Trend Micro — CVE-2026-33017 Langflow RCE Weaponized for Monero Mining on AI Servers

AI relevance: Langflow is a popular open-source framework for building AI agent workflows; exposed instances are now being weaponized as initial-access vectors into enterprise AI infrastructure.

Key Findings

  • CVE-2026-33017 (CVSS 9.3) is an unauthenticated remote code execution flaw in Langflow that allows attackers to execute arbitrary Python code via a single API endpoint
  • Trend Micro observed a 19-day exploitation window (March 27 – April 15, 2026) targeting internet-exposed Langflow instances
  • The attack chain: one line of Python → shell script dropper → lambsys Go binary → custom XMRig Monero miner
  • The malware kills competing miners (Kinsing, WatchDog, Rocke, Outlaw), deletes rival wallet keys, and disables security controls including AppArmor, UFW, iptables, and SELinux
  • lambsys forks 51 short-lived sh -c subprocesses for reliability — if one pkill fails, the other 50 continue
  • The miner spreads laterally via reused SSH keys, turning a single exposed Langflow instance into a pathway for broader network compromise
  • Geo-aware payload: the binary queries ipinfo.io to select nearby mining pools and enforce geo-fencing
  • Artifact analysis shows the malware family has been under active development since at least May 2024

Why It Matters

Langflow sits at the intersection of AI experimentation and production deployment. Teams spinning up proof-of-concept agent workflows often expose instances publicly without authentication (AUTO_LOGIN=false is not the default). This CVE demonstrates that AI infrastructure is no longer a theoretical attack surface — it's being actively scanned and exploited for commodity cryptomining, with lateral movement capabilities that can compromise entire SSH trust networks.

What To Do

  • Update immediately: Langflow 1.9.0+ patches CVE-2026-33017
  • Restrict access: Never expose Langflow to the public internet; use VPN or IP allowlisting
  • Disable auto-login: Set AUTO_LOGIN=false in all environments
  • Audit SSH keys: If you find lambsys artifacts, treat all SSH keys as compromised and rotate them across your entire infrastructure
  • Monitor for indicators: Check for lambsys processes, unexpected cron entries, and outbound connections to 83.142.209[.]214:80
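The process and network checks from the last item can be scripted. This is an added example, not code from Trend Micro or the Langflow project; it parses `ps -eo pid,ppid,comm,args` and `ss -tn` output for the lambsys process name, its `sh -c` children and the address listed above. The sample input is constructed, and its paths, PIDs and pkill arguments are placeholders.

```python
import re
from collections import Counter

# Indicators from the page; the address is kept defanged and refanged only for matching.
C2_DEFANGED = "83.142.209[.]214:80"
MALWARE_COMM = "lambsys"

def refang(ioc):
    return ioc.replace("[.]", ".")

def scan_processes(ps_text):
    """Parse `ps -eo pid,ppid,comm,args` output.
    Returns (sorted lambsys PIDs, {lambsys pid: count of `sh -c` children})."""
    rows = []
    for line in ps_text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 3 or not (parts[0].isdigit() and parts[1].isdigit()):
            continue  # header or malformed line
        rows.append((int(parts[0]), int(parts[1]), parts[2], parts[3] if len(parts) > 3 else ""))
    hits = {pid for pid, _, comm, _ in rows if comm == MALWARE_COMM}
    children = Counter(ppid for _, ppid, _, args in rows
                       if ppid in hits and re.match(r"(\S*/)?sh\s+-c\b", args))
    return sorted(hits), dict(children)

def scan_connections(ss_text):
    """Parse `ss -tn` output; return lines whose peer address is the listed endpoint."""
    c2 = refang(C2_DEFANGED)
    out = []
    for line in ss_text.splitlines():
        fields = line.split()  # State Recv-Q Send-Q Local Peer [Process]
        if len(fields) >= 5 and fields[4] == c2:
            out.append(line.strip())
    return out

# Constructed sample data (not captured from a real host); paths and PIDs are placeholders.
SAMPLE_PS = ("  PID  PPID COMMAND  COMMAND\n"
             " 4021     1 lambsys  /placeholder/path/lambsys\n"
             + "".join(f" {5000 + i}  4021 sh       sh -c pkill -9 placeholder-miner\n" for i in range(51))
             + " 7001     1 sshd     /usr/sbin/sshd -D\n")
SAMPLE_SS = ("State  Recv-Q Send-Q Local Address:Port  Peer Address:Port\n"
             "ESTAB  0      0      10.0.0.5:51234      " + refang(C2_DEFANGED) + "\n"
             "ESTAB  0      0      10.0.0.5:22         10.0.0.9:40122\n")

if __name__ == "__main__":
    pids, kids = scan_processes(SAMPLE_PS)
    print("lambsys PIDs:", pids, "| sh -c children:", kids)
    print("Connections to listed endpoint:", scan_connections(SAMPLE_SS))
```

Because the sh -c subprocesses are short-lived, a single ps snapshot can miss them; the same parent/child match applies to process-execution audit logs where those are collected.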
