CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Langflow unauthenticated RCE vulnerability (CVE-2026-33017) exploited within 20 hours of disclosure

First reported
Last updated
3 unique sources, 3 articles

Summary

Hide ▲

CISA formally confirmed active exploitation of the Langflow unauthenticated RCE vulnerability (CVE-2026-33017) on March 26, 2026, adding it to the Known Exploited Vulnerabilities (KEV) catalog and mandating U.S. federal agencies to apply mitigations or stop using the product by April 8, 2026. Threat actors exploited the flaw within 20–24 hours of its March 17, 2026 disclosure, progressing from automated scanning to staged Python payload delivery and credential harvesting (including .env and .db files) despite the absence of public PoC code. The vulnerability, with a CVSS score of 9.3, affects all Langflow versions prior to and including 1.8.1 and stems from an unsandboxed exec() call in the /api/v1/build_public_tmp/{flow_id}/flow endpoint. CISA did not attribute exploitation to ransomware actors but emphasized the risk to AI workflows given Langflow’s widespread adoption, including 145,000 GitHub stars. Endor Labs reported that attackers likely reverse-engineered exploits from the advisory details, underscoring the accelerating weaponization timeline. Mitigation guidance includes upgrading to version 1.9.0+ or disabling the vulnerable endpoint, restricting internet exposure, monitoring outbound traffic, and rotating all associated credentials.

Timeline

  1. 20.03.2026 12:20 3 articles · 7d ago

    Unauthenticated RCE in Langflow exploited within 20 hours of advisory publication

    CISA officially confirmed active exploitation of CVE-2026-33017 on March 26, 2026, adding it to the Known Exploited Vulnerabilities (KEV) catalog and issuing a binding operational directive requiring U.S. federal agencies to apply mitigations or stop using the product by April 8, 2026. Endor Labs reported detailed exploitation timelines: automated scanning began 20 hours after the March 17 advisory, exploitation via custom Python scripts at 21 hours, and credential/data harvesting (including .env and .db files) at 24 hours. Attackers likely developed exploits directly from advisory details due to the absence of public PoC code. CISA did not attribute exploitation to ransomware actors but highlighted the severity given Langflow’s 145,000 GitHub stars and adoption across the AI workflow ecosystem. Mitigation guidance includes upgrading to Langflow 1.9.0+, disabling the vulnerable endpoint, restricting internet exposure, monitoring outbound traffic, and rotating API keys, database credentials, and cloud secrets.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Interlock ransomware leverages Cisco FMC insecure deserialization zero-day (CVE-2026-20131) for root access

A critical insecure deserialization vulnerability in Cisco Secure Firewall Management Center (FMC) Software, tracked as CVE-2026-20131 (CVSS 10.0), is being actively exploited by the Interlock ransomware group to gain unauthenticated remote root access on unpatched systems. The flaw enables unauthenticated remote attackers to bypass authentication and execute arbitrary Java code with root privileges via crafted HTTP requests to a specific endpoint. Exploitation has been observed as a zero-day since January 26, 2026, more than a month before public disclosure and patch availability. Cisco issued its first advisory for CVE-2026-20131 on March 4, 2026, and Amazon Threat Intelligence confirmed active exploitation by Interlock starting in late January. CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and ordered federal agencies to patch by March 22, 2026, under BOD 22-01. Post-exploitation tooling includes custom JavaScript/Java RATs, PowerShell reconnaissance scripts, Linux reverse proxy configuration tools, memory-resident web shells, and ConnectWise ScreenConnect for persistence. Compromised environments are leveraged for ransomware operations and secondary monetization. AWS’s detailed analysis reveals additional post-exploitation components such as a memory-resident backdoor intercepting HTTP requests, Volatility for RAM credential parsing, and Certify for Active Directory Certificate Services misconfiguration exploitation.

Open in new tab

CISA Adds SolarWinds, Ivanti, and Workspace One Vulnerabilities to KEV Catalog

CISA has added three vulnerabilities to its KEV catalog due to evidence of active exploitation. These include CVE-2021-22054 in Omnissa Workspace One UEM, CVE-2025-26399 in SolarWinds Web Help Desk, and CVE-2026-1603 in Ivanti Endpoint Manager. The vulnerabilities are being exploited by threat actors, including the Warlock ransomware crew. Federal agencies are ordered to apply patches by March 12 and March 23, 2026. CVE-2026-1603 can be exploited by remote threat actors to bypass authentication and steal credential data in low-complexity cross-site scripting attacks that require no user interaction. Ivanti patched CVE-2026-1603 one month ago with the release of Ivanti EPM 2024 SU5, but has not received reports of exploitation prior to public disclosure.

