Critical Langflow CVE-2026-33017 vulnerability lets attackers steal AWS keys

Marcus Rodriguez
May 14, 2026 5 Min Read

Key Takeaways

  • A critical unauthenticated remote code execution vulnerability, CVE-2026-33017, in the Langflow AI workflow tool is being actively exploited.
  • Attackers are leveraging this flaw to steal AWS access keys and other AI API credentials, then using compromised systems as nodes in a novel NATS-based botnet.
  • The campaign demonstrates a sophisticated credential harvesting operation, where a single exposed AI development tool can lead to extensive cloud resource abuse and unauthorized use of large language models.
  • Immediate patching of Langflow and rotation of potentially exposed cloud and AI API keys are crucial mitigation steps.

Cybersecurity researchers have uncovered an active campaign exploiting a severe vulnerability in Langflow, an open-source AI workflow orchestration tool. The flaw, tracked as CVE-2026-33017, allows unauthenticated remote code execution, enabling threat actors to pilfer cloud credentials and integrate compromised systems into a new botnet utilizing the NATS messaging system.

This incident underscores the significant risk posed by improperly secured AI development tools, which can serve as gateways for widespread credential theft and unauthorized access to valuable cloud resources.

Langflow CVE-2026-33017 Exploited for Credential Theft

The core of the attack revolves around CVE-2026-33017, an unauthenticated remote code execution vulnerability in Langflow. This critical flaw, added to the CISA KEV catalog in March 2026, permits attackers to execute arbitrary commands directly within the Langflow container by targeting a publicly accessible endpoint without needing any authentication.

During a documented incident, this straightforward exploitation method was sufficient to expose live AWS access keys. These stolen credentials subsequently facilitated a broader phase of cloud reconnaissance and abuse. Researchers at Sysdig were the first to detail this activity after observing an operator compromise a Langflow instance and then pivot into the victim’s cloud environment.

Within a mere 30-minute window, the threat actor deployed a Python worker script and a Go-based binary from their infrastructure. This deployment indicates a clear intent to scale the attack beyond a single compromised host.

The “KeyHunter” Tooling and Broader Impact

Static analysis of the deployed tools, which the attacker dubbed “KeyHunter,” revealed their design to systematically harvest API keys from various web content and cloud development platforms. The implications of this vulnerability extend far beyond the initial Langflow compromise. Once the Langflow service is exploited, the stolen AWS keys empower attackers to enumerate cloud resources, probe AI services, and potentially exploit high-end language models without incurring costs.

The same worker framework is also capable of validating keys for other platforms, including OpenAI and Anthropic. This functionality transforms each compromised Langflow instance into a continuous source of monetizable credentials.

In the observed Sysdig incident, the operator also attempted to escalate privileges and escape the container using DirtyPipe and DirtyCred exploits, suggesting an ambition for deeper host control if the initial foothold allowed it. Although their attempt to run the Go-based worker failed due to memory constraints, they successfully reverted to the Python worker for data collection.

The vulnerability specifically resides in an unauthenticated API endpoint, /api/v1/build_public_tmp//flow. By invoking this public build endpoint, attackers can capture the process environment and directly extract sensitive AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY values. This method requires no phishing or social engineering, making automated scanning of internet-facing Langflow nodes a highly effective way to harvest credentials at scale.

Following the credential theft, the keys were immediately validated using the sts:GetCallerIdentity API to confirm their active status. Over the subsequent hours, these same keys were used for a comprehensive cloud reconnaissance sweep, including listing S3 buckets, enumerating EC2 instances, and checking logging, cost, and identity services. The attacker then targeted AWS Bedrock, probing model invocation endpoints in what appears to be an attempt at “LLM jacking” to utilize large language models without payment.

This activity aligns with the capabilities of the KeyHunter Python worker, which includes functions named validate_aws and validate_ai to automatically check and classify harvested keys. The worker can also scrape arbitrary web pages and specific cloud code platforms, creating a unified pipeline where a single compromised Langflow host can feed numerous subsequent attacks. By treating stolen Langflow keys as merely one input stream, the attacker maximizes the value extracted from every captured environment variable.
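The validate-then-sweep sequence described above can be hunted for in CloudTrail. The following is an added example, not code from the article, Sysdig or Langflow: it groups records by access key and flags keys where `GetCallerIdentity` is followed by calls to several services. The six-hour window, the three-service threshold, the expected egress address and all sample records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=6)       # assumed look-ahead after the validation call
MIN_SERVICES = 3                  # assumed: distinct services that make a sweep
EXPECTED_IPS = {"203.0.113.10"}   # constructed: egress address of the Langflow host

def when(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def find_validate_then_sweep(events, expected_ips=EXPECTED_IPS):
    """Flag access keys where GetCallerIdentity precedes multi-service recon."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[ev["userIdentity"]["accessKeyId"]].append(ev)
    findings = []
    for key, evs in by_key.items():
        evs.sort(key=when)
        for i, ev in enumerate(evs):
            if ev["eventName"] != "GetCallerIdentity":
                continue
            later = [x for x in evs[i + 1:]
                     if when(x) - when(ev) <= WINDOW
                     and x["eventSource"] != "sts.amazonaws.com"]
            services = {x["eventSource"].split(".")[0] for x in later}
            if len(services) >= MIN_SERVICES:
                ips = {x["sourceIPAddress"] for x in [ev] + later}
                findings.append({"access_key": key, "validated_at": ev["eventTime"],
                                 "services": sorted(services),
                                 "bedrock_touched": "bedrock" in services,
                                 "unexpected_ips": sorted(ips - set(expected_ips))})
                break  # one finding per key is enough to trigger rotation
    return findings

def record(key, time, source, name, ip):
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip, "userIdentity": {"accessKeyId": key}}

# Constructed CloudTrail-style records (placeholder keys, documentation IPs).
SAMPLE = [
    record("AKIAEXAMPLEKEY000001", "2026-05-01T10:00:00Z", "sts.amazonaws.com", "GetCallerIdentity", "198.51.100.7"),
    record("AKIAEXAMPLEKEY000001", "2026-05-01T10:05:00Z", "s3.amazonaws.com", "ListBuckets", "198.51.100.7"),
    record("AKIAEXAMPLEKEY000001", "2026-05-01T10:20:00Z", "ec2.amazonaws.com", "DescribeInstances", "198.51.100.7"),
    record("AKIAEXAMPLEKEY000001", "2026-05-01T12:30:00Z", "bedrock.amazonaws.com", "ListFoundationModels", "198.51.100.7"),
    record("AKIAEXAMPLEKEY000002", "2026-05-01T10:01:00Z", "sts.amazonaws.com", "GetCallerIdentity", "203.0.113.10"),
    record("AKIAEXAMPLEKEY000002", "2026-05-01T10:02:00Z", "s3.amazonaws.com", "ListBuckets", "203.0.113.10"),
]
if __name__ == "__main__":
    print(find_validate_then_sweep(SAMPLE))
```

A finding with `bedrock_touched` set on a key that has no business calling Bedrock is the strongest signal here; `unexpected_ips` is enrichment only, since stolen keys may also be used from the compromised host itself.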

NATS Worker Turns Langflow Hosts into C2 Nodes

A distinctive aspect of this campaign is the use of a NATS message broker for command and control (C2), diverging from traditional web panel setups. The attacker’s worker connects to a NATS server at 45.192.109.25:14222 via an authenticated session, subscribing to subjects such as task.scan_cde, task.scan_web, task.validate_aws, and task.validate_ai.

This architecture allows the operator to centrally queue tasks, have workers retrieve them, and then receive structured results back using JetStream pull consumers with explicit acknowledgments. Interestingly, NATS’s subject-level permissions forced the attacker to adapt in real time. When initial heartbeat messages were blocked, they deployed a quick enumeration script to discover which subjects the worker user was authorized to publish to, eventually settling on channels like heartbeat.worker and worker.result. This effectively implements a “least privilege” model within the botnet itself, preventing a compromised worker from eavesdropping on the operator’s own control communications.

The Go binary and its associated install script highlight the attacker’s objective of establishing a resilient, cross-platform worker pool. The deploy.sh script installs the worker under /opt/keyhunter-worker/ as a systemd service, configured for automatic restarts and persistence across reboots on both x86_64 and aarch64 systems. Once deployed, each worker can maintain multiple outbound connections and scrape credential-rich code sandboxes while masquerading as legitimate browser traffic.

What You Should Do

  • Patch Immediately: Update Langflow instances to a version that addresses CVE-2026-33017. The unauthenticated nature of the vulnerable endpoint makes unpatched instances highly susceptible to automated scanning and exploitation.
  • Assume Compromise: Any Langflow instance exposed to the internet prior to patching should be considered compromised.
  • Rotate Credentials: Immediately rotate all AWS, OpenAI, Anthropic, and Hugging Face keys, or any other API keys that could have been accessible from the compromised Langflow environment.
  • Block Malicious Infrastructure: Implement blocