrade to Langflow version 1.9.0 or later
- Restrict public internet access to all Langflow instances
- Set AUTO_LOGIN=false in environment configuration
- Audit whether the service runs under a privileged account
- Enforce the Spamhaus DROP blocklist at the egress firewall to silently block all C2 beacons
Any discovery of lambsys artifacts must be treated as a full SSH key exposure incident, not a single-host compromise. All SSH keys should be rotated immediately, and every SSH-reachable connected system must be investigated for signs of lateral movement.