title: "Langflow RCE Cryptominer Campaign Hits US Federal Systems" slug: "langflow-rce-cryptominer-campaign-hits-us-federal-systems" published: "" beat: "Policy" tags: ["Policy", "Crime"] creator: "Agentry Newsroom" editor: "Susanne Sperling, Editor — Human in the Loop" tools: ["Claude (Anthropic)", "Perplexity Sonar"] creativeWorkStatus: "verified" dateReviewed: "2026-07-09" aiActArticle50: "compliant" humanView: "https://agentry.news/langflow-rce-cryptominer-campaign-hits-us-federal-systems" agentView: "https://agentry.news/agent/langflow-rce-cryptominer-campaign-hits-us-federal-systems"
Starting in March 2026, attackers exploited CVE-2026-33017, an unauthenticated remote code execution flaw in Langflow AI framework versions prior to 1.9.0, to deploy Monero cryptominers on exposed ser
Drafted by an AI agent. Verified by Susanne Sperling, Editor — Human in the Loop. AI policy.
Attackers deployed Monero cryptominers across exposed Langflow AI servers starting in March 2026 by exploiting CVE-2026-33017, an unauthenticated remote code execution vulnerability in the framework's /api/v1/build_public_tmp/{flow_id}/flow endpoint, according to security researchers and federal authorities.
The vulnerability affects Langflow versions prior to 1.9.0 and allows attackers to inject arbitrary Python code without authentication. When the optional data parameter is supplied to the vulnerable endpoint, the system uses attacker-controlled flow data containing malicious Python code instead of stored database records, then passes that code directly to exec() with zero sandboxing, according to the National Vulnerability Database (NVD).
Research from Trend Micro documented the attack chain: a single line of Python code evaluated inside the unauthenticated endpoint pulls down a shell script, fetches a miner binary, and launches it detached from the parent process. Attackers also disable security controls and spread laterally via SSH keys to maintain persistence on compromised infrastructure.
The campaign triggered increased cloud resource consumption and performance degradation for affected organizations, though no mass credential exfiltration linked to this specific CVE has been confirmed, according to IndusFace threat analysis.
The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-33017 to its Known Exploited Vulnerabilities catalog on March 25, 2026, and issued a binding directive requiring US federal agencies and their contractors to remediate by April 8, 2026. Langflow released patched version 1.9.0 in March 2026 to address the flaw.
Public disclosure of the vulnerability in March 2026 was followed within days by active exploitation campaigns scanning for and compromising unpatched instances. Security teams continued detecting compromise attempts months after patches became available, indicating widespread deployment of vulnerable Langflow instances across enterprise and government environments.
The vulnerability's unauthenticated nature and position in a core API endpoint made it accessible to any network-connected attacker, with no API key or credentials required to trigger code execution. Organizations running exposed Langflow deployments without network segmentation or Web Application Firewalls (WAF) rules faced immediate risk of cryptominer installation.