
CISA’s Known Exploited Vulnerabilities catalog has long been reserved for enterprise stalwarts — Adobe, Apache, Microsoft. On July 7, 2026, Langflow broke that pattern. The visual AI workflow builder became the first AI agent orchestration platform ever added to KEV, with two actively exploited CVEs: one that gives attackers unauthenticated remote code execution, and one that lets them quietly drain LLM API keys from other users’ flows. Federal agencies had until July 10 to patch. If you run Langflow in production, you are not ahead of this.
What Langflow Is and Why Attackers Targeted It
Langflow is the dominant open-source platform for building visual AI pipelines — RAG applications, multi-agent workflows, LLM chains. With 149,000+ GitHub stars and over 15 million PyPI downloads, it runs in thousands of production environments. Enterprises use it precisely because it makes connecting LLMs, vector databases, and cloud services easy. That convenience has a cost: flow configurations embed API keys directly in JSON. OpenAI keys, Anthropic keys, AWS credentials, database connection strings — all sitting in flow files, on shared instances, often internet-accessible.
That is the attack surface. Attackers found it.
CVE-2026-33017: One POST Request, Full Server Compromise (CVSS 9.8)
Langflow’s public flow sharing feature allows flows to be built via /api/v1/build_public_tmp/{flow_id}/flow without authentication. The endpoint accepts an optional data parameter — intended for sharing flow configurations. The problem: when that parameter is supplied, the server uses the attacker’s data instead of the stored flow, and Langflow components are Python objects. Attacker-controlled Python code in node definitions goes directly to exec() with no sandboxing. One unauthenticated HTTP POST. Complete system compromise.
Exploitation began within 20 hours of public disclosure. Approximately 7,000 servers were attacked. The fix, shipped in Langflow 1.9.0, removes the data parameter from the endpoint entirely — stored flow only, no external input.
CVE-2026-55255: The Quieter Credential Thief
CVE-2026-55255 carries a lower CVSS score than the RCE, which meant some teams deprioritized it. They should not have. Sysdig’s analysis of the active campaign found this IDOR was more heavily used for credential harvesting precisely because it is stealthy.
The flaw is in helpers/flow.py: the get_flow_by_id_or_endpoint_name function fetches flows by UUID with no ownership check. An attacker with any authenticated Langflow account — including a free one — enumerates /api/v1/flows/ to collect all flow UUIDs across the instance, then replays those UUIDs at /api/v1/responses to execute any user’s flow. Attackers injected “leak api keys” prompts into hijacked flows and watched the credentials pour out. Fixed in 1.9.2.
What the Active Campaign Stole and Deployed
Between June 22 and 25, 2026, attackers chained both vulnerabilities in a sustained campaign documented by Sysdig. The RCE dumped process environment variables, capturing AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY directly. Those keys powered cloud reconnaissance: S3 bucket listing, EC2 enumeration, IAM identity probing, logging and cost service checks.
The RCE also deployed KeyHunter — a persistent NATS-based C2 worker installed under /opt/keyhunter-worker/ as a systemd service, configured to survive reboots on both x86_64 and aarch64 hosts. On a separate track, a Monero cryptominer was deployed: it runs a 39-entry rival-miner kill list, disables host security controls, and spreads via reused SSH keys. One exposed Langflow instance becomes a persistent, self-spreading botnet node.
The Bigger Picture: AI Infrastructure Is Now Primary Attack Surface
CISA does not add software to KEV casually. The Langflow entries are a formal signal: AI pipeline tools are critical infrastructure, and they will be treated accordingly. This is not an isolated incident. July 2026 has produced GuardFall (shell injection across AI coding agents), GhostApproval (approval dialog bypass enabling RCE), PraisonAI (nine CVEs, two CVSS 10.0), and the Friendly Fire attack pattern against AI code reviewers — all within the same month.
The pattern is clear. Credentials embedded in AI workflows, agents with broad system permissions, and internet-exposed orchestration platforms are the new frontier for opportunistic attackers. If you are building on AI infrastructure, its security posture is now your security posture.
What to Do Now
- Update Langflow to 1.9.2 or later immediately. This fixes both CVEs. Run
pip install --upgrade langflow, pull the latest Docker image, or use the Desktop app’s in-app updater. - Rotate every credential embedded in any flow — even with no evidence of breach. LLM provider keys (OpenAI, Anthropic, Cohere), AWS access keys, database connection strings, vector DB API keys. The IDOR allowed stealthy access; absence of logs does not mean absence of exploitation.
- Audit flow permissions. Review which users have access to shared flows. Minimize shared instance exposure wherever possible.
- Check for KeyHunter artifacts. Look for
/opt/keyhunter-worker/, unexpected systemd services, outbound connections to45.192.109.25:14222, and unexpected miner processes. - Tighten egress from Langflow hosts. AI tooling should only reach specific LLM endpoints and databases — not the open internet.
CVSS scores are a starting point, not a triage strategy. CVE-2026-55255’s lower score made it look less urgent. Attackers preferred it for exactly that reason. CISA’s order is unambiguous: patch both, rotate everything, and do it today. Your Langflow flows are credential stores. Start treating them that way.













