
Langflow CVE-2026-33017: critical RCE under active exploit

Robert · Updated Jun 30, 2026 · 6 min read

[Figure: Attestd API response showing risk_state critical with five simultaneous risk factors for Langflow, including active exploitation and no authentication required]

Langflow RCE under active exploitation: what a critical API response looks like

June 30, 2026

CVE-2026-33017 is an unauthenticated remote code execution vulnerability in Langflow, the popular open-source AI application builder. CVSS score: 9.3. Actively exploited in the wild. Threat actors are using it to deploy Monero cryptocurrency miners, establish persistence, and propagate laterally to SSH-reachable hosts. Trend Micro's analysis documents a 19-day attack window between March 27 and April 15, 2026, with the campaign now subject to a full technical writeup.

This post is not primarily about the attack. It is about what the API returns when you query an actively-exploited AI infrastructure product, and why that response pattern is the thing an autonomous system needs.


What the API returns

```bash
curl "https://api.attestd.io/v1/check?product=langflow&version=1.0.0" \
  -H "Authorization: Bearer $ATTESTD_API_KEY"
```

```json
{
  "product": "langflow",
  "version": "1.0.0",
  "supported": true,
  "risk_state": "critical",
  "risk_factors": [
    "active_exploitation",
    "remote_code_execution",
    "no_authentication_required",
    "internet_exposed_service",
    "patch_available"
  ],
  "actively_exploited": true,
  "remote_exploitable": true,
  "authentication_required": false,
  "patch_available": true,
  "fixed_version": "1.3.0",
  "confidence": 0.5,
  "cve_ids": [
    "CVE-2024-48061", "CVE-2024-7297", "CVE-2024-9277",
    "CVE-2025-3248", "CVE-2025-34291", "CVE-2025-57760",
    "CVE-2025-68477", "CVE-2025-68478", "CVE-2026-10561",
    "CVE-2026-12822", "CVE-2026-21445", "CVE-2026-27966",
    "CVE-2026-33017", "CVE-2026-33053", "CVE-2026-33475",
    "CVE-2026-33484", "CVE-2026-33497", "CVE-2026-33760",
    "CVE-2026-33873", "CVE-2026-34046", "CVE-2026-42048",
    "CVE-2026-42867", "CVE-2026-48519", "CVE-2026-48520",
    "CVE-2026-55255", "CVE-2026-55423", "CVE-2026-55446",
    "CVE-2026-55447", "CVE-2026-55450", "CVE-2026-6542",
    "CVE-2026-7524", "CVE-2026-7528", "CVE-2026-7664",
    "CVE-2026-7787"
  ],
  "last_updated": "2026-06-30T18:16:37.929674Z",
  "supply_chain": {
    "compromised": false,
    "sources": [],
    "malware_type": null,
    "description": null,
    "advisory_url": null,
    "compromised_at": null,
    "removed_at": null
  },
  "typosquat": null
}
```

Five simultaneous risk factors. risk_state: critical. actively_exploited: true. authentication_required: false. patch_available: true. fixed_version: 1.3.0.

An autonomous system querying this response does not need to interpret a CVSS score, read a prose advisory, or synthesise across multiple data sources. It branches on risk_state: critical and acts. The patch version is in the response. The exploitation status is in the response. No human needs to be in the loop for the decision to be made correctly.


The confidence score at 0.5

The confidence field reflects the quality and completeness of the underlying data, not doubt about the critical signals themselves. Langflow has 34 CVEs in the current response, a large and rapidly growing set with several very recent entries. When CVE volume is high and new records are still being published across an active vulnerability cluster, the synthesis layer applies a lower confidence to the aggregate picture because the full extent of affected version ranges may still be resolving across NVD, CISA KEV, and vendor advisories.

What this means in practice: the actively_exploited: true and risk_state: critical signals are sourced from verified CISA KEV data and are not subject to the uncertainty the confidence score reflects. The 0.5 confidence applies to the completeness of the version range picture across all 34 CVEs, not to whether this product at this version is in a critical, actively-exploited state. It is.

For an autonomous system making a deployment decision, the correct behaviour on a 0.5 confidence response with risk_state: critical is the same as on a 0.95 confidence response with the same risk state: do not proceed without explicit operator override.


What happened with CVE-2026-33017

Langflow exposes an unauthenticated API endpoint. CVE-2026-33017 allows an attacker to evaluate arbitrary Python code through that endpoint without authentication. A single line of Python pulls down a shell script, which fetches and executes a miner binary as a detached process.

The miner binary, an ELF executable named "lambsys" written in Go, terminates competing cryptocurrency mining processes, disables host-level security controls including AppArmor, UFW, iptables, and SELinux, establishes cron-based persistence, and propagates to other systems through reused SSH keys. It removes system logs to cover tracks and contacts attacker-controlled infrastructure to fetch a custom XMRig Monero miner.

Trend Micro's analysis notes that the same binary family has been iterating since at least May 2024, with each version taking steps to evade antivirus detection. CVE-2026-33017 is not an isolated finding in Langflow's CVE history. CVE-2025-3248, a separate critical RCE with a CVSS score of 9.8, was exploited a year earlier to distribute the Flodrix botnet malware. Both are in the response above.

Langflow is an AI application builder. The developers running exposed Langflow instances are building AI workflows, agents, and automated pipelines. The attack surface is not a generic web server. It is AI application infrastructure specifically.


The two-signal architecture in a single response

This response is the direct inverse of the Mastra supply chain attack documented in the detection ledger.

The Mastra response returned risk_state: none with supply_chain.compromised: true. No CVEs. Clean on vulnerability signals. Compromised via a malicious dependency injected by a hijacked maintainer account.

The Langflow response returns risk_state: critical with supply_chain.compromised: false. No supply chain compromise. Clean on the supply chain signal. Compromised via a critical unauthenticated RCE in the product itself.

A security layer that only checks CVEs would have passed Mastra clean and correctly flagged Langflow.

A security layer that only checks supply chain signals would have passed Langflow clean and correctly flagged Mastra.

Attestd checks both in the same API call. The two signals are not redundant. They catch different attack classes. An autonomous system that needs to reason about the security of its dependencies needs both, because attackers use both.
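As an added example (written for this post, not Attestd's own client code), here is a Python deployment gate that does what the three sections above describe: it branches on `risk_state` from the CVE side and on `supply_chain.compromised` from the supply chain side, it ignores `confidence` when `risk_state` is critical, and it compares the running version against `fixed_version` as the coverage note at the end of the post does. The Langflow sample is abridged from the response shown above; the Mastra-like sample is constructed from the fields the post names and is not a real API reply; `fetch_check` assumes only the endpoint and Bearer header from the curl call above. The `cve_check` and `supply_chain_check` flags exist to show what a one-signal layer would miss.

```python
"""Deployment gate over an Attestd /v1/check response (added example, not
Attestd's own code).  Branches on two independent signals, risk_state and
supply_chain.compromised, ignores confidence when risk_state is critical,
and compares the running version to fixed_version.  Sample responses are
constructed for this example."""
import json
import re
import urllib.request
from dataclasses import dataclass

# Constructed sample: abridged from the Langflow 1.0.0 response in the post.
LANGFLOW_RESPONSE = """{
  "product": "langflow", "version": "1.0.0", "supported": true,
  "risk_state": "critical",
  "risk_factors": ["active_exploitation", "remote_code_execution",
                   "no_authentication_required", "internet_exposed_service",
                   "patch_available"],
  "actively_exploited": true, "remote_exploitable": true,
  "authentication_required": false, "patch_available": true,
  "fixed_version": "1.3.0", "confidence": 0.5,
  "cve_ids": ["CVE-2025-3248", "CVE-2026-33017"],
  "supply_chain": {"compromised": false, "sources": [], "malware_type": null,
                   "description": null, "advisory_url": null,
                   "compromised_at": null, "removed_at": null},
  "typosquat": null
}"""

# Constructed sample modelled on the Mastra case the post describes: no CVEs,
# risk_state none, supply_chain.compromised true.  Field values are invented.
MASTRA_LIKE_RESPONSE = """{
  "product": "mastra", "version": "0.0.0-example", "supported": true,
  "risk_state": "none", "risk_factors": [],
  "actively_exploited": false, "remote_exploitable": false,
  "authentication_required": null, "patch_available": false,
  "fixed_version": null, "confidence": 0.9, "cve_ids": [],
  "supply_chain": {"compromised": true, "sources": ["npm"],
                   "malware_type": "example-placeholder",
                   "description": "constructed example", "advisory_url": null,
                   "compromised_at": "2026-01-01T00:00:00Z", "removed_at": null},
  "typosquat": null
}"""


@dataclass(frozen=True)
class Decision:
    allow: bool
    reasons: tuple  # empty when allowed; otherwise why the gate blocked


def parse_version(v):
    """'1.3.0' -> (1, 3, 0).  Only the leading digits of each component count,
    so a pre-release like 1.3.0rc1 compares equal to 1.3.0 (a deliberate
    simplification; use packaging.version for real PEP 440 handling)."""
    parts = []
    for component in v.split("."):
        m = re.match(r"\d+", component)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def below_fixed(version, fixed_version):
    """True when the running version predates fixed_version (None: no fix known)."""
    if not fixed_version:
        return False
    return parse_version(version) < parse_version(fixed_version)


def deployment_decision(response_json, cve_check=True, supply_chain_check=True):
    """Gate on both signals; the flags only demonstrate what a one-signal layer misses."""
    r = json.loads(response_json)
    reasons = []
    if cve_check:
        if r.get("risk_state") == "critical":
            # confidence is intentionally not consulted: it scores how complete
            # the version-range picture is, not the critical signal itself.
            reasons.append("risk_state=critical (%s)" % ", ".join(r.get("risk_factors", [])))
        if below_fixed(r.get("version", "0"), r.get("fixed_version")):
            reasons.append("version %s is below fixed_version %s"
                           % (r["version"], r["fixed_version"]))
    if supply_chain_check and (r.get("supply_chain") or {}).get("compromised"):
        reasons.append("supply_chain.compromised=true")
    return Decision(allow=not reasons, reasons=tuple(reasons))


def fetch_check(product, version, api_key):
    """Live query using the endpoint and header from the post's curl call.
    Not exercised here; needs network access and an API key."""
    url = "https://api.attestd.io/v1/check?product=%s&version=%s" % (product, version)
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + api_key})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    for name, body in (("langflow", LANGFLOW_RESPONSE), ("mastra-like", MASTRA_LIKE_RESPONSE)):
        both = deployment_decision(body)
        cve_only = deployment_decision(body, supply_chain_check=False)
        sc_only = deployment_decision(body, cve_check=False)
        print(name, "| both signals allow:", both.allow, both.reasons,
              "| cve-only allow:", cve_only.allow, "| supply-chain-only allow:", sc_only.allow)
```

Run as a script it prints that both samples are blocked when both signals are checked, that the CVE-only gate lets the Mastra-like response through, and that the supply-chain-only gate lets Langflow through, which is the point of the section above. In a real pipeline the `Decision.reasons` tuple is what you would log and surface to the operator whose override is required.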


Why AI application endpoints are a named target

Trend Micro's analysis frames the Langflow exploitation directly: "A Langflow vulnerability gives commodity cryptominer operators a new front door into systems running AI application infrastructure."

This is not a novel observation in 2026. Exposed AI application endpoints are a recurring target because they tend to run with broad network access, elevated permissions to internal services, and credentials to LLM APIs, databases, and cloud infrastructure. A cryptominer is the commodity payload. The access gained through an unauthenticated RCE on a Langflow instance is worth substantially more in the hands of a more sophisticated attacker.

The supply chain attacks documented in the detection ledger (Mastra, Axios, the Fake Font campaign) target the developers building AI systems. The CVE attacks (Langflow here, Flowise in 2025) target the AI application endpoints those developers deploy. Both layers need continuous monitoring. Both layers are in Attestd.


Coverage

Langflow is covered. The response above is live from the production API as of June 30, 2026. The fixed version is 1.3.0. If you are running an exposed Langflow instance at any version below 1.3.0, the response will return risk_state: critical and actively_exploited: true.

API documentation is at attestd.io/docs.