CISA adds Langflow and Trivy bugs to KEV Catalog


Langflow Code Injection Flaw Actively Exploited — CVE-2026-33017

CISA has added a critical code injection vulnerability in Langflow to its Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. This is the second Langflow flaw to hit KEV in under a year — CVE-2025-3248 made the list in May 2025 — and this one landed fast.

CVE Details

  • CVE ID: CVE-2026-33017
  • CVSS Score: 9.3 (Critical)
  • Affected Versions: Langflow prior to v1.9.0
  • CWEs: CWE-94 (Code Injection), CWE-95 (Eval Injection), CWE-306 (Missing Authentication for Critical Function)
  • KEV Added: March 25, 2026
  • Federal Remediation Deadline: April 8, 2026

Vulnerability Mechanics

The flaw resides in the POST /api/v1/build_public_tmp/{flow_id}/flow endpoint, which is designed to be unauthenticated because it serves public flows. When an optional data parameter is supplied, the endpoint accepts attacker-controlled flow data containing arbitrary Python code in node definitions. This code is passed directly to exec() with zero sandboxing, resulting in unauthenticated remote code execution.

Security researcher Aviral Srivastava, who discovered and reported the flaw on February 26, 2026, noted that this vulnerability is distinct from CVE-2025-3248, which abused the /api/v1/validate/code endpoint. The root cause, however, is the same: an unchecked exec() call at the end of the chain.

The researcher also called out why a simple auth fix doesn’t work here: the endpoint is designed to be unauthenticated to support public flows. The real fix is removing the data parameter from the public endpoint entirely, so public flows can only execute stored server-side flow data and never accept attacker-supplied definitions.

Exploitation Timeline

The vulnerability was weaponized within 20 hours of public disclosure — a window that makes standard enterprise patch cycles nearly irrelevant. This aligns with a pattern called out in Rapid7’s 2026 Global Threat Landscape Report: the median time from vulnerability publication to KEV inclusion has dropped from 8.5 days to five days, while the median time for organizations to deploy patches remains approximately 20 days.

Attack Surface Context

Langflow is an open-source, low-code platform for building multi-agent AI and LLM workflows. Because Langflow often integrates with APIs, databases, and internal services, a single compromised instance could act as an entry point into broader enterprise environments. Any internet-exposed Langflow instance running below v1.9.0 is a standing RCE surface.

Detection & Remediation

  • Upgrade immediately to Langflow v1.9.0 or later
  • Audit environment variables and secrets on any publicly exposed Langflow instance
  • Rotate API keys, database passwords, and OAuth tokens as a precaution
  • Monitor for unexpected outbound connections from Langflow hosts
  • Review logs for anomalous POST requests to /api/v1/build_public_tmp/ endpoints
  • If patching is not immediately possible, CISA recommends following BOD 22-01 guidance for cloud services or discontinuing use of the product until a verified fix is deployed
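
For the log review step above, the following is an added example (not code from Langflow or CISA) that groups POST requests to the build_public_tmp endpoint by client address. It assumes a reverse proxy writing combined-format access logs and a hypothetical allowlist of trusted networks; the format records no request bodies, so hits are candidates for review rather than confirmed exploitation.

```python
import ipaddress
import re
from collections import defaultdict

# Combined log format: ip - user [time] "METHOD path PROTO" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+(?: "[^"]*" "(?P<ua>[^"]*)")?')
# Endpoint named in the advisory: POST /api/v1/build_public_tmp/{flow_id}/flow
ENDPOINT_RE = re.compile(r'^/api/v1/build_public_tmp/(?P<flow_id>[^/?]+)/flow(?:\?|$)')

def is_trusted(ip, nets):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # not an IP literal: keep it in the review set
    return any(addr in net for net in nets)

def triage(lines, trusted_nets=()):
    """Return POSTs to the public build endpoint, grouped by untrusted client IP."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]  # hypothetical allowlist
    hits = defaultdict(lambda: {"count": 0, "flow_ids": set(), "statuses": set(), "agents": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        ep = ENDPOINT_RE.match(m["path"])
        if not ep or is_trusted(m["ip"], nets):
            continue
        h = hits[m["ip"]]
        h["count"] += 1
        h["flow_ids"].add(ep["flow_id"])
        h["statuses"].add(int(m["status"]))
        h["agents"].add(m["ua"] or "-")
        h.setdefault("first_seen", m["ts"])  # timestamp of the first matching request
    return sorted(({"ip": ip, **h} for ip, h in hits.items()),
                  key=lambda r: (-r["count"], r["ip"]))

# Constructed sample lines (documentation IP ranges, made-up flow IDs).
SAMPLE_LOG = """\
203.0.113.7 - - [18/Mar/2026:02:14:09 +0000] "POST /api/v1/build_public_tmp/flow-a/flow HTTP/1.1" 200 512 "-" "python-requests/2.31.0"
203.0.113.7 - - [18/Mar/2026:02:14:11 +0000] "POST /api/v1/build_public_tmp/flow-b/flow HTTP/1.1" 500 87 "-" "python-requests/2.31.0"
10.0.4.12 - - [18/Mar/2026:02:15:00 +0000] "POST /api/v1/build_public_tmp/flow-a/flow HTTP/1.1" 200 498 "-" "Mozilla/5.0"
198.51.100.23 - - [18/Mar/2026:02:16:30 +0000] "GET /api/v1/build_public_tmp/flow-a/flow HTTP/1.1" 405 31 "-" "curl/8.5.0"
198.51.100.23 - - [18/Mar/2026:02:16:31 +0000] "POST /api/v1/login HTTP/1.1" 401 44 "-" "curl/8.5.0"
198.51.100.99 - - [18/Mar/2026:03:01:45 +0000] "POST /api/v1/build_public_tmp/flow-a/flow?x=1 HTTP/1.1" 200 530 "-" "Go-http-client/1.1"
"""

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG.splitlines(), trusted_nets=["10.0.0.0/8"]):
        print(row)
```

Clients that touch several flow IDs, or that produce 5xx responses from this endpoint, are the first rows to correlate with outbound-connection data from the same host.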

Aqua Security Trivy Supply Chain Compromise — CVE-2026-33634

CISA added a supply chain compromise affecting Aqua Security’s Trivy vulnerability scanner to the KEV catalog on March 26, 2026. This is a different category of risk — an attacker compromising the tool that’s supposed to find the attackers.

CVE Details

  • CVE ID: CVE-2026-33634
  • Vendor: Aqua Security
  • Product: Trivy (open-source vulnerability scanner)
  • Affected Versions: 0.45.0 through 0.48.2
  • Patched Version: 0.48.3 (released March 20, 2026)
  • KEV Added: March 26, 2026
  • Federal Remediation Deadline: April 16, 2026

Vulnerability Mechanics

Aqua Security Trivy contains an embedded malicious code vulnerability that could allow an attacker to gain access to everything in the CI/CD environment, including all tokens, SSH keys, cloud credentials, database passwords, and any sensitive configuration in memory.

CISA notes this vulnerability involves a supply-chain compromise in a product that may be used across multiple products and environments, and that additional vendor-provided guidance must be followed to ensure full remediation.

This is not a conventional code flaw. The classification as embedded malicious code — rather than a buffer overflow or injection — indicates the concern is integrity of the tool itself, not just a logic error in how it processes input.

Why This Matters Beyond the CVE

As an open-source vulnerability scanner maintained by Aqua Security, Trivy has become a de facto standard for container security scanning, integrating with Kubernetes, Docker, GitHub Actions, and GitLab CI/CD. That ubiquity is precisely what makes this entry significant.

Tooling that developers rely on to inspect code, containers, and dependencies can itself become part of the attack surface, raising the stakes for build pipelines, CI/CD workflows, and artifact scanning environments. Organizations typically deploy vulnerability scanners with elevated trust — they often run with broad read access to secrets, registries, and infrastructure APIs. A compromised scanner doesn’t just skip finding vulnerabilities; it becomes the threat actor’s foothold.

Following the KEV addition, 44 Aqua Security repositories were defaced in connection with the Trivy supply chain breach — confirming this isn’t a theoretical risk.

Detection & Remediation

  • Upgrade Trivy immediately to v0.48.3 or later
  • Treat any system where Trivy v0.45.0–v0.48.2 ran as potentially compromised — assume credential theft
  • Rotate all CI/CD secrets, cloud credentials, SSH keys, and database passwords exposed to Trivy during the affected version window
  • Audit outbound network connections from build pipeline hosts during the affected window
  • Review artifact integrity — any scanner output from the affected versions should be treated as untrustworthy
  • Organizations using open-source security tools must establish processes for actively tracking security advisories across all their dependencies rather than relying on vendor notifications
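
To scope the rotation and audit steps above, the following added example (not Aqua Security or CISA tooling) scans pipeline definitions for Trivy image tags and release asset names and classifies each against the affected range given in this article. The sample CI file and the mirror URL are constructed; references with no resolvable version are reported as unknown so that what actually ran can be checked by hand.

```python
import re

# Affected range as stated in this article: 0.45.0 through 0.48.2.
AFFECTED_MIN, AFFECTED_MAX = (0, 45, 0), (0, 48, 2)

# A Trivy image reference (Docker Hub or GHCR) with optional tag, or a release asset name.
REF_RE = re.compile(
    r'(?:(?:ghcr\.io/aquasecurity|aquasec)/trivy(?::(?P<tag>[\w.\-]+))?(?![\w/\-])'
    r'|trivy_(?P<asset>\d+\.\d+\.\d+)_)')

def classify(tag):
    """Map a tag or version string to affected / outside-range / unknown."""
    m = re.match(r'v?(\d+)\.(\d+)\.(\d+)', tag or "")
    if not m:
        return "unknown"  # latest, digest pin or no tag: version not visible in the text
    version = tuple(int(part) for part in m.groups())
    return "affected" if AFFECTED_MIN <= version <= AFFECTED_MAX else "outside-range"

def scan(text):
    """Return (line number, reference, status) for every Trivy reference in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in REF_RE.finditer(line):
            ref = m.group(0).rstrip("_")
            findings.append((lineno, ref, classify(m["tag"] or m["asset"])))
    return findings

# Constructed pipeline definition for illustration only.
SAMPLE_CI = """\
scan-image:
  image: aquasec/trivy:0.48.1
  script: trivy image app:latest
scan-fs:
  image: ghcr.io/aquasecurity/trivy:0.48.3
nightly:
  image: aquasec/trivy:latest
install:
  script: curl -sSLO https://example.invalid/mirror/trivy_0.45.0_Linux-64bit.tar.gz
db:
  image: ghcr.io/aquasecurity/trivy-db:2
"""

if __name__ == "__main__":
    for lineno, ref, status in scan(SAMPLE_CI):
        print(f"line {lineno}: {ref} -> {status}")
```

Run it over the pipeline file as it existed during the affected window (from version control history), not only the current revision, since a later pin bump hides what ran earlier.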
