Critical Langflow Vulnerability Exploited Hours After Public Disclosure

Langflow has become a cornerstone for developers building AI agents, boasting more than 145,000 stars on GitHub and thousands of forks. 3 on the CVSS scale, resides in a POST endpoint that creates public flows without authentication. By supplying a crafted ‘data’ parameter, an attacker can inject arbitrary Python code into node definitions, which the server executes without sandboxing, resulting in unauthenticated remote code execution. 1, released on March 17, but the advisory exposed enough technical detail for immediate weaponization.

Within roughly 20 hours of the public advisory, threat actors launched exploitation campaigns, as reported by Sysdig. Initial scans from four IP addresses delivered a generic payload, suggesting automated tooling. Subsequent phases saw a different IP conduct reconnaissance and deploy custom scripts, followed by a third IP exfiltrating stolen keys and credentials to a single command‑and‑control server. The rapid progression from scanning to data theft underscores how quickly unpatched open‑source components can become a foothold for supply‑chain attacks, pressuring organizations to accelerate patch management and monitor for anomalous API traffic. The Langflow incident highlights systemic challenges in open‑source security.

Disclosure practices that reveal endpoint paths and injection vectors, while essential for remediation, can also furnish attackers with a ready‑made exploit when patches are not yet deployed. Vendors and maintainers must adopt coordinated vulnerability disclosure, provide timely patches, and consider default authentication for critical APIs. Meanwhile, security teams should implement runtime application self‑protection, enforce least‑privilege execution environments, and employ threat‑intel feeds to detect early exploitation attempts. Proactive monitoring can turn a brief exposure window into a manageable risk.