Langflow RCE Is Back on the Menu — This Time for a Monero Miner
Attackers are still pillaging exposed Langflow instances through CVE-2026-33017, turning forgotten AI workflow servers into XMR mining rigs.

Another week, another internet-exposed AI dev tool getting strip-mined for crypto.
This time it's Langflow, the open-source visual builder a lot of teams use to prototype LangChain pipelines. A fresh wave of exploitation is hitting CVE-2026-33017, an unauthenticated RCE rated 9.3. The payload is a Monero miner. The targets are anything with a Langflow port answering on the public internet.
In practice, this is the same story we've watched play out with Ray, with Ollama, with every shiny AI framework that ships with auth disabled or optional. Platform engineers spin up a workflow server on an EC2 instance or a GKE node to demo something to the AI team. The demo works. Nobody tears it down. Six months later, the security group still has 0.0.0.0/0 on the API port and the binary is two minor versions behind.
The failure mode here is not exotic. Langflow's code execution surface — it lets users define and run Python components by design — has historically been thin on sandboxing. An unauthenticated RCE in that context is basically a shell-as-a-service. Drop an XMRig binary, wire it to a pool, set a low CPU cap so the EC2 bill doesn't spike loud enough to alert FinOps, and you're resident until someone notices.
This isn't the first round of mass exploitation against Langflow. Earlier campaigns this year used a related pre-auth RCE to drop the Flodrix botnet on exposed servers. The pattern is identical: scan, exploit, deploy, persist. Crypto miners are the canary. Where a miner lands today, an initial access broker lands tomorrow.
A few operational notes for anyone running this in prod, or anyone who suspects a data scientist might be:
- Find your Langflow instances.
kubectl get svc -A | grep langflowis a fine start, but check ALB target groups and any standalone VMs too. Shodan will absolutely find them before you do. - Patch to the current release. The project has shipped fixes; running anything older than the advisory cutoff is the bug.
- Put it behind something. IAP on GCP, an ALB with Cognito on AWS, a Tailscale ACL, literally anything that isn't a public listener.
- Check for unexpected outbound to known mining pools and for
xmrig-shaped processes. CPU steal time on neighboring workloads is a decent secondary signal.
One thing the post-mortem will say: the Langflow box was never supposed to be production. It was a demo that outlived its usefulness and kept its public IP.
If your AI tooling has a web UI and a code execution primitive, treat it like a Jenkins server from 2017. That's the threat model.
Operational takeaway: inventory your AI dev tools the same way you inventory your CI runners — because attackers already are.



