A critical security vulnerability, CVE-2026-33017, has been discovered in Langflow, an open-source platform used to build AI workflows, large language model (LLM) applications, and Retrieval-Augmented Generation (RAG) pipelines. Researchers report that the flaw is already being actively exploited, allowing attackers to execute arbitrary Python code on vulnerable servers without requiring authentication.
Because Langflow is commonly integrated with AI services, databases, and cloud platforms, successful exploitation could expose sensitive data and provide attackers with extensive control over affected environments.
How the Vulnerability Is Exploited
The vulnerability exists in a publicly accessible API endpoint responsible for building workflow components. Due to insufficient input validation, attackers can inject malicious Python code into specially crafted requests. The injected code is then executed on the server, enabling full remote code execution.
Security researchers observed exploitation attempts within hours of the vulnerability becoming public. Rather than relying on publicly available proof-of-concept exploits, attackers quickly developed their own techniques based on details released in the security advisory.
Early attacks focused on identifying vulnerable servers and executing basic system commands. As the campaign evolved, attackers expanded their activity to collect sensitive information, inspect server environments, and download additional malicious payloads.
Active Exploitation Raises Security Concerns
Researchers found that attackers attempted to access configuration files, database information, API keys, cloud credentials, and other sensitive resources stored on compromised systems. Since Langflow environments often connect to external AI services and cloud infrastructure, stolen credentials could enable further attacks beyond the initially compromised server.
The investigation also revealed coordinated attack infrastructure, with multiple threat actors using similar command-and-control servers and data exfiltration techniques. Temporary callback domains were frequently used to verify successful exploitation while avoiding detection.
Recommended Actions
- Update Langflow to the latest patched version immediately.
- Restrict public access to Langflow instances whenever possible.
- Monitor systems for unusual API requests and unexpected command execution.
- Review cloud credentials, API keys, and environment files for potential exposure.
The rapid exploitation of CVE-2026-33017 demonstrates how quickly threat actors weaponize newly disclosed vulnerabilities. Organizations operating internet-facing AI applications should prioritize timely patching, continuous monitoring, and network segmentation to reduce the risk of compromise.
Indicators of Compromise (IoCs)
Source IPs
| IP | Location (Geo) | ASN / Provider | Observed Activity |
|---|---|---|---|
| 77.110.106.154 | DE (Frankfurt) | AEZA GROUP LLC | Nuclei scan against Langflow, Interactsh-based callback RCE |
| 209.97.165.247 | SG (Singapore) | DigitalOcean | Nuclei scan, Interactsh callback test of id command |
| 188.166.209.86 | SG (Singapore) | DigitalOcean | Nuclei scan, Interactsh callback, identical Python RCE payload |
| 205.237.106.117 | FR (Paris) | PUSHPKT OU | Nuclei scan with rotated User-Agent strings, Interactsh exfil |
| 83.98.164.238 | NL (Lelystad) | Accenture B.V. | Custom exploit script, recon (ls, cat /etc/passwd), stage-2 |
| 173.212.205.251 | FR (Lauterbourg) | Contabo GmbH | Custom exploit, env/credential harvesting, dropper hosting |
C2 and Staging Infrastructure
| Indicator | Type | Geo / Provider | Context |
|---|---|---|---|
| 143.110.183.86:8080 | C2 server | IN, DigitalOcean | Receives base64-encoded exfiltrated command output |
| 173.212.205.251:8443 | Dropper host | FR, Contabo GmbH | Serves stage-2 payload from path /z |
Malicious Dropper URLs
| URL | Role | Notes |
|---|---|---|
| http://143.110.183.86:8080/ | C2 / exfil endpoint | Receives HTTP exfil from Python RCE |
| http://173.212.205.251:8443/z | Stage-2 dropper | Bash-executed payload delivery |
Interactsh Callback Domains (Samples)
| Domain | TLD | Usage |
|---|---|---|
| d6tcpc6flblph01gdcb0ku9ixih393m54.oast.live | .oast.live | OOB validation of id command output |
| d6tcpe7nsv6kk9rdrpggi37zmjfxw9imr.oast.me | .oast.me | Automated Nuclei-driven callback |
| d6td5s9qte0bea7273e0wuou77jjx77uk.oast.pro | .oast.pro | RCE payload result exfiltration |
| d6tgbe1qte0a8rkffb3gqabqm8517exd3.oast.fun | .oast.fun | Ephemeral callback for scanning activity |
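
One way to apply the monitoring recommendation using the indicators in the tables above is sketched below. This is an added example, not code from the original report or from Langflow. The flow-log format, the `10.0.0.x` server addresses, port 7860, and the sample lines are constructed assumptions. It flags any host under the listed Interactsh suffixes rather than only the sample names, since the callback domains are temporary.

```python
import re
from collections import defaultdict

# Indicators copied from the tables on this page.
SOURCE_IPS = {"77.110.106.154", "209.97.165.247", "188.166.209.86",
              "205.237.106.117", "83.98.164.238", "173.212.205.251"}
C2_STAGING = {("143.110.183.86", 8080), ("173.212.205.251", 8443)}
# Callback hostnames are ephemeral, so match the suffixes, not the sample names.
OAST_SUFFIXES = (".oast.live", ".oast.me", ".oast.pro", ".oast.fun")

# Assumed (constructed) flow-log format: "<ts> IN|OUT src=<ip> dst=<host>:<port>"
LINE_RE = re.compile(r"^\S+ (IN|OUT) src=(\S+) dst=([^:\s]+):(\d+)")

def tags_for(direction, src, host, port):
    host = host.lower().rstrip(".")  # normalise case and a trailing root dot
    tags = set()
    if direction == "IN" and src in SOURCE_IPS:
        tags.add("inbound-from-listed-source")
    if direction == "OUT":
        if (host, port) in C2_STAGING:
            tags.add("outbound-to-c2-or-dropper")
        if host.endswith(OAST_SUFFIXES):
            tags.add("outbound-interactsh-callback")
    return tags

def scan(lines):
    """Map each monitored server (dst of IN lines, src of OUT lines) to its tags."""
    findings = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        direction, src, host, port = m.groups()
        server = host if direction == "IN" else src
        findings[server] |= tags_for(direction, src, host, int(port))
    return {s: sorted(t) for s, t in findings.items() if t}

def triage(findings):
    # A listed source reaching a server that then calls out is the strongest signal.
    return {s: "likely-compromised" if "inbound-from-listed-source" in tags
            and any(t.startswith("outbound") for t in tags) else "investigate"
            for s, tags in findings.items()}

# Constructed sample log lines (not taken from the report).
SAMPLE_LOG = """\
2026-01-01T00:00:02Z IN src=83.98.164.238 dst=10.0.0.5:7860
2026-01-01T00:00:03Z OUT src=10.0.0.5 dst=173.212.205.251:8443
2026-01-01T00:00:04Z OUT src=10.0.0.6 dst=constructed-label.oast.fun:443
2026-01-01T00:00:05Z OUT src=10.0.0.7 dst=notoast.fun:443
""".splitlines()
```

Calling `triage(scan(SAMPLE_LOG))` rates `10.0.0.5` as likely compromised and `10.0.0.6` as needing investigation; `10.0.0.7` is not flagged because `notoast.fun` is not under an Interactsh suffix.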