"This is notable because no public PoC repository existed on GitHub at the time of the first attack. The advisory itself contained enough detail for attackers to construct a working exploit without additional research."
"Threat actors have been exploiting CVE-2026-33017 to steal keys and credentials required to access connected databases, potentially setting up for supply chain attacks."
Langflow, an open-source framework for AI agents, had a critical vulnerability (CVE-2026-33017) that allowed unauthenticated remote code execution. Released on March 17, version 1.8.1 included patches for this issue, which affected a POST endpoint enabling public flow creation without authentication. Attackers exploited this vulnerability shortly after its disclosure, using a single HTTP request to execute arbitrary Python code. Exploitation attempts were observed from multiple IPs, indicating organized efforts to steal credentials and potentially facilitate supply chain attacks.
Read at SecurityWeek
Unable to calculate read time
Collection
[
|
...
]