
Langflow Exploited in 20 Hours: The AI Framework Attack Surface

Langflow's critical RCE was weaponized in 20 hours. Combined with new LangChain and LangGraph CVEs, AI framework infrastructure is under active attack.

We spend a lot of time on this blog talking about malicious skills — poisoned instructions, tampered packages, cascading credential theft. These are real threats and they deserve the attention. But there’s a layer of risk underneath the skill supply chain that doesn’t get enough coverage: the frameworks and platforms that AI agents run on top of.

This week brought two reminders of why that layer matters.

Langflow: From Advisory to Exploitation in 20 Hours

On March 17, 2026, a critical vulnerability was disclosed in Langflow, the open-source visual framework for building AI agent workflows. Langflow has over 145,000 GitHub stars and is widely used across the AI development ecosystem for building RAG pipelines, chatbots, and agentic workflows.

The vulnerability, CVE-2026-33017 (CVSS 9.3), is an unauthenticated remote code execution flaw in the /api/v1/build_public_tmp/{flow_id}/flow endpoint. An attacker can execute arbitrary Python code on any exposed Langflow instance with a single HTTP POST request. No credentials required. No multi-step chain. One request.

Twenty hours after the advisory was published, Sysdig’s Threat Research Team observed the first exploitation attempts in the wild. No public proof-of-concept code existed yet. Attackers built working exploits directly from the advisory description.

Sysdig’s honeypot data captured a clear three-phase progression:

Phase 1 (hours 20-21): Automated scanning. Four source IPs sent identical payloads built from privately authored Nuclei templates: run the id command, base64-encode the output, and exfiltrate it to a callback server. The scanning was automated and at scale.

Phase 2 (hours 21-24): Custom exploitation. A second class of attackers appeared using custom Python scripts, progressing from directory listing and credential file enumeration to staging second-phase droppers from pre-positioned infrastructure.

Phase 3 (hours 24-30): Data harvesting. The most advanced operators dumped full environment variables, enumerated .db and .env files, and extracted application secrets — including database connection strings and API keys for connected AI services.
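If you had a Langflow instance behind a web server during that window, the first question is whether anyone reached the endpoint named in the advisory. The script below is an added example for this post, not Sysdig's honeypot tooling or Langflow code. It assumes the Nginx/Apache "combined" access-log format in front of Langflow; the log lines in SAMPLE_ACCESS_LOG are constructed for the demo, not captured traffic.

```python
"""Flag POST requests to the Langflow endpoint named in the advisory in access logs.

Added example, not Sysdig's or Langflow's code. Assumes "combined" log format;
SAMPLE_ACCESS_LOG is constructed, not real traffic.
"""
import re
import sys
from collections import Counter

VULN_PREFIX = "/api/v1/build_public_tmp/"   # endpoint path from the advisory text

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: two scanners, one custom script, one unrelated GET, one GET probe.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [18/Mar/2026:09:12:41 +0000] "POST /api/v1/build_public_tmp/3f1c2a9e-77b4-4a2e-9c1d-0b8f6e5a4d3c/flow HTTP/1.1" 200 512 "-" "Nuclei - Open-source project (github.com/projectdiscovery/nuclei)"
203.0.113.11 - - [18/Mar/2026:09:12:43 +0000] "POST /api/v1/build_public_tmp/3f1c2a9e-77b4-4a2e-9c1d-0b8f6e5a4d3c/flow HTTP/1.1" 200 512 "-" "python-requests/2.32.3"
198.51.100.7 - - [18/Mar/2026:09:15:02 +0000] "GET /api/v1/flows/ HTTP/1.1" 401 38 "-" "Mozilla/5.0"
203.0.113.10 - - [18/Mar/2026:09:16:20 +0000] "POST /api/v1/build_public_tmp/3f1c2a9e-77b4-4a2e-9c1d-0b8f6e5a4d3c/flow HTTP/1.1" 200 2048 "-" "curl/8.5.0"
192.0.2.5 - - [18/Mar/2026:09:20:00 +0000] "GET /api/v1/build_public_tmp/3f1c2a9e-77b4-4a2e-9c1d-0b8f6e5a4d3c/flow HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def find_build_requests(log_text: str) -> list:
    """Return every parsed POST whose path starts with the vulnerable endpoint prefix."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith(VULN_PREFIX):
            hits.append(rec)
    return hits


def summarize(hits: list) -> dict:
    """Per-source counts, distinct user agents, and how many requests got a 200 back."""
    return {
        "by_ip": Counter(h["ip"] for h in hits),
        "user_agents": sorted({h["ua"] for h in hits}),
        "successful": sum(1 for h in hits if h["status"] == "200"),
    }


if __name__ == "__main__":
    # Usage: python find_build_requests.py /var/log/nginx/access.log  (defaults to the sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_ACCESS_LOG
    hits = find_build_requests(text)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["status"]} {h["ua"]}')
    print(summarize(hits))
```

Every POST to that prefix in the exposure window deserves a look, and a 200 response is the signal that the request was processed rather than rejected; fan-out from several IPs with identical timing and a scanner user agent is the Phase 1 pattern, a single IP with a scripting or curl user agent is closer to Phase 2.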

CISA added CVE-2026-33017 to its Known Exploited Vulnerabilities catalog on March 25, giving federal agencies until April 8 to patch. This is the second Langflow RCE to make the KEV — CVE-2025-3248, a similar unauthenticated RCE flaw, was added in May 2025.

The same product. The same vulnerability class. Twice in less than a year.

LangChain and LangGraph: Three Classic Bugs, One AI Framework

Two days before CISA’s Langflow warning, security researcher Vladimir Tokarev at Cyera published “LangDrained” — documenting three vulnerabilities in LangChain and LangGraph, the most widely used AI framework family with approximately 847 million cumulative PyPI downloads.

Each vulnerability exposes a different class of data through a different classic attack technique:

CVE-2026-34070 (CVSS 7.5) — Path traversal in prompt loading. LangChain’s load_prompt() function accepts file paths from configuration without any validation. No canonicalization, no .. sequence checks, no base directory restriction. An attacker who controls a prompt template configuration can read arbitrary files from the server — Docker configs, Azure access tokens, SSH keys, .env files. A textbook CWE-22 path traversal, living in AI infrastructure.
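The defect class is easier to see side by side. The code below is an added example, not LangChain's load_prompt() implementation: it reproduces the pattern the paragraph describes (a configured path opened as-is) in a stand-alone function and shows the containment check that removes it. The directory layout, file names and the placeholder key in the .env file are constructed for the demo.

```python
"""Prompt-file loading without and with base-directory containment (CWE-22).

Added example; not LangChain's code. The temp directory layout is constructed.
"""
import os
import tempfile


def load_prompt_unvalidated(path: str) -> str:
    """The pattern the text describes: whatever path the config carries is opened."""
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def load_prompt_contained(base_dir: str, path: str) -> str:
    """Hardened: resolve symlinks and '..' first, then refuse anything outside base_dir."""
    base = os.path.realpath(base_dir)
    # os.path.join discards `base` when `path` is absolute, so realpath + commonpath
    # also catches '/etc/passwd'-style absolute paths, not only '..' sequences.
    target = os.path.realpath(os.path.join(base, path))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"prompt path escapes template directory: {path!r}")
    with open(target, encoding="utf-8") as fh:
        return fh.read()


def build_demo_tree():
    """Constructed layout: <root>/prompts/greeting.txt and a secret-bearing <root>/.env."""
    root = tempfile.mkdtemp(prefix="prompt-demo-")
    prompts = os.path.join(root, "prompts")
    os.mkdir(prompts)
    with open(os.path.join(prompts, "greeting.txt"), "w", encoding="utf-8") as fh:
        fh.write("Hello {name}, how can I help?")
    with open(os.path.join(root, ".env"), "w", encoding="utf-8") as fh:
        fh.write("OPENAI_API_KEY=sk-constructed-placeholder-not-a-real-key\n")
    return root, prompts


def demo() -> dict:
    """Run both loaders against a legitimate template and a traversal path."""
    _root, prompts = build_demo_tree()
    traversal = os.path.join("..", ".env")      # what attacker-controlled config would carry
    result = {
        "legit_unvalidated": load_prompt_unvalidated(os.path.join(prompts, "greeting.txt")),
        "leak_unvalidated": load_prompt_unvalidated(os.path.join(prompts, traversal)),
        "legit_contained": load_prompt_contained(prompts, "greeting.txt"),
    }
    try:
        load_prompt_contained(prompts, traversal)
        result["blocked"] = False
    except ValueError:
        result["blocked"] = True
    try:
        load_prompt_contained(prompts, os.path.join(_root, ".env"))   # absolute path variant
        result["absolute_blocked"] = False
    except ValueError:
        result["absolute_blocked"] = True
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The fix is the two-line realpath/commonpath check, not a search for the literal string ".."; the latter misses absolute paths and symlinks, both of which the hardened loader rejects.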

CVE-2025-68664 (CVSS 9.3) — Deserialization of untrusted data. A critical flaw that leaks API keys and environment secrets by tricking LangChain into interpreting input as an already-serialized LangChain object rather than regular user data. This is CWE-502 — a vulnerability class that has appeared in security textbooks for over a decade.

CVE-2025-67644 (CVSS 7.3) — SQL injection in LangGraph checkpoints. LangGraph’s SQLite checkpoint implementation allows attackers to manipulate SQL queries through metadata filter keys, enabling arbitrary SQL query execution against the conversation database. CWE-89 — SQL injection — arguably the most well-understood web vulnerability in existence.
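What makes the LangGraph bug worth a second look is where the injection enters: not through filter values, which are bound as parameters, but through the dictionary keys that become column names. The snippet below is an added example modelling that bug class against an in-memory SQLite table; it is not LangGraph's checkpoint code, and the schema, rows and allowlist are constructed for the demo.

```python
"""Metadata filters turned into SQL: key interpolation (CWE-89) beside a fixed version.

Added example, not LangGraph's code. Schema, rows and ALLOWED_KEYS are constructed.
"""
import re
import sqlite3

ALLOWED_KEYS = {"thread_id", "user_id", "source"}       # assumption: keys this app supports
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def seed_db() -> sqlite3.Connection:
    """Constructed conversation-checkpoint table with three users' data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE checkpoints (thread_id TEXT, user_id TEXT, source TEXT, payload TEXT)")
    conn.executemany(
        "INSERT INTO checkpoints VALUES (?, ?, ?, ?)",
        [
            ("t-1", "alice", "input", "alice: what is our Q3 pricing?"),
            ("t-2", "bob", "input", "bob: draft the merger memo"),
            ("t-3", "carol", "loop", "carol: summarize the customer list"),
        ],
    )
    return conn


def query_unsafe(conn, metadata_filter: dict) -> list:
    """Vulnerable: keys are pasted into the SQL text; only the values are bound."""
    where = " AND ".join(f"{key} = ?" for key in metadata_filter)
    sql = f"SELECT payload FROM checkpoints WHERE {where}"
    return [row[0] for row in conn.execute(sql, list(metadata_filter.values()))]


def query_safe(conn, metadata_filter: dict) -> list:
    """Fixed: every key must be on the allowlist and look like an identifier before use."""
    for key in metadata_filter:
        if key not in ALLOWED_KEYS or not IDENT_RE.match(key):
            raise ValueError(f"unsupported metadata filter key: {key!r}")
    where = " AND ".join(f'"{key}" = ?' for key in metadata_filter)
    sql = f"SELECT payload FROM checkpoints WHERE {where}"
    return [row[0] for row in conn.execute(sql, list(metadata_filter.values()))]


# The value is harmless; the key rewrites the WHERE clause while keeping one placeholder.
MALICIOUS_FILTER = {"1=1 OR user_id": "nobody"}
LEGIT_FILTER = {"user_id": "alice"}


def demo() -> dict:
    conn = seed_db()
    out = {
        "legit_unsafe": query_unsafe(conn, LEGIT_FILTER),
        "attack_unsafe": query_unsafe(conn, MALICIOUS_FILTER),
        "legit_safe": query_safe(conn, LEGIT_FILTER),
    }
    try:
        query_safe(conn, MALICIOUS_FILTER)
        out["attack_blocked"] = False
    except ValueError:
        out["attack_blocked"] = True
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Parameter binding protects values only; identifiers cannot be bound, so the only safe sources for a column name are an allowlist or a mapping from user-facing names to fixed SQL fragments. Quoting the identifier in the fixed version is defence in depth, not the fix itself.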

As The Hacker News reported, exploitation of these flaws gives attackers three independent paths to drain sensitive enterprise data: filesystem files, environment secrets, and conversation histories.

The irony is hard to miss. These aren’t novel AI-specific attack techniques. They’re path traversal, deserialization, and SQL injection — vulnerabilities that OWASP has been documenting since 2003. They’re living in the frameworks that power millions of AI deployments because the AI ecosystem is building faster than it’s auditing.

The Pattern: AI Infrastructure Inherits Classic Vulnerabilities

Langflow and LangChain aren’t isolated cases. They represent a structural pattern: AI frameworks adopt the same architectural decisions as traditional web applications (REST APIs, file loading, database persistence, serialization) and inherit the same vulnerability classes as a result.

What makes this particularly dangerous in the AI context is the data that flows through these systems:

  • Model API keys — stored in environment variables, readable through path traversal or deserialization attacks
  • Cloud credentials — for AWS, GCP, Azure, used by agents to access resources
  • Conversation histories — containing proprietary business logic, customer data, and internal discussions
  • RAG document stores — often containing confidential enterprise documents
  • Prompt templates — encoding institutional knowledge and business processes

A path traversal vulnerability in a traditional web app might expose a config file. The same vulnerability in an AI framework exposes the keys to every model provider, cloud service, and data store the agent touches. The blast radius is categorically larger.

Cyera’s framing is precise: “LangChain doesn’t exist in isolation. It sits at the center of a massive dependency web that stretches across the AI stack. When a vulnerability exists in LangChain’s core, it ripples outward through every downstream library, every wrapper, every integration that inherits the vulnerable code path.”

What This Means for Skill Security

If you’ve been following this blog, you know we focus on the skill supply chain — ensuring that the instructions and code loaded into your AI agent haven’t been tampered with and don’t contain malicious behavior. That work matters. But Langflow and LangChain illustrate a complementary threat that skill-level scanning can’t address.

Consider the attack surface in layers:

  1. The skill layer — the instructions and auxiliary code your agent loads. This is where ClawHavoc and SkillJect operate. Pre-publish scanning and dual-side verification protect this layer.

  2. The framework layer — LangChain, LangGraph, Langflow, and similar tools that provide the runtime environment for agent workflows. Vulnerabilities here can be exploited regardless of whether your skills are verified.

  3. The dependency layer — the transitive packages these frameworks pull in. This is where supply chain attacks like LiteLLM and Telnyx strike.

A verified skill running on a vulnerable Langflow instance is still compromised. The skill might be clean, but the platform it’s running on is executing attacker code. This isn’t a failure of skill verification — it’s a different threat at a different layer. And both layers need defense.

The Speed Problem

The most alarming aspect of CVE-2026-33017 isn’t the vulnerability itself — unauthenticated RCE flaws in web-facing applications are, unfortunately, common. It’s the timeline.

Twenty hours from advisory to exploitation. No public PoC required. Attackers built working exploits from the advisory text alone.

This fits a broader trend. Zero Day Clock data shows the median time-to-exploit has collapsed from 771 days in 2018 to hours in recent years. By 2023, 44% of exploited vulnerabilities were weaponized within 24 hours of disclosure. The median time for organizations to deploy patches is approximately 20 days.

That gap — hours to exploit, weeks to patch — is the window attackers operate in. For AI infrastructure specifically, the window is even more dangerous because:

  • Many Langflow and LangChain deployments are developer-managed, not enterprise-IT-managed
  • AI tools are often deployed quickly for experimentation and left running without formal patch management
  • The data these tools handle (API keys, cloud credentials, conversation logs) has immediate value to attackers

Sysdig’s observation that attackers progressed from scanning to credential harvesting within 30 hours means that any unpatched Langflow instance reachable from the internet on or after March 18 should be treated as potentially compromised.

Practical Takeaways

Patch your AI frameworks immediately. Langflow users should upgrade to version 1.9.0 or later. LangChain users should update langchain-core to 1.2.22 or later (the fix for CVE-2026-34070; the CVE-2025-68664 fix landed earlier, in 1.2.5, so 1.2.22 covers both). LangGraph users should update langgraph-checkpoint-sqlite to 3.0.1 or later (for CVE-2025-67644).

Don’t expose AI frameworks directly to the internet. Langflow, LangChain servers, and similar tools should sit behind authentication layers and network controls. CVE-2026-33017 exists specifically because an endpoint was publicly accessible by design. If your AI tools must be internet-facing, put them behind a reverse proxy with authentication.

Inventory your AI dependencies. Many organizations don’t know LangChain is in their stack; it is often a transitive dependency pulled in by another library. Run pip list | grep -i -E 'langchain|langgraph|langflow' in every environment where Python code runs, container images included (include langgraph in the search, since the checkpoint fix ships in a separate package). You can’t patch what you don’t know you’re running.
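A small audit script for that inventory step, added here as an example rather than anything from the post or from the projects themselves: it lists every installed package from the LangChain family and compares the three packages named above against the minimum fixed versions given in this post. It assumes the PyPI names langflow, langchain-core and langgraph-checkpoint-sqlite, and the SAMPLE_INVENTORY it checks by default is constructed; collect_installed() reads the real environment through importlib.metadata.

```python
"""Audit installed LangChain-family packages against the fixed versions this post lists.

Added example, not a vendor tool. FIXED holds the versions stated in the post;
SAMPLE_INVENTORY is a constructed environment used when no live scan is requested.
"""
import re
import sys
from importlib import metadata

# package -> (minimum fixed version, advisory), as given in the post
FIXED = {
    "langflow": ("1.9.0", "CVE-2026-33017"),
    "langchain-core": ("1.2.22", "CVE-2026-34070 / CVE-2025-68664"),
    "langgraph-checkpoint-sqlite": ("3.0.1", "CVE-2025-67644"),
}
FAMILY = ("langchain", "langgraph", "langflow")

SAMPLE_INVENTORY = {                       # constructed, not a real environment
    "langflow": "1.8.1",
    "langchain-core": "1.2.22",
    "langgraph-checkpoint-sqlite": "3.0.0",
    "requests": "2.32.3",
}


def normalize(name: str) -> str:
    """PEP 503 name normalization so 'LangChain_Core' and 'langchain-core' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_key(version: str) -> tuple:
    """Numeric release segments as ints; a suffix such as 'rc1' marks a pre-release (sorts lower)."""
    key = []
    for seg in version.split("."):
        m = re.match(r"^(\d+)(.*)$", seg)
        if not m:
            break
        key.append(int(m.group(1)))
        if m.group(2):
            key.append(-1)
            break
    return tuple(key)


def is_outdated(installed: str, minimum: str) -> bool:
    """True when installed < minimum. Integer tuples, so 1.2.5 ranks below 1.2.22."""
    a, b = version_key(installed), version_key(minimum)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def find_family(inventory: dict) -> list:
    """Every installed package whose normalized name starts with a LangChain-family prefix."""
    return sorted(name for name in inventory if name.startswith(FAMILY))


def audit(inventory: dict) -> list:
    """(package, installed, minimum, advisory) for each tracked package below its fix."""
    findings = []
    for name, (minimum, advisory) in FIXED.items():
        installed = inventory.get(name)
        if installed is not None and is_outdated(installed, minimum):
            findings.append((name, installed, minimum, advisory))
    return findings


def collect_installed() -> dict:
    """Normalized name -> version for the current interpreter's site-packages."""
    out = {}
    for dist in metadata.distributions():
        name = dist.metadata["Name"]
        if name:
            out[normalize(name)] = dist.version
    return out


if __name__ == "__main__":
    # Usage: python audit_langchain.py --live   (otherwise the constructed sample is used)
    inventory = collect_installed() if "--live" in sys.argv else SAMPLE_INVENTORY
    print("LangChain-family packages:", find_family(inventory) or "none")
    for name, installed, minimum, advisory in audit(inventory):
        print(f"UPGRADE {name} {installed} -> >= {minimum} ({advisory})")
```

Run it with --live inside each virtualenv, container image and CI runner; the default path exercises the constructed sample. Comparing versions as integer tuples is the one non-obvious piece: a string comparison would rank 1.2.5 above 1.2.22 and report a vulnerable langchain-core as patched.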

Rotate credentials if you were exposed. If you ran Langflow 1.8.1 or earlier with internet exposure during the week of March 17, rotate every credential that was accessible to the Langflow process — API keys, database connection strings, cloud credentials, and any secrets stored in environment variables or .env files.

Treat AI framework security as infrastructure security. AI tools deserve the same patch management, access controls, and monitoring as your databases and web servers. The data they handle is at least as sensitive.

The Bigger Picture

The AI security conversation is maturing. A year ago, the focus was almost entirely on model-level risks — jailbreaks, prompt injection, hallucination. Those are real concerns. But the incidents piling up in 2026 paint a more complete picture: the practical attack surface for AI systems includes every layer of the stack, from the skills agents load to the packages they depend on to the frameworks they run on.

Classic AppSec vulnerabilities in AI infrastructure aren’t a new threat category. They’re an old threat category in a new, high-value context. Path traversal reading your model API keys. SQL injection dumping your conversation histories. Deserialization leaking your cloud credentials. The bugs are familiar. The data they expose is not.

Skill verification, dependency scanning, and framework patching aren’t competing priorities. They’re layers of the same defense. Skip any one of them and you’ve left a door open.

Sources: