Back

Langflow CVE-2026-33017 Exploited for AWS Key Theft and Botnet Deployment

Severity: High (Score: 72.9)

Sources: Gbhackers, Cybersecuritynews

Summary

The Langflow vulnerability CVE-2026-33017 is being actively exploited to steal AWS keys and create a botnet known as 'KeyHunter.' This vulnerability allows for remote code execution on unpatched Langflow instances, particularly affecting public flow-building endpoints. Attackers are leveraging this flaw to turn compromised systems into workers for a NATS-based botnet, facilitating large-scale credential theft and misuse of cloud resources. The CVE was published on March 20, 2026, and added to CISA's Known Exploited Vulnerabilities catalog shortly after on March 25, 2026. Security researchers have highlighted the urgency for organizations to patch their Langflow instances to prevent exploitation. Key Points: • CVE-2026-33017 allows remote code execution on Langflow instances. • Exploited systems are being used to steal AWS keys and join a botnet. • The vulnerability was added to CISA's KEV catalog on March 25, 2026.

Key Entities

  • Botnet (attack_type)
  • Zero-day Exploit (attack_type)
  • CVE-2026-33017 (cve)
  • KeyHunter (malware)
  • T1059.006 - Python (mitre_attack)
  • Langflow (company)
  • NATS (platform)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed