PERMISSION/PROTOCOL
Back to incident tracker

2026-06-28

HighVendor post

CVE-2026-33017 (CVSS 9.3): Unauthenticated RCE in Langflow Actively Exploited to Deploy Monero Cryptominer, Disable Security Controls, and Propagate via SSH on AI Agent Servers

CVE-2026-33017 (CVSS 9.3): Threat actors exploited an unauthenticated Langflow RCE flaw to deploy a Monero miner, disable AppArmor, establish persistence, and spread via SSH. Trend Micro research.

LangflowTool execution / MCPUnauthenticated RCE via exposed AI agent API endpoint, leading to cryptominer deployment and lateral movementLangflow AI agent workflow runtime — holds LLM API keys, agent workflow definitions, credentials for downstream databases and APIs, and SSH access to connected infrastructure

What happened

Attacker sends a single unauthenticated HTTP request to a Langflow API endpoint that evaluates Python code. The request contains one line of Python that fetches a remote shell script, which downloads the lambsys miner binary via curl or wget, launches it as a detached process, and initiates SSH-based lateral movement to connected hosts.

Why it matters

Full RCE on Langflow servers. The lambsys malware terminates competing crypto miners (Kinsing, WatchDog, Rocke, Outlaw), disables AppArmor and Ubuntu Uncomplicated Firewall, establishes cron-based persistence, beacons to attacker infrastructure, and spreads to every SSH-reachable host the Langflow server can authenticate to. All LLM API keys, agent workflow credentials, and downstream service access held by the compromised instance are exposed.

Missing authorization check

The Python code evaluation endpoint must require authentication before accepting user-supplied code for execution. No internet-exposed endpoint should evaluate arbitrary code without validating the caller's identity and scope. Runtime isolation should prevent code execution from reaching the host OS layer.

Would PP block it?

The attack bypasses the agent layer entirely — it exploits a bare API endpoint on the Langflow server. PP's authorization chain is external to the Langflow runtime and cannot intercept this request. Once the attacker achieves RCE on the Langflow server, they can read PP-bound credentials and potentially impersonate agent sessions. Full protection requires hardening the Langflow server (authentication on all code-execution endpoints, runtime isolation) as a prerequisite. PP receipts for downstream agent actions remain valid as a downstream audit control but cannot prevent the initial server compromise.

Incident analysis

Timeline and technical read

Timeline

  1. 2026-03-27

    Exploitation campaign begins. Threat actors start scanning for internet-exposed Langflow instances vulnerable to CVE-2026-33017 and deploying the lambsys Monero miner.

  2. 2026-04-15

    Active exploitation campaign ends (last observed activity). Over 19 days, attackers compromised multiple Langflow servers and propagated via SSH to connected hosts.

  3. 2026-06-25

    Trend Micro researchers Simon Dulude and John Zhang publish full technical analysis of the CVE-2026-33017 cryptomining campaign, including malware binary analysis and C2 infrastructure details.

  4. 2026-06-28

    GBHackers and CyberPress report Trend Micro findings. Security community identifies second major Langflow RCE campaign in 2026 following CVE-2026-5027 path traversal.

  5. 2026-06-30

    The Hacker News and SC World report; pattern of serial Langflow CVE exploitation by threat actors targeting AI agent infrastructure is publicly documented.

Technical breakdown

  • CVE-2026-33017 exposes a Langflow API endpoint that evaluates attacker-supplied Python code without authentication. A single HTTP request containing one line of Python is sufficient to achieve arbitrary code execution on the host server.
  • The attack chain: unauthenticated API request with Python payload that fetches a remote shell script, which checks for a competing lambsys process, downloads the miner binary via curl or wget, launches it as a detached process, then initiates SSH lateral movement.
  • The lambsys binary is an ELF executable written in Go. It terminates known competing miner families (Kinsing, WatchDog, Rocke, Outlaw), deletes their wallet and key material, disables AppArmor and Ubuntu Uncomplicated Firewall, and establishes cron-based persistence.
  • Lateral movement exploits reused SSH keys on the compromised Langflow server to spread lambsys to every SSH-reachable host the server can authenticate to, turning a single exposed Langflow instance into a network-wide compromise beachhead.
  • CVE-2026-33017 is the second major unauthenticated RCE exploited against Langflow in 2026, following CVE-2026-5027 (CVSS 8.8, path traversal). Serial exploitation of the same platform by multiple threat actor groups marks Langflow as an established target class in AI infrastructure campaigns.

Authorization boundary

Where the authorization boundary should have been

This incident is categorized as Tool execution / MCP. The relevant Permission Protocol gate is Runtime Gate. The read is conditional: the block only applies where the real action boundary is routed through a gate.

If enforced at
Agent action authorization; downstream tool-call and data mutation gates
Still needs
Unauthenticated API endpoint access; server-level Python code execution; Langflow runtime authentication and isolation
Receipt required for
Any agent action using Langflow-held credentials; LLM API calls, database mutations, and external service calls made through Langflow agent workflows

CVE-2026-33017 is a pre-agent exploit: the attacker reaches the Langflow server directly via a vulnerable unauthenticated endpoint before any agent session begins. PP's Runtime Gate enforces authorization on agent-issued actions but cannot gate unauthenticated HTTP requests to vulnerable API endpoints.

Start small

Put the relevant gate at this action boundary.

This incident maps to Runtime Gate. Start with the boundary that controls the actual action, then require a signed receipt before execution.

Replay this incident with a signer in the loop