Hackers Exploited This AI Platform in 20 Hours—One HTTP Request Was All It Took

A Single Curl Command Is All It Takes

Langflow is an open source platform used by thousands of developers and companies to build AI agents and retrieval augmented generation pipelines without writing code. Its visual drag and drop interface connects language models, data sources, and tools into automated workflows. On March 17, 2026, a security advisory revealed that every publicly accessible Langflow instance was vulnerable to complete takeover. The flaw, tracked as CVE-2026-33017 with a CVSS score of 9.3, requires no authentication and can be triggered with a single HTTP POST request.

Security researcher Aviral Srivastava, who discovered and reported the vulnerability on February 26, described the exploitation as "extremely easy." That assessment proved accurate. According to Sysdig's threat research team, the first exploitation attempts appeared in the wild within 20 hours of the advisory's publication. No public proof of concept code existed at the time. Attackers reverse engineered working exploits directly from the advisory description and began scanning the internet for vulnerable instances.

How the Vulnerability Works

The flaw exists in Langflow's /api/v1/build_public_tmp/{flow_id}/flow endpoint, which is designed to build public flows. When an attacker supplies a specially crafted data parameter in the POST request, the endpoint uses the attacker controlled flow data instead of the stored flow definition. That flow data can contain arbitrary Python code embedded in node definitions. The code is passed directly to Python's exec() function without any sandboxing or input validation.

The result is unauthenticated remote code execution. An attacker who knows the URL of any Langflow instance can run arbitrary commands on the underlying server. There is no login required, no token needed, and no rate limiting to slow the attack down. Every version of Langflow through 1.8.1 is affected.

What Attackers Are Doing With It

The exploitation has moved quickly from automated scanning to targeted credential theft. Sysdig's analysis documents a clear escalation pattern in observed attacks:

• Initial reconnaissance: extracting /etc/passwd to identify system users and confirm code execution
• Environment variable harvesting: dumping all environment variables to capture API keys, database credentials, and cloud provider tokens
• Configuration file enumeration: scanning for .env files, database connection strings, and application secrets
• Second stage payload delivery: deploying persistent backdoors and additional tooling for long term access

Because Langflow instances typically connect to language model APIs, vector databases, and other backend services, a compromised server often provides access to an organization's entire AI infrastructure. The API keys stored in environment variables can grant access to OpenAI, Anthropic, or other AI provider accounts, potentially running up significant charges or exfiltrating proprietary training data.

Why AI Tooling Is a Growing Target

Langflow is not the first AI platform to face this kind of vulnerability, and it will not be the last. The rapid adoption of AI development tools has created a new category of infrastructure that often sits outside traditional security monitoring. Many Langflow instances are deployed by individual developers or small teams who expose them to the internet for convenience, without the network segmentation or access controls that would protect a production database server.

The 20 hour exploitation timeline is particularly alarming. It demonstrates that attackers are actively monitoring AI platform advisories and can weaponize vulnerabilities faster than most organizations can deploy patches. This pattern mirrors what researchers have observed with browser based attacks, where the speed of exploitation consistently outpaces the speed of defense. Similarly, supply chain attacks on developer tools are accelerating—malicious npm packages recently used blockchain infrastructure for command and control, showing that the tools developers trust are becoming the tools that compromise them.

What You Should Do Now

If you run Langflow in any capacity, treat this as an emergency. The following steps should be taken immediately:

• Update to version 1.9.0.dev8 or later, which contains the fix for CVE-2026-33017
• Audit environment variables and secrets on any instance that was publicly accessible. Assume they have been compromised and rotate all API keys, database passwords, and cloud credentials
• Check server logs for POST requests to the /api/v1/build_public_tmp/ endpoint, which may indicate exploitation attempts
• Place Langflow behind an authenticated reverse proxy so the application is never directly exposed to the internet
• Monitor for unusual outbound connections from the server, which may indicate an active backdoor

The broader lesson applies to every AI tool in your stack. Any platform that accepts user input and executes code, especially one designed to make that process easy, is a high value target. If it is reachable from the internet without authentication, it is a matter of time before someone finds it.