The US cybersecurity agency CISA has flagged a critical code injection flaw in Langflow, the open-source visual framework widely used to build AI agent workflows. The vulnerability, CVE-2026-33017, carries a CVSS score of 9.3 and enables remote code execution without requiring any authentication. CISA added it to its Known Exploited Vulnerabilities (KEV) catalog, meaning active exploitation has been confirmed.
Langflow has over 145,000 stars on GitHub and is popular for its drag-and-drop interface that connects AI nodes into executable pipelines via a REST API. That popularity makes it an attractive target.
Exploitation followed disclosure within 20 hours
According to Sysdig, attackers started scanning for vulnerable instances roughly 20 hours after the advisory was published on March 17. Exploitation using Python scripts followed within 21 hours, and data harvesting targeting .env and .db files began after 24 hours. No public proof-of-concept code existed at the time. Endor Labs believes attackers reconstructed exploits directly from the advisory.
The flaw resides in Langflow’s public flow build endpoint. When an attacker supplies a crafted data parameter, the code is passed to Python’s exec() function with zero sandboxing, enabling unauthenticated RCE via a single HTTP request. Versions 1.8.1 and earlier are affected.
This is not the first time Langflow has attracted CISA’s attention. In May 2025, the agency warned of active exploitation of CVE-2025-3248, another critical API endpoint flaw allowing unauthenticated RCE. That’s not an isolated case either: n8n, a comparable AI workflow tool, also faced a critical vulnerability with a CVSS of 10.0 in January 2026, enabling full instance takeover. It appears agentic offerings with a low barrier to entry must do more to prevent malicious use, at least via such vulnerabilities.
Remediation: patch to version 1.9.0 or shut down
System administrators running Langflow should upgrade to version 1.9.0 or later, which addresses CVE-2026-33017. If upgrading is not immediately possible, disabling or restricting the vulnerable endpoint is recommended. Sysdig advises against exposing Langflow directly to the internet, and recommends monitoring outbound traffic and rotating API keys, database credentials, and cloud secrets if suspicious activity is detected.
CISA’s April 8 deadline formally covers U.S. federal agencies under Binding Operational Directive 22-01, but the agency recommends all organizations treat it as a benchmark.