Last updated: July 5, 2026 at 9:01 AM UTC
Tag: langflow (4 articles)

AI agent runs an entire ransomware attack after breaking in through Langflow

Security firm Sysdig says it found what it believes is the first ransomware attack carried out from start to finish by an AI agent. The operator, which Sysdig calls JADEPUFFER, used a large language model to handle the whole job: breaking in, stealing credentials, moving through the network, then encrypting and wiping a company's production database. The way in was an old, already-patched flaw in Langflow, an open-source tool for building AI apps that is often left exposed online with cloud keys nearby. Once inside, the agent mapped the machine and swept it for secrets, including API keys for AI services and credentials for major cloud providers, before destroying data.

Check
Find any internet-exposed Langflow or similar AI application servers, confirm they are patched and off the internet, and check whether cloud or AI service credentials sit in environments those tools can read.
Affected
Organizations running exposed, unpatched Langflow servers, especially with cloud and AI service credentials nearby; attackers used the old flaw and an automated agent to steal secrets and ransom production databases.
Fix
Patch Langflow and never expose its code-running endpoints, keep secrets in a proper manager away from web-reachable tools, lock down outbound traffic and database admin access, and watch runtime behavior.

Attackers exploit unpatched Langflow flaw for unauthenticated code execution

VulnCheck reports that attackers are actively exploiting an unpatched flaw in Langflow, a popular open-source platform for building AI applications. The bug (CVE-2026-5027, rated 8.8) is a path-traversal weakness: the file-upload endpoint does not clean the supplied filename, so an attacker can use directory-climbing sequences to write files anywhere on the server, a foothold that leads to remote code execution. Tenable, which found it, says the maintainers did not respond after three contact attempts in early 2026, and there is still no official fix. Early exploitation appears to be probing, with attackers writing harmless test files, but that usually precedes heavier attacks.

Check
Identify any internet-facing Langflow instances, confirm the version, and review the server filesystem and web logs for unexpected files written via the /api/v2/files upload endpoint.
Affected
Internet-exposed Langflow deployments where the file-upload endpoint is reachable (CVE-2026-5027). No vendor patch is available yet, and active exploitation is already under way.
Fix
Until a fix ships, take Langflow off the public internet or place it behind authentication and a WAF that blocks path-traversal payloads, and restrict the upload endpoint.

CISA adds two to KEV: Langflow CVE-2025-34291 (Flodric botnet) and Trend Micro Apex One CVE-2026-34926 (directory traversal)

CISA has added two new entries to its Known Exploited Vulnerabilities catalog. CVE-2025-34291 is an origin-validation/CORS chain in Langflow, a popular open-source AI agent framework, that lets a malicious webpage exfiltrate refresh tokens and reach the code-validation endpoint for full RCE. Active exploitation began on January 23, 2026, and threat actors have been deploying the Flodric botnet through compromised instances. CVE-2026-34926 is a directory-traversal flaw in Trend Micro Apex One (On-Premise) that allows file read or write outside the intended path. FCEB agencies must remediate by June 11 per BOD 22-01; CISA urges all organisations to do the same.

Check
Inventory Langflow deployments and confirm the version is 1.9.3 or later (CVE-2025-34291 patched). Inventory Trend Micro Apex One On-Premise deployments and check the patch level for CVE-2026-34926.
Affected
Langflow before 1.9.3 (Flodric botnet seen exploiting in the wild). Trend Micro Apex One On-Premise (specific affected versions per Trend's KA-0023430 advisory). Internet-facing instances are at highest risk.
Fix
Upgrade Langflow to 1.9.3+ and Apex One per Trend Micro's KA-0023430. FCEB agencies must remediate by June 11. Restrict the affected admin consoles to management networks behind VPN.

Langflow AI platform RCE exploited within 20 hours of disclosure - no auth required (CVE-2026-33017)

Attackers didn't wait for a proof-of-concept. Within 20 hours of CVE-2026-33017 being disclosed in Langflow - an open-source AI workflow builder with 145K+ GitHub stars - they built working exploits straight from the advisory. One crafted HTTP POST to the public flow endpoint is all it takes, no credentials needed. Compromised instances leak API keys for OpenAI, AWS, and connected databases.

Check
Check if you run Langflow, especially any instances exposed to the internet.
Affected
Langflow <= 1.8.1.
Fix
Upgrade to Langflow 1.9.0. If you can't patch now, take instances offline or block the /api/v1/build_public_tmp endpoint.