On March 15, 2025, security researchers detected active exploitation of CVE-2026-33017, a critical remote code execution vulnerability in Langflow, a popular low-code framework for building AI workflows. Attackers used the flaw to deploy Monero cryptocurrency miners on enterprise AI servers. The vulnerability affects all Langflow versions prior to 1.9.0 and carries a CVSS v3.1 score of 9.8.
The attack pattern is straightforward: Langflow's default configuration enables AUTO_LOGIN mode, which allows unauthenticated access to the administrative interface. Combined with unsafe processing of Python expressions in workflow definitions, attackers can execute arbitrary code without credentials. Within hours of gaining access, they deployed mining payloads that consumed GPU resources intended for AI workloads.
Attack Timeline
March 15, 2025, 08:00 UTC: First exploitation attempts detected against internet-facing Langflow instances running versions 1.8.x and earlier.
March 15, 2025, 14:30 UTC: Security teams report unusual GPU utilization patterns on AI development servers. Investigation reveals Monero mining processes running under the Langflow service account.
March 15, 2025, 18:00 UTC: Researchers confirm the attack vector: unauthenticated RCE via malicious Python expressions submitted through the workflow API.
March 16, 2025, 02:00 UTC: Langflow maintainers release version 1.9.0 with patches for the expression parsing vulnerability and disabled AUTO_LOGIN by default.
March 18, 2025: Evidence emerges of lateral movement from compromised Langflow servers to adjacent systems using stolen credentials from environment variables and configuration files.
Control Failures
Authentication bypass: The AUTO_LOGIN feature shipped enabled by default, violating the principle of secure defaults. No password, API key, or session token was required to access the administrative interface.
Input validation: The workflow engine accepted and executed arbitrary Python expressions without sanitization or sandboxing. User-supplied code ran with the same privileges as the Langflow process itself.
Network segmentation: AI development servers sat on the same network segment as production data stores, allowing attackers to pivot after initial compromise.
Change management: Organizations deployed Langflow directly from container registries without security review, code inspection, or configuration hardening.
Monitoring gaps: Teams tracked AI model performance metrics but not system-level indicators like unexpected process spawns, network connections to mining pools, or GPU utilization outside normal training windows.
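The input-validation failure above, shown as an added example that is not Langflow's code: a workflow expression handed to eval() beside an allow-list interpreter that accepts only literals, declared input names, arithmetic and comparisons. The function names, the accepted operator set and the length bound are this example's choices, not anything the article or the project specifies.

```python
import ast
import operator

# Pattern the article describes as the failure: the expression text runs with the
# interpreter's full capabilities, under the Langflow process's own privileges.
def evaluate_unsafe(expr, variables):
    return eval(expr, {}, dict(variables))

# Hardened pattern: an allow-list interpreter over the parsed AST. Only literals,
# declared input names, basic arithmetic and comparisons are accepted; calls,
# attribute access, subscripts, comprehensions and power (CPU blow-up) are rejected.
_BINARY = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
           ast.Div: operator.truediv, ast.Mod: operator.mod}
_COMPARE = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
            ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge}

class UnsafeExpression(ValueError):
    """Raised when an expression uses a construct outside the allow-list."""

def evaluate_safe(expr, variables, max_len=200):
    """Evaluate a workflow expression against declared inputs or raise UnsafeExpression."""
    if len(expr) > max_len:               # bound parser work on hostile input
        raise UnsafeExpression("expression too long")
    tree = ast.parse(expr, mode="eval")   # one expression only, no statements
    return _eval_node(tree.body, variables)

def _eval_node(node, variables):
    if isinstance(node, ast.Constant) and isinstance(node.value, (bool, int, float, str)):
        return node.value
    if isinstance(node, ast.Name):        # only names the workflow declared as inputs
        if node.id not in variables:
            raise UnsafeExpression(f"unknown name {node.id!r}")
        return variables[node.id]
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        return -_eval_node(node.operand, variables)
    if isinstance(node, ast.BinOp) and type(node.op) in _BINARY:
        return _BINARY[type(node.op)](_eval_node(node.left, variables),
                                      _eval_node(node.right, variables))
    if isinstance(node, ast.Compare) and len(node.ops) == 1 and type(node.ops[0]) in _COMPARE:
        return _COMPARE[type(node.ops[0])](_eval_node(node.left, variables),
                                           _eval_node(node.comparators[0], variables))
    raise UnsafeExpression(f"disallowed construct {type(node).__name__}")

def is_allowed(expr, variables):
    """True when the expression evaluates under the allow-list, False when it is rejected."""
    try:
        evaluate_safe(expr, variables)
        return True
    except (UnsafeExpression, SyntaxError):
        return False
```

The allow-list is deliberately small: a workflow that needs string formatting or function calls should get those as named, reviewed operations rather than a wider grammar.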
Compliance Requirements
PCI DSS v4.0.1 Requirement 6.3.2 mandates that custom software be developed based on industry standards and incorporate information security throughout the software development lifecycle. This includes reviewing code for security vulnerabilities before deployment. Organizations subject to PCI DSS cannot deploy AI tools that process cardholder data without this review.
OWASP ASVS v4.0.3, Verification Requirement 5.2.1 states: "Verify that the application sanitizes, disables, or sandboxes user-supplied Scalable Vector Graphics (SVG) scriptable content, especially as they relate to XSS resulting from inline scripts, and foreignObject." While SVG-specific, the principle applies to any user-controlled code execution, including Python expressions in AI workflows. The requirement calls for sandboxing, which Langflow lacked.
ISO 27001 Control 8.2 (Privileged access rights) requires that allocation and use of privileged access rights be restricted and controlled. Running an AI framework with default administrative access enabled violates this control. The standard requires explicit authentication before granting privileged capabilities.
NIST CSF v2.0 function PR.AC-4 (Access permissions and authorizations are managed) maps directly to this failure. The framework expects organizations to enforce least privilege and disable default credentials—both absent in the default Langflow configuration.
SOC 2 Type II Common Criteria CC6.1 (logical and physical access controls restrict access to authorized users) requires documented access controls for all systems processing customer data. AI infrastructure that handles customer information for model training or inference must enforce authentication, not ship with open administrative access.
Lessons and Action Items
Inventory your AI infrastructure today. You cannot secure what you do not know exists. Survey your environment for Langflow, LangChain servers, Jupyter notebooks, MLflow instances, and other AI development tools. Document which versions are running, who deployed them, and what data they can access.
Disable AUTO_LOGIN and enforce authentication. For Langflow specifically, set LANGFLOW_AUTO_LOGIN=false in your environment configuration. Require API keys for programmatic access and session-based authentication for web interfaces. Apply this principle to all AI tools—no unauthenticated admin access, period.
Segment AI workloads from production networks. Place AI development and training environments on isolated network segments with strict firewall rules. If an attacker compromises an AI server, they should not be able to pivot to your production database or customer data stores without crossing multiple security boundaries.
Add AI deployments to your change management process. Treat AI infrastructure like any other system that processes sensitive data. Before deploying a new AI framework, require: security review of the codebase or vendor security documentation, configuration hardening checklist completion, network architecture review, and monitoring plan definition.
Monitor for process anomalies, not just AI metrics. Your monitoring likely tracks model accuracy, inference latency, and training loss. Add alerts for unexpected child processes, outbound connections to non-corporate IP ranges, sustained GPU utilization during off-hours, and new cron jobs or scheduled tasks created by AI service accounts.
Patch within 72 hours for critical vulnerabilities. CVE-2026-33017's CVSS score of 9.8 demands immediate action. Establish a process to upgrade AI frameworks within three days of a critical patch release. Test the upgrade in development first, but do not delay production deployment beyond 72 hours.
Review your third-party AI tool vetting process. Before adding any AI framework to your approved tools list, verify: authentication is required by default, code execution is sandboxed or restricted, the vendor has a security response team and disclosure policy, and the tool supports your logging and monitoring infrastructure.
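The process-anomaly monitoring recommended above, as an added example that is not taken from the article: rule checks over constructed telemetry events for the indicators it lists (unexpected child processes under the AI service account, outbound connections outside corporate ranges, sustained GPU load outside the training window, new scheduled tasks). The service account name, expected binaries, address ranges and training window are assumptions a site would replace with its own.

```python
import ipaddress
from datetime import datetime

# Site-specific values assumed for the example (not from the article): the AI service
# account, the binaries it normally runs, corporate address space, training window.
AI_SERVICE_ACCOUNTS = {"langflow"}
EXPECTED_CHILDREN = {"python", "uvicorn"}
CORPORATE_RANGES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
TRAINING_WINDOW = (8, 20)      # GPU load is expected between 08:00 and 20:00 host time
GPU_BUSY_PCT = 85.0            # utilisation treated as sustained load

def _is_corporate(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)

def check_event(ev):
    """Return the names of the rules one telemetry event trips (empty list if none)."""
    hits = []
    svc = ev.get("user") in AI_SERVICE_ACCOUNTS
    if ev["type"] == "process" and svc:
        if ev["exe"] not in EXPECTED_CHILDREN:
            hits.append("unexpected_child_process")
        if ev["cmdline"].startswith(("crontab", "at ", "systemd-run")):
            hits.append("scheduled_task_created")
    elif ev["type"] == "netconn" and svc and not _is_corporate(ev["dst_ip"]):
        hits.append("outbound_to_non_corporate_range")
    elif ev["type"] == "gpu":
        hour = datetime.fromisoformat(ev["ts"]).hour
        in_window = TRAINING_WINDOW[0] <= hour < TRAINING_WINDOW[1]
        if not in_window and ev["util_pct"] >= GPU_BUSY_PCT:
            hits.append("off_hours_gpu_load")
    return hits

def scan(events):
    """Return (timestamp, rule) pairs for every event that trips a rule."""
    return [(ev["ts"], rule) for ev in events for rule in check_event(ev)]

# Constructed sample telemetry (not captured from a real host): a normal worker start,
# then the sequence the article describes.
SAMPLE_EVENTS = [
    {"type": "process", "ts": "2025-03-15T09:00:00", "user": "langflow", "exe": "uvicorn", "cmdline": "uvicorn langflow.main:app"},
    {"type": "process", "ts": "2025-03-15T14:10:00", "user": "langflow", "exe": "unknown_bin", "cmdline": "/tmp/.cache/unknown_bin"},
    {"type": "netconn", "ts": "2025-03-15T14:11:00", "user": "langflow", "dst_ip": "203.0.113.7"},
    {"type": "netconn", "ts": "2025-03-15T14:12:00", "user": "langflow", "dst_ip": "10.20.0.5"},
    {"type": "gpu", "ts": "2025-03-16T03:00:00", "util_pct": 97.0},
    {"type": "gpu", "ts": "2025-03-16T13:00:00", "util_pct": 97.0},
    {"type": "process", "ts": "2025-03-16T03:05:00", "user": "langflow", "exe": "crontab", "cmdline": "crontab -"},
]
```

Calling scan(SAMPLE_EVENTS) yields five alerts from the seven events; in production the events would come from an EDR, auditd or GPU exporter feed and each rule name would map to an alert route.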
The Langflow incident reveals a broader pattern: AI infrastructure gets deployed faster than security teams can review it. Your developers are experimenting with AI frameworks to solve real business problems, and they will continue doing so. Your job is to make secure deployment the path of least resistance—not to slow down innovation, but to ensure the next vulnerability does not turn your AI servers into someone else's mining operation.