Critical Langflow CVE-2026-33017 vulnerability lets attackers steal AWS keys
Key Takeaways
- A critical unauthenticated remote code execution vulnerability, CVE-2026-33017, in the Langflow AI workflow tool is being actively exploited.
- Attackers are leveraging this flaw to steal AWS access keys and other AI API credentials, then using compromised systems as nodes in a novel NATS-based botnet.
- The campaign demonstrates a sophisticated credential harvesting operation, where a single exposed AI development tool can lead to extensive cloud resource abuse and unauthorized use of large language models.
- Immediate patching of Langflow and rotation of potentially exposed cloud and AI API keys are crucial mitigation steps.
Cybersecurity researchers have uncovered an active campaign exploiting a severe vulnerability in Langflow, an open-source AI workflow orchestration tool. The flaw, tracked as CVE-2026-33017, allows unauthenticated remote code execution, enabling threat actors to pilfer cloud credentials and integrate compromised systems into a new botnet utilizing the NATS messaging system.
This incident underscores the significant risk posed by improperly secured AI development tools, which can serve as gateways for widespread credential theft and unauthorized access to valuable cloud resources.
Langflow CVE-2026-33017 Exploited for Credential Theft
The core of the attack revolves around CVE-2026-33017, an unauthenticated remote code execution vulnerability in Langflow. This critical flaw, added to the CISA KEV catalog in March 2026, permits attackers to execute arbitrary commands directly within the Langflow container by targeting a publicly accessible endpoint without needing any authentication.
During a documented incident, this straightforward exploitation method was sufficient to expose live AWS access keys. These stolen credentials subsequently facilitated a broader phase of cloud reconnaissance and abuse. Researchers at Sysdig were the first to detail this activity after observing an operator compromise a Langflow instance and then pivot into the victim’s cloud environment.
Within a mere 30-minute window, the threat actor deployed a Python worker script and a Go-based binary from their infrastructure. This deployment indicates a clear intent to scale the attack beyond a single compromised host.
The “KeyHunter” Tooling and Broader Impact
Static analysis of the deployed tools, which the attacker dubbed “KeyHunter,” revealed their design to systematically harvest API keys from various web content and cloud development platforms. The implications of this vulnerability extend far beyond the initial Langflow compromise. Once the Langflow service is exploited, the stolen AWS keys empower attackers to enumerate cloud resources, probe AI services, and potentially exploit high-end language models without incurring costs.
The same worker framework is also capable of validating keys for other platforms, including OpenAI and Anthropic. This functionality transforms each compromised Langflow instance into a continuous source of monetizable credentials.
In the observed Sysdig incident, the operator also attempted to escalate privileges and escape the container using DirtyPipe and DirtyCred exploits, suggesting an ambition for deeper host control if the initial foothold allowed it. Although their attempt to run the Go-based worker failed due to memory constraints, they successfully reverted to the Python worker for data collection.
The vulnerability specifically resides in an unauthenticated API endpoint, /api/v1/build_public_tmp//flow. By invoking this public build endpoint, attackers can capture the process environment and directly extract sensitive AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY values. This method requires no phishing or social engineering, making automated scanning of internet-facing Langflow nodes a highly effective way to harvest credentials at scale.
Following the credential theft, the keys were immediately validated using the sts:GetCallerIdentity API to confirm their active status. Over the subsequent hours, these same keys were used for a comprehensive cloud reconnaissance sweep, including listing S3 buckets, enumerating EC2 instances, and checking logging, cost, and identity services. The attacker then targeted AWS Bedrock, probing model invocation endpoints in what appears to be an attempt at “LLM jacking” to utilize large language models without payment.
This activity aligns with the capabilities of the KeyHunter Python worker, which includes functions named validate_aws and validate_ai to automatically check and classify harvested keys. The worker can also scrape arbitrary web pages and specific cloud code platforms, creating a unified pipeline where a single compromised Langflow host can feed numerous subsequent attacks. By treating stolen Langflow keys as merely one input stream, the attacker maximizes the value extracted from every captured environment variable.
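The post-theft sequence described above (an sts:GetCallerIdentity validation call, then enumeration across several services and Bedrock probing from the same key) can be hunted for in CloudTrail. The following Python detection is an added example, not code from the article or from Sysdig; the sample records, key IDs, IPs, function name, six-hour window and three-service threshold are all constructed assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CloudTrail records for illustration; key IDs and IPs are placeholders.
SAMPLE = """
{"eventTime":"2026-03-20T10:00:05Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","sourceIPAddress":"198.51.100.7","userIdentity":{"accessKeyId":"AKIAEXAMPLELANGFLOW1"}}
{"eventTime":"2026-03-20T10:02:11Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","sourceIPAddress":"198.51.100.7","userIdentity":{"accessKeyId":"AKIAEXAMPLELANGFLOW1"}}
{"eventTime":"2026-03-20T10:03:40Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","sourceIPAddress":"198.51.100.7","userIdentity":{"accessKeyId":"AKIAEXAMPLELANGFLOW1"},"errorCode":"Client.UnauthorizedOperation"}
{"eventTime":"2026-03-20T11:15:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"DescribeTrails","sourceIPAddress":"198.51.100.7","userIdentity":{"accessKeyId":"AKIAEXAMPLELANGFLOW1"}}
{"eventTime":"2026-03-20T12:30:00Z","eventSource":"bedrock.amazonaws.com","eventName":"InvokeModel","sourceIPAddress":"198.51.100.7","userIdentity":{"accessKeyId":"AKIAEXAMPLELANGFLOW1"},"errorCode":"AccessDenied"}
{"eventTime":"2026-03-20T09:00:00Z","eventSource":"sts.amazonaws.com","eventName":"GetCallerIdentity","sourceIPAddress":"203.0.113.10","userIdentity":{"accessKeyId":"AKIAEXAMPLECIDEPLOY1"}}
{"eventTime":"2026-03-20T09:00:30Z","eventSource":"s3.amazonaws.com","eventName":"PutObject","sourceIPAddress":"203.0.113.10","userIdentity":{"accessKeyId":"AKIAEXAMPLECIDEPLOY1"}}
"""

def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def find_key_sweeps(events, window=timedelta(hours=6), min_services=3):
    """Flag access keys that call GetCallerIdentity and then touch many services."""
    by_key = defaultdict(list)
    for e in events:
        key = e.get("userIdentity", {}).get("accessKeyId")
        if key:
            by_key[key].append(e)
    findings = []
    for key, evs in by_key.items():
        evs.sort(key=_ts)
        checks = [e for e in evs if e["eventName"] == "GetCallerIdentity"]
        if not checks:
            continue
        start = _ts(checks[0])
        # Everything the same key did in the window after its first identity check.
        later = [e for e in evs if start < _ts(e) <= start + window]
        services = {e["eventSource"].split(".")[0] for e in later} - {"sts"}
        if len(services) >= min_services:
            findings.append({
                "access_key": key,
                "source_ips": sorted({e["sourceIPAddress"] for e in later}),
                "services": sorted(services),
                "bedrock_probe": "bedrock" in services,
                "denied": sum(1 for e in later if "errorCode" in e),
            })
    return findings

EVENTS = [json.loads(line) for line in SAMPLE.strip().splitlines()]
if __name__ == "__main__":
    for finding in find_key_sweeps(EVENTS):
        print(json.dumps(finding))
```

Legitimate automation also calls GetCallerIdentity, so the service-count threshold is what separates a sweep from routine use; tune it against your own baseline.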
NATS Worker Turns Langflow Hosts into C2 Nodes
A distinctive aspect of this campaign is the use of a NATS message broker for command and control (C2), diverging from traditional web panel setups. The attacker’s worker connects to a NATS server at 45.192.109.25:14222 via an authenticated session, subscribing to subjects such as task.scan_cde, task.scan_web, task.validate_aws, and task.validate_ai.
This architecture allows the operator to centrally queue tasks, have workers retrieve them, and then receive structured results back using JetStream pull consumers with explicit acknowledgments. Interestingly, NATS’s subject-level permissions forced the attacker to adapt in real time. When initial heartbeat messages were blocked, they deployed a quick enumeration script to discover which subjects the worker user was authorized to publish to, eventually settling on channels like heartbeat.worker and worker.result. This effectively implements a “least privilege” model within the botnet itself, preventing a compromised worker from eavesdropping on the operator’s own control communications.
The Go binary and its associated install script highlight the attacker’s objective of establishing a resilient, cross-platform worker pool. The deploy.sh script installs the worker under /opt/keyhunter-worker/ as a systemd service, configured for automatic restarts and persistence across reboots on both x86_64 and aarch64 systems. Once deployed, each worker can maintain multiple outbound connections and scrape credential-rich code sandboxes while masquerading as legitimate browser traffic.
What You Should Do
- Patch Immediately: Update Langflow instances to a version that addresses CVE-2026-33017. The unauthenticated nature of the vulnerable endpoint makes unpatched instances highly susceptible to automated scanning and exploitation.
- Assume Compromise: Any Langflow instance exposed to the internet prior to patching should be considered compromised.
- Rotate Credentials: Immediately rotate all AWS, OpenAI, Anthropic, and Hugging Face keys, or any other API keys that could have been accessible from the compromised Langflow environment.
- Block Malicious Infrastructure: Implement blocks for outbound traffic to the identified NATS C2 server (45.192.109.25:14222) and the staging HTTP server (159.89.205.184:8888).
- Tighten Egress Filtering: Restrict outbound network connections from AI tooling to only necessary LLM and database endpoints, preventing communication with the open internet.
- Monitor for IoCs: Implement monitoring for the provided Indicators of Compromise (IoCs) in your security tools.
Indicators of Compromise:
| Type | Indicator | Description |
|---|---|---|
| IP:Port | 45.192.109.25:14222 | NATS C2 server used as the command and control message broker. |
| IP:Port | 159.89.205.184:8888 | Staging HTTP server hosting worker binaries and scripts. |
| File hash (SHA-256) | dbee863ad2a39f939be2c7ed76f7d5a8fe000aad2d2b2d32b3e8ec3ee42f | worker-linux-amd64 Go binary. |
| File hash (SHA-256) | 323bbf3064d4b83df7920d752636b1acb36f462e58609a815bd8084d1e6 | keyhunter_worker.py Python worker script. |
| File hash (SHA-256) | 16b279aa018c64294d58280636e538f86e3dd9bdcb5734c203373394b7 | deploy.sh installer script that sets up the worker service. |
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.


