Langflow AI Pipeline Compromise in 20 Hours

Executive Summary

The newly disclosed CVE‑2026‑33017 exposed Langflow, an open‑source visual framework for AI agents, to unauthenticated remote code execution via its public flow build endpoint. Sysdig’s Threat Research Team observed the first exploitation attempts within 20 hours of the advisory’s publication. Attackers leveraged a single HTTP POST request to inject arbitrary Python code, exfiltrate secrets, and deploy secondary payloads, demonstrating how quickly modern threat actors can weaponize vulnerabilities without public proof‑of‑concepts.

Technical Overview

Langflow’s REST API includes POST /api/v1/build_public_tmp/{flow_id}/flowendpoint, intended for unauthenticated users to build public flows. The endpoint accepts JSON payloads containing node definitions, and when a node’s script field contains Python code, that code is executed server‑side without sandboxing. The vulnerability allows attackers to supply malicious code, trigger arbitrary shell commands (via os.popen()), and exfiltrate data.

Observed Attack Phases

  • Phase 1 – Automated Scanning
    • Multiple IPs (77.110.106.154, 209.97.165.247, 188.166.209.86, 205.237.106.117) sent identical payloads within minutes.
    • Payload executed id, base64‑encoded the output, and sent it to an interactsh callback server.
    • Requests included Cookie: client_id=nuclei-scanner and named the flow “nuclei-cve-2026-33017.”
    • Indicators that a nuclei template was used, though no public template existed.
  • Phase 2 – Custom Exploit Scripts
    • IP 83.98.164.238 used Python‑requests to perform directory listing, credential enumeration, and system fingerprinting.
    • Executed a stage‑2 dropper from http://173.212.205.251:8443/z, indicating a pre‑prepared exploitation toolkit.
  • Phase 3 – Data Harvesting
    • IP 173.212.205.251 performed extensive environment variable dumps, file system enumeration, and extraction of .env files containing database connection strings and cloud credentials.
    • All exfiltration routed to C2 server 143.110.183.86:8080.

Indicators of Compromise

  • Source IPs: 77.110.106.154, 209.97.165.247, 188.166.209.86, 205.237.106.117, 83.98.164.238, 173.212.205.251.
  • C2 and staging infrastructure: 143.110.183.86:8080, 173.212.205.251:8443.
  • Interactsh callback domains: numerous subdomains on .oast.live, .oast.me, .oast.pro, .oast.fun.
  • Outbound DNS lookups to offensive‑security domains.

Recommendations for Defenders

  • Apply the Langflow patch immediately. If unavailable, restrict network access to the /api/v1/build_public_tmp endpoint or disable public flow building.
  • Audit all publicly exposed Langflow instances. Rotate API keys, database passwords, and cloud credentials.
  • Monitor for outbound connections to unusual ports or known callback services such as oastify.com, interact.sh, dnslog.cn.
  • Implement firewall rules or a reverse proxy with authentication to shield Langflow deployments from direct internet exposure.
  • Inventory AI/ML tooling (Langflow, n8n, etc.) across the organization. Apply least privilege and ensure regular security reviews.
  • Deploy runtime detection solutions (Falco, Sysdig Secure) with rules for os.popen() usage, file read of .env, and outbound HTTP connections to unfamiliar domains.

Conclusion

CVE‑2026‑33017 showcases the accelerated weaponization cycle that now characterizes critical vulnerabilities. Attackers can build functional exploits from the advisory text alone, often before a public proof‑of‑concept is released. The 20‑hour window between disclosure and active exploitation underscores the need for rapid patch deployment, runtime monitoring, and comprehensive security hygiene around AI/ML platforms.

Leave a Reply

Looking for the Best Cyber Security?

Seamlessly integrate local and cloud resources with our comprehensive cybersecurity services. Protect user traffic at endpoints using advanced security solutions like threat hunting and endpoint protection. Build a scalable network infrastructure with continuous monitoring, incident response, and compliance assessments.

Contact Us

Copyright © 2025 ESSGroup

Discover more from ESSGroup

Subscribe now to keep reading and get access to the full archive.

Continue reading