Twenty hours. That's how long it took attackers to start exploiting CVE-2026-33017, a critical unauthenticated remote code execution flaw in Langflow, the open-source visual builder a lot of teams use to prototype LLM agents and RAG pipelines. Once in, they weren't just poking around — they were dropping Monero miners, disabling host security controls, and harvesting SSH keys for lateral movement.
The bug is almost boring, which is the point
The vulnerable endpoint, POST /api/v1/build_public_tmp/{flow_id}/flow, takes an attacker-controlled code field and evaluates it as Python directly on the server, with no authentication check. CVSS 9.3. That alone would be bad. What makes it worse is that Langflow ships with AUTO_LOGIN enabled by default, which silently grants any unauthenticated visitor a superuser token and the ability to create a public flow on demand — exactly the access needed to reach the vulnerable endpoint. The default config is the exploit chain's first step.
This affects every Langflow version before 1.9.0.
What the attackers actually did with it
Trend Micro and reporting from The Hacker News describe a 19-day campaign against exposed Langflow instances: XMRig-based Monero mining, disabled security tooling, persistence mechanisms to survive reboots, and SSH key harvesting to pivot beyond the single compromised box. That last part is what turns a nuisance into an incident — a Langflow server nobody was watching becomes a foothold into the rest of the network.
Why AI tooling keeps doing this
This isn't really about Langflow being sloppier than other software. Agent-orchestration frameworks get stood up fast, often by data science or product teams outside the usual security review process, and the defaults are tuned to minimize setup friction for a developer trying to get a demo running — not to minimize attack surface. Auto-login and code-execution-as-a-feature are convenient right up until the server is reachable from the internet, which happens more often than anyone plans for.
Expect more of this. Langflow, adjacent agent-orchestration tools, and vector databases are new enough that they haven't been through the years of adversarial pressure that hardened traditional web frameworks.
Fix it now, not on the next patch cycle
Upgrade to Langflow 1.9.0 or later, set AUTO_LOGIN=false, and get the instance off the public internet — behind a VPN or an authenticated reverse proxy, not directly exposed. Check the service account Langflow runs under and cut its privileges if they're broader than needed. Then look for signs it's already too late: unexpected CPU load, unfamiliar cron jobs or systemd services, and SSH keys in authorized_keys you don't recognize.
If your org has adopted Langflow or anything like it, put it in the same vulnerability scanning and exposure-management rotation as everything else — the mistake isn't running the tool, it's treating "AI infrastructure" as a category that doesn't need the same scrutiny as a normal exposed service.