On March 25, 2026, CISA added CVE-2026-33017 to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation of a critical remote code execution vulnerability in Langflow, the open-source AI workflow builder used for building LLM-powered applications.
The Vulnerability
CVE-2026-33017 (CVSS 9.3) is an unauthenticated code injection flaw in Langflow's public flow build endpoint. The endpoint accepts a data parameter containing arbitrary Python code in node definitions and passes it directly to a code execution function with no sandboxing. A single HTTP POST request with a malicious JSON payload achieves remote code execution with server-level privileges.
Security researcher Aviral Srivastava discovered and reported the vulnerability on February 26, 2026. The flaw was publicly disclosed on March 17.
20 Hours to Exploitation
According to the Sysdig Threat Research Team, exploitation attempts were observed within 20 hours of the public advisory — before any public proof-of-concept code existed. Attackers reverse-engineered working exploits directly from the advisory text.
This speed of exploitation underscores a consistent pattern in AI/ML infrastructure vulnerabilities: the attack surface is expanding faster than defensive tooling can track it.
Impact
Compromised Langflow instances can expose:
- API keys and credentials for AI providers (OpenAI, Anthropic, AWS)
- Database connection strings and vector store access
- Lateral movement opportunities to connected cloud accounts
- Supply chain risk if Langflow is used in production AI pipelines
Remediation
All Langflow versions through 1.8.1 are affected. Despite initial confusion, JFrog Security Research confirmed that version 1.8.2 is also vulnerable. Organisations must upgrade to version 1.9.0 or later, which removes the vulnerable data parameter entirely.
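The bug class described under "The Vulnerability" and the fix of dropping the data parameter can be seen side by side in the following added example. It is a simplified model written for this page, not Langflow's code: the handler names, the flow store and the fallback to a stored flow are assumptions, and the request body is a constructed sample whose node code is a harmless marker.

```python
# Simplified model of the bug class; all names are hypothetical, not Langflow's code.
STORED_FLOWS = {  # server-side flow definitions (constructed sample)
    "public-demo": {"nodes": [{"id": "n1", "code": "result = 'stored component ran'"}]},
}

def run_nodes(flow):
    """Execute each node's code and collect the 'result' variable it sets."""
    outputs = {}
    for node in flow["nodes"]:
        scope = {}
        exec(node["code"], scope)  # unsandboxed: acceptable only for trusted definitions
        outputs[node["id"]] = scope.get("result")
    return outputs

def build_public_vulnerable(flow_id, body):
    """Pre-fix pattern: a caller-supplied 'data' object replaces the stored flow."""
    flow = body.get("data") or STORED_FLOWS[flow_id]
    return run_nodes(flow)

def build_public_hardened(flow_id, body):
    """Post-fix pattern: no 'data' parameter; only the stored definition is built."""
    if "data" in body:
        raise ValueError("client-supplied flow definitions are not accepted")
    if flow_id not in STORED_FLOWS:
        raise KeyError("unknown flow")
    return run_nodes(STORED_FLOWS[flow_id])

# Constructed request body: the node code is a marker standing in for untrusted input.
UNTRUSTED_BODY = {"data": {"nodes": [{"id": "x", "code": "result = 'caller-supplied code ran'"}]}}

def demo():
    """Return (vulnerable result, hardened result for same body, hardened result without data)."""
    vulnerable = build_public_vulnerable("public-demo", UNTRUSTED_BODY)
    try:
        hardened = build_public_hardened("public-demo", UNTRUSTED_BODY)
    except ValueError as exc:
        hardened = f"rejected: {exc}"
    stored = build_public_hardened("public-demo", {})
    return vulnerable, hardened, stored

if __name__ == "__main__":
    for label, value in zip(("vulnerable", "hardened", "stored-only"), demo()):
        print(f"{label}: {value}")
```

In the vulnerable handler the caller decides what code runs; in the hardened one the caller can only select a flow the server already holds.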
CISA set April 8, 2026 as the federal agency remediation deadline for Federal Civilian Executive Branch systems.
Context
CVE-2026-33017 follows a growing pattern of critical vulnerabilities in AI development infrastructure. For organisations subject to NIS2 or DORA, the 20-hour exploitation window highlights why vulnerability management processes (ISO 27001 Annex A control 8.8) must account for near-zero-day response timelines in internet-facing AI tooling.