Langflow CVE-2026-33017 Exploited for AWS Key Theft and Botnet Deployment

Langflow CVE-2026-33017 Exploited for AWS Key Theft and Botnet Deployment

First seen 14 May 2026, 11:02 UTC GbhackersCybersecuritynewsLetsdatascience 81% similarity 72.9

Article Content

Browse articles
ThreatCluster

The Langflow vulnerability CVE-2026-33017 is being actively exploited to steal AWS keys and create a botnet known as 'KeyHunter.' This vulnerability allows for remote code execution on unpatched Langflow instances, particularly affecting public flow-building endpoints. Attackers are leveraging this flaw to turn compromised systems into workers for a NATS-based botnet, facilitating large-scale credential theft and misuse of cloud resources. The CVE was published on March 20, 2026, and added to CISA's Known Exploited Vulnerabilities catalog shortly after on March 25, 2026. Security researchers have highlighted the urgency for organizations to patch their Langflow instances to prevent exploitation.

Key Points: • CVE-2026-33017 allows remote code execution on Langflow instances. • Exploited systems are being used to steal AWS keys and join a botnet. • The vulnerability was added to CISA's KEV catalog on March 25, 2026.

ThreatCluster AI

Timeline

2026-03-20
CVE-2026-33017 published
Langflow vulnerability CVE-2026-33017 disclosed, allowing remote code execution.
Gbhackers
2026-03-21
First public PoC released
A proof of concept for CVE-2026-33017 was made publicly available, raising concerns about its exploitation.
Gbhackers
2026-03-25
CVE added to CISA KEV catalog
CISA listed CVE-2026-33017 as actively exploited, urging immediate patching.
Gbhackers
Recent
Active exploitation reported
Attackers are currently exploiting CVE-2026-33017 to steal AWS keys and deploy a botnet.
Cybersecuritynews

Community

Browse all →