By Allan D - Editor, AI Security Wire
Langflow RCE Hits CISA KEV as Monero Campaign Targets AI Pipelines
Langflow, the open-source platform for building visual LLM and agent workflows, has an actively exploited remote code execution flaw that earned a spot in CISA’s Known Exploited Vulnerabilities catalog this week. CVE-2026-33017 carries a CVSS 9.8 base score and requires no authentication. If you’re running an exposed Langflow instance and haven’t patched yet, the question isn’t whether someone has looked at it — it’s whether they’ve already run something on it.
What the Bug Is
The vulnerability lives in Langflow’s public flow-build endpoint: /api/v1/build_public_tmp/{flow_id}/flow. This endpoint is designed to let users test AI workflow components and is intentionally accessible without authentication so developers can share flows publicly. The problem is that attacker-controlled input fed through this endpoint gets passed to Python’s exec() function directly, without any sandboxing.
That’s a clean, reliable arbitrary code execution primitive. Send a crafted request, get a shell. No exploit chain required, no gadgets to find. The Python process running Langflow just runs whatever you gave it.
Trend Micro’s threat research team documented active exploitation beginning shortly before June 30. What’s being deployed isn’t particularly sophisticated, but it’s effective and persistent.
The Miner Campaign
The payload being delivered to vulnerable Langflow instances is a Monero cryptominer bundled with several features that suggest a seasoned operator:
- Competitor cleanup: One of the first things the miner does is enumerate and kill processes associated with other known mining groups, including Kinsing and WatchDog. This isn’t altruistic — it’s resource competition. The attacker wants full CPU allocation.
- Persistence: The campaign installs cron entries to restart the miner if the process is killed. On some hosts, it also modifies systemd unit files.
- Lateral spread: If the compromised host has SSH keys in the standard locations, the miner attempts to spread to hosts in known_hosts using those keys. This is opportunistic — it won’t break through proper network controls — but many developer infrastructure environments aren’t segmented tightly enough to stop it.
CISA’s KEV catalog addition confirms that exploitation is happening broadly enough to warrant federal attention. The 72-hour remediation window that applies to federal agencies using Langflow is already in effect.
Why AI Infrastructure Is Getting Targeted
Langflow isn’t the first AI tooling platform to end up in KEV this year, and it won’t be the last. The pattern is consistent: developers build AI pipelines quickly, often on infrastructure that’s accessible externally for testing or demos, and the security review that would catch an exec() call on unauthenticated input doesn’t always happen before deployment.
The attack surface for AI applications is also genuinely new enough that standard security scanning and WAF rules haven’t caught up. A lot of the traffic hitting Langflow’s build endpoints looks like normal API usage — JSON bodies, reasonable HTTP methods — and the malicious requests don’t look different from legitimate flow tests at the network layer.
Cryptominers are also a particularly useful signal for defenders. Unlike ransomware or data theft, miner deployments are noisy: unexpected CPU spikes, unusual process names, outbound connections to mining pool addresses. If you have any visibility into resource utilisation on your AI infra, an active miner campaign will usually show up.
What to Do
The fix is Langflow 1.9.0 or later. If you can’t upgrade immediately:
- Restrict access to Langflow’s API to known-good IP ranges at the network layer
- Put authentication in front of any public-facing Langflow instance at the reverse proxy level, even for endpoints that Langflow itself considers public
- Check running processes for mining tools and review cron entries for unexpected additions
- Look for outbound connections to Monero mining pool addresses (pool.minexmr.com, xmrpool.eu, and similar) in DNS or firewall logs
The Trend Micro report includes IOCs for the specific miner variant being deployed in this campaign.
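The log checks in the list above can be scripted. The Python below is an added example, not code from Trend Micro or the Langflow project; the allowlisted range, the log formats (combined access log, dnsmasq-style query log) and every sample line are assumptions constructed for illustration. It flags requests to the build endpoint from outside the known-good ranges, whatever the HTTP method, and DNS lookups for the two pool domains named above.

```python
import ipaddress
import re

# Endpoint named in the article; {flow_id} is matched as one path segment.
BUILD_PATH = re.compile(r"/api/v1/build_public_tmp/[^/\s?]+/flow(?:[?\s]|$)")
# Pool domains named in the article; extend from your own IOC feed.
POOL_DOMAINS = ("pool.minexmr.com", "xmrpool.eu")
# Assumption: ranges treated as known-good for Langflow API access.
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed samples: combined-format access log, dnsmasq-style query log.
ACCESS_LOG = """\
10.20.4.7 - - [01/Jul/2026:09:12:01 +0000] "POST /api/v1/build_public_tmp/3f2a/flow HTTP/1.1" 200 512
203.0.113.50 - - [01/Jul/2026:09:14:44 +0000] "POST /api/v1/build_public_tmp/3f2a/flow HTTP/1.1" 200 498
203.0.113.50 - - [01/Jul/2026:09:14:45 +0000] "GET /health HTTP/1.1" 200 2
198.51.100.9 - - [01/Jul/2026:09:20:10 +0000] "GET /api/v1/build_public_tmp/9c1d/flow?x=1 HTTP/1.1" 405 0
"""
DNS_LOG = """\
Jul  1 09:15:02 dnsmasq[411]: query[A] pypi.org from 10.20.4.7
Jul  1 09:15:09 dnsmasq[411]: query[A] pool.minexmr.com from 10.20.4.12
Jul  1 09:15:30 dnsmasq[411]: query[A] eu.xmrpool.eu from 10.20.4.12
Jul  1 09:16:00 dnsmasq[411]: query[A] notxmrpool.eu from 10.20.4.7
"""

def untrusted_build_hits(log_text):
    """(source_ip, request) for build-endpoint requests outside ALLOWED_NETS; field 1 must be an IP."""
    hits = []
    for line in log_text.splitlines():
        m = re.match(r'(\S+) .*?"([^"]*)"', line)
        if not m or not BUILD_PATH.search(m.group(2)):
            continue
        src = ipaddress.ip_address(m.group(1))
        if not any(src in net for net in ALLOWED_NETS):
            hits.append((m.group(1), m.group(2)))
    return hits

def pool_lookups(log_text):
    """(client, name) for queries to a listed pool domain or any subdomain of it."""
    found = []
    for line in log_text.splitlines():
        m = re.search(r"query\[\w+\] (\S+) from (\S+)", line)
        if not m:
            continue
        name = m.group(1).lower().rstrip(".")
        if any(name == d or name.endswith("." + d) for d in POOL_DOMAINS):
            found.append((m.group(2), name))
    return found

if __name__ == "__main__":
    print(untrusted_build_hits(ACCESS_LOG), pool_lookups(DNS_LOG))
```

A hit from an unexpected source is a reason to inspect that host's processes and cron entries, not proof of compromise on its own, since legitimate shared flows use the same path.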
Frequently Asked Questions
- What is CVE-2026-33017 and why is it rated so severely?
  CVE-2026-33017 is an unauthenticated remote code execution vulnerability in Langflow, rated CVSS 9.8. The root cause is Langflow's public flow-build endpoint passing attacker-controlled data directly to Python's exec() function without any sandboxing or authentication check. Anyone who can reach the API endpoint over the network can run arbitrary code on the host — no credentials required.
- What is Langflow and who uses it?
  Langflow is an open-source platform for visually building LLM-powered applications and agent workflows. It's widely used by development teams building AI pipelines, RAG applications, and multi-agent systems — often running on cloud infrastructure or internal developer tooling servers that may be exposed to the internet.
- What should teams do if they're running a vulnerable Langflow version?
  Upgrade to Langflow 1.9.0 or later immediately, as this is the version that addresses CVE-2026-33017. If an immediate upgrade is not possible, restrict network access to Langflow's API endpoints at the firewall or reverse proxy level so only trusted hosts can reach the service. Audit server logs and running processes for unexpected miner processes or cron entries added after the vulnerability window.