Open in new tab

TeamPCP Worm Exploits Cloud Infrastructure for Criminal Operations

TeamPCP, a threat cluster active since November 2025, has conducted a worm-driven campaign targeting cloud-native environments to build malicious infrastructure. The campaign, observed around December 25, 2025, leveraged exposed Docker APIs, Kubernetes clusters, Ray dashboards, Redis servers, and the React2Shell vulnerability (CVE-2025-55182) to compromise servers for data exfiltration, ransomware deployment, extortion, and cryptocurrency mining. The group operates as a cloud-native cybercrime platform, using misconfigured cloud services and known vulnerabilities to create a self-propagating criminal ecosystem. TeamPCP's activities include deploying various payloads such as proxy.sh, scanner.py, kube.py, react.py, and pcpcat.py to exploit and expand their reach within cloud environments. The group's operations are opportunistic, targeting AWS, Microsoft Azure, Google, and Oracle cloud environments, and have resulted in data leaks and extortion activities. The group has compromised at least 60,000 servers worldwide and has exfiltrated more than two million records from JobsGO, a recruitment platform in Vietnam.

Open in new tab

Critical Pre-Auth RCE Vulnerability in BeyondTrust Remote Support and PRA

BeyondTrust has patched a critical pre-authentication remote code execution (RCE) vulnerability (CVE-2026-1731, CVSS 9.9) in Remote Support (RS) and Privileged Remote Access (PRA) products. The flaw could allow unauthenticated attackers to execute OS commands in the context of the site user, leading to unauthorized access, data exfiltration, and service disruption. The vulnerability affects RS versions 25.3.1 and prior, and PRA versions 24.3.4 and prior. Patches are available in RS versions 25.3.2 and later, and PRA versions 25.1.1 and later. Self-hosted customers must manually apply updates if not subscribed to automatic updates. The vulnerability was discovered on January 31, 2026, with approximately 11,000 exposed instances identified, including around 8,500 on-prem deployments. BeyondTrust secured all RS/PRA cloud systems by February 2, 2026. The flaw was discovered by Harsh Jaiswal and the Hacktron AI team. Threat actors can exploit the flaw through maliciously crafted client requests in low-complexity attacks that do not require user interaction. In June 2025, BeyondTrust fixed a high-severity RS/PRA Server-Side Template Injection vulnerability. Attackers have begun actively exploiting the CVE-2026-1731 vulnerability in the wild, abusing the get_portal_info endpoint to extract the x-ns-company value before establishing a WebSocket channel. A proof-of-concept exploit targeting the /get_portal_info endpoint was published on GitHub. Threat actors have been observed exploiting CVE-2026-1731 to conduct network reconnaissance, deploy web shells, establish command-and-control (C2) channels, install backdoors and remote management tools, perform lateral movement, and exfiltrate data. The attacks have targeted financial services, legal services, high technology, higher education, wholesale and retail, and healthcare sectors across the U.S., France, Germany, Australia, and Canada. The vulnerability enables attackers to inject and execute arbitrary shell commands via the affected 'thin-scc-wrapper' script through the WebSocket interface. Attackers have deployed multiple web shells, including a PHP backdoor and a bash dropper, to maintain persistent access. Malware such as VShell and Spark RAT have been deployed as part of the exploitation. Out-of-band application security testing (OAST) techniques have been used to validate successful code execution and fingerprint compromised systems. Sensitive data, including configuration files, internal system databases, and a full PostgreSQL dump, have been exfiltrated to an external server. CVE-2026-1731 and CVE-2024-12356 share a common issue with input validation within distinct execution pathways. CVE-2026-1731 could be a target for sophisticated threat actors, similar to CVE-2024-12356 which was exploited by China-nexus threat actors like Silk Typhoon. CISA has confirmed that CVE-2026-1731 has been exploited in ransomware campaigns. CISA added CVE-2026-1731 to its Known Exploited Vulnerabilities (KEV) catalog on February 13 and gave federal agencies three days to apply the patch or stop using the product. Proof-of-concept (PoC) exploits for CVE-2026-1731 became available shortly after the initial disclosure, and exploitation was detected on January 31, making it a zero-day vulnerability for at least a week. CISA has activated the 'Known To Be Used in Ransomware Campaigns?' indicator in the KEV catalog for CVE-2026-1731. Customers of the cloud-based application (SaaS) had the patch applied automatically on February 2. Self-hosted instance customers need to either enable automatic updates or manually install the patch. For Remote Support, the recommended version is 25.3.2. For Privileged Remote Access, the recommended version is 25.1.1 or newer. Customers still using RS v21.3 and PRA v22.1 are recommended to upgrade to a newer version before applying the patch.

Open in new tab

LangChain Core Serialization Injection Vulnerability (CVE-2025-68664)

A critical serialization injection vulnerability in LangChain Core (CVE-2025-68664) allows attackers to steal secrets and manipulate LLM responses. The flaw, dubbed LangGrinch, arises from improper escaping of dictionaries with 'lc' keys during serialization. The vulnerability affects multiple versions of LangChain Core and LangChain.js, with patches available. The issue enables secret extraction from environment variables, instantiation of classes in trusted namespaces, and potential arbitrary code execution via Jinja2 templates. The patch introduces restrictive defaults and blocks Jinja2 templates by default. The most common attack vector is through LLM response fields like additional_kwargs or response_metadata, which can be controlled via prompt injection and then serialized/deserialized in streaming operations.

Open in new tab