Vulnerabilities | Critical

Langflow AI Framework Vulnerability Exploited Within 20 Hours

Sunday, March 22, 2026
Global
SecurityWeek / Langflow Security Advisory

Summary

Critical CVSS 9.3 flaw (CVE-2026-33017) in AI agent framework exploited for credential theft and potential supply chain attacks shortly after disclosure.

Threat Analysis

A critical vulnerability (CVE-2026-33017) in Langflow, an open-source framework for building AI agents, was exploited by threat actors approximately 20 hours after its public disclosure. The flaw, rated CVSS 9.3, is a remote code execution bug: because attacker-supplied flow data is used in public flows, an unauthenticated attacker can execute arbitrary code on the server. Attackers have used it to steal API keys and other credentials, potentially setting the stage for supply chain attacks on AI development pipelines. Exploitation attempts were observed from multiple unique IP addresses, beginning with mass scanning and followed by active reconnaissance and data exfiltration. The speed of exploitation underscores the importance of immediate patching and the growing threat to AI development tooling. Organizations running Langflow should update to the patched version immediately and rotate every credential the instance could have exposed.
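The advisory describes the activity pattern seen in the wild: a burst of scanning from many distinct source IPs, followed by targeted requests from a subset of them. The script below is an added example (not from SecurityWeek, the advisory, or the Langflow project) showing how a defender can spot both signals in ordinary web-server access logs. It assumes combined-format log lines and that the framework's flow API lives under the placeholder prefix `LANGFLOW_PREFIX`; the sample log is constructed and not real traffic.

```python
"""Spot scan-then-follow-up activity against an AI framework's API in access logs.

Added example, not from the advisory or the Langflow project. Assumptions: the
log is Apache/Nginx combined format, and the flow API sits under LANGFLOW_PREFIX
(a placeholder; the page does not give Langflow's actual paths).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LANGFLOW_PREFIX = "/api/v1/flows"   # assumption: path prefix of the flow API
WINDOW = timedelta(minutes=5)       # bucket size for counting distinct sources
MIN_DISTINCT_IPS = 5                # a burst = at least this many IPs in one window

# Combined log line: ip - - [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def burst_windows(lines, prefix=LANGFLOW_PREFIX, window=WINDOW, min_ips=MIN_DISTINCT_IPS):
    """Bucket hits on `prefix` into fixed windows; return {window_start_epoch: [ips]}
    for windows where the number of distinct source IPs reaches min_ips."""
    ips_by_window = defaultdict(set)
    secs = int(window.total_seconds())
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(prefix):
            continue
        bucket = int(rec["ts"].timestamp() // secs) * secs  # floor to window start
        ips_by_window[bucket].add(rec["ip"])
    return {b: sorted(ips) for b, ips in ips_by_window.items() if len(ips) >= min_ips}


def followup_after_scan(lines, prefix=LANGFLOW_PREFIX):
    """IPs that first probed the API with a GET and later sent a POST to it:
    the scan-then-follow-up sequence the advisory describes. Lines are
    processed in file order, which is assumed to be chronological."""
    first_get, later_post = {}, set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(prefix):
            continue
        if rec["method"] == "GET" and rec["ip"] not in first_get:
            first_get[rec["ip"]] = rec["ts"]
        elif rec["method"] == "POST" and rec["ip"] in first_get and rec["ts"] > first_get[rec["ip"]]:
            later_post.add(rec["ip"])
    return sorted(later_post)


# Constructed sample log (not real traffic): six sources probe the flow API within
# a few minutes, one of them returns later with a POST, plus unrelated noise.
SAMPLE_LOG = [
    '198.51.100.11 - - [22/Mar/2026:10:00:10 +0000] "GET /api/v1/flows/ HTTP/1.1" 401 0',
    '198.51.100.12 - - [22/Mar/2026:10:00:12 +0000] "GET /api/v1/flows/ HTTP/1.1" 401 0',
    '198.51.100.13 - - [22/Mar/2026:10:00:15 +0000] "GET /api/v1/flows/ HTTP/1.1" 401 0',
    '10.0.0.5 - - [22/Mar/2026:10:00:30 +0000] "GET /health HTTP/1.1" 200 2',
    '198.51.100.14 - - [22/Mar/2026:10:01:03 +0000] "GET /api/v1/flows/ HTTP/1.1" 401 0',
    '192.0.2.20 - - [22/Mar/2026:10:02:40 +0000] "GET /api/v1/flows/ HTTP/1.1" 401 0',
    '203.0.113.7 - - [22/Mar/2026:10:03:50 +0000] "GET /api/v1/flows/ HTTP/1.1" 200 512',
    '203.0.113.7 - - [22/Mar/2026:10:08:22 +0000] "POST /api/v1/flows/run HTTP/1.1" 200 88',
    '10.0.0.5 - - [22/Mar/2026:10:30:00 +0000] "GET /api/v1/flows/ HTTP/1.1" 200 3410',
]

if __name__ == "__main__":
    for start, ips in burst_windows(SAMPLE_LOG).items():
        print(f"burst at {datetime.utcfromtimestamp(start):%H:%M}: {len(ips)} distinct IPs")
    print("scan-then-POST sources:", followup_after_scan(SAMPLE_LOG))
```

The two checks are deliberately independent: a distinct-IP burst on the flow API is the early warning that a public scan is under way, and a source that comes back with writes after a read-only probe is the one worth pulling the full request history for. Both feed naturally into the credential-rotation decision the advisory calls for.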

Last updated: Mar 22, 2026, 09:16 AM
