Langflow RCE Vulnerability Leads to Monero Cryptominer Deployment

Langflow RCE Vulnerability Leads to Monero Cryptominer Deployment

First seen 30 Jun 2026, 17:15 UTC GbhackersThehackernews 76% similarity 73.5
Share:

Article Content

Browse articles
ThreatCluster

Threat actors are exploiting CVE-2026-33017, a critical unauthenticated remote code execution vulnerability in Langflow, to compromise exposed AI application servers. This exploitation allows attackers to deploy a customized Monero (XMR) cryptominer silently. The vulnerability was published on March 20, 2026, and has been actively exploited since March 25, 2026. Trend Micro researchers Simon Dulude and John Zhang documented the campaign, indicating a shift in cryptominer delivery tactics. Organizations running Langflow should assess their exposure and implement necessary security measures. The current status of the exploitation is ongoing, with significant risk to internet-exposed AI systems.

Key Points: • CVE-2026-33017 is a critical RCE vulnerability in Langflow being actively exploited. • Attackers are deploying Monero cryptominers on compromised AI application servers. • Organizations should urgently assess their Langflow installations for exposure.

ThreatCluster AI

Timeline

2026-03-20
CVE-2026-33017 published
Langflow's critical RCE vulnerability was officially disclosed, affecting exposed AI servers.
Gbhackers
2026-03-21
First public PoC released
A proof of concept for CVE-2026-33017 was made public, increasing the risk of exploitation.
Gbhackers
2026-03-25
CVE-2026-33017 added to CISA KEV
CISA confirmed active exploitation of the vulnerability, prompting alerts to organizations.
Gbhackers
Recent
Active exploitation reported
Trend Micro researchers documented ongoing attacks leveraging the Langflow RCE vulnerability.
Gbhackers

Extracted Entities

1 / 2

Community

Browse all →