Langflow CVE-2026-33017: CISA’s First AI Agent in KEV CISA added Langflow to its Known Exploited Vulnerabilities catalog on July 7, 2026, marking the first AI agent orchestration platform in KEV after two actively exploited vulnerabilities were discovered. The flaws, CVE-2026-33017 (unauthenticated RCE) and CVE-2026-55255 (credential theft via IDOR), enabled attackers to compromise over 7,000 servers, steal API keys, deploy cryptominers, and establish persistent C2 infrastructure. Federal agencies were ordered to patch by July 10, highlighting the growing attack surface of AI infrastructure. CISA’s Known Exploited Vulnerabilities catalog has long been reserved for enterprise stalwarts — Adobe, Apache, Microsoft. On July 7, 2026, Langflow broke that pattern. The visual AI workflow builder became the first AI agent orchestration platform ever added to KEV, with two actively exploited CVEs: one that gives attackers unauthenticated remote code execution, and one that lets them quietly drain LLM API keys from other users’ flows. Federal agencies had until July 10 to patch. If you run Langflow in production, you are not ahead of this. What Langflow Is and Why Attackers Targeted It Langflow is the dominant open-source platform for building visual AI pipelines — RAG applications, multi-agent workflows, LLM chains. With 149,000+ GitHub stars and over 15 million PyPI downloads, it runs in thousands of production environments. Enterprises use it precisely because it makes connecting LLMs, vector databases, and cloud services easy. That convenience has a cost: flow configurations embed API keys directly in JSON. OpenAI keys, Anthropic keys, AWS credentials, database connection strings — all sitting in flow files, on shared instances, often internet-accessible. That is the attack surface. Attackers found it. CVE-2026-33017: One POST Request, Full Server Compromise CVSS 9.8 Langflow’s public flow sharing feature allows flows to be built via /api/v1/build public tmp/{flow id}/flow without authentication. The endpoint accepts an optional data parameter — intended for sharing flow configurations. The problem: when that parameter is supplied, the server uses the attacker’s data instead of the stored flow, and Langflow components are Python objects. Attacker-controlled Python code in node definitions goes directly to exec with no sandboxing. One unauthenticated HTTP POST. Complete system compromise. Exploitation began within 20 hours of public disclosure. Approximately 7,000 servers were attacked. The fix, shipped in Langflow 1.9.0, removes the data parameter from the endpoint entirely — stored flow only, no external input. CVE-2026-55255: The Quieter Credential Thief CVE-2026-55255 carries a lower CVSS score than the RCE, which meant some teams deprioritized it. They should not have. Sysdig’s analysis https://www.sysdig.com/blog/understanding-langflow-cve-2026-55255-and-why-higher-cvss-vulnerabilities-arent-always-the-most-exploited of the active campaign found this IDOR was more heavily used for credential harvesting precisely because it is stealthy. The flaw is in helpers/flow.py : the get flow by id or endpoint name function fetches flows by UUID with no ownership check. An attacker with any authenticated Langflow account — including a free one — enumerates /api/v1/flows/ to collect all flow UUIDs across the instance, then replays those UUIDs at /api/v1/responses to execute any user’s flow. Attackers injected “leak api keys” prompts into hijacked flows and watched the credentials pour out. Fixed in 1.9.2. What the Active Campaign Stole and Deployed Between June 22 and 25, 2026, attackers chained both vulnerabilities in a sustained campaign documented by Sysdig. The RCE dumped process environment variables, capturing AWS ACCESS KEY ID and AWS SECRET ACCESS KEY directly. Those keys powered cloud reconnaissance: S3 bucket listing, EC2 enumeration, IAM identity probing, logging and cost service checks. The RCE also deployed KeyHunter — a persistent NATS-based C2 worker installed under /opt/keyhunter-worker/ as a systemd service, configured to survive reboots on both x86 64 and aarch64 hosts. On a separate track, a Monero cryptominer was deployed: it runs a 39-entry rival-miner kill list, disables host security controls, and spreads via reused SSH keys. One exposed Langflow instance becomes a persistent, self-spreading botnet node. The Bigger Picture: AI Infrastructure Is Now Primary Attack Surface CISA does not add software to KEV casually. https://www.cisa.gov/known-exploited-vulnerabilities-catalog The Langflow entries are a formal signal: AI pipeline tools are critical infrastructure, and they will be treated accordingly. This is not an isolated incident. July 2026 has produced GuardFall shell injection across AI coding agents , GhostApproval approval dialog bypass enabling RCE , PraisonAI nine CVEs, two CVSS 10.0 , and the Friendly Fire attack pattern against AI code reviewers — all within the same month. The pattern is clear. Credentials embedded in AI workflows, agents with broad system permissions, and internet-exposed orchestration platforms are the new frontier for opportunistic attackers. If you are building on AI infrastructure, its security posture is now your security posture. What to Do Now Update Langflow to 1.9.2 or later immediately. This fixes both CVEs. Run pip install --upgrade langflow , pull the latest Docker image, or use the Desktop app’s in-app updater. Rotate every credential embedded in any flow — even with no evidence of breach. LLM provider keys OpenAI, Anthropic, Cohere , AWS access keys, database connection strings, vector DB API keys. The IDOR allowed stealthy access; absence of logs does not mean absence of exploitation. Audit flow permissions. Review which users have access to shared flows. Minimize shared instance exposure wherever possible. Check for KeyHunter artifacts. Look for /opt/keyhunter-worker/ , unexpected systemd services, outbound connections to 45.192.109.25:14222 , and unexpected miner processes. Tighten egress from Langflow hosts. AI tooling should only reach specific LLM endpoints and databases — not the open internet. CVSS scores are a starting point, not a triage strategy. CVE-2026-55255’s lower score made it look less urgent. Attackers preferred it for exactly that reason. CISA’s order is unambiguous https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-prioritize-patching-langflow-auth-bypass-flaw/ : patch both, rotate everything, and do it today. Your Langflow flows are credential stores. Start treating them that way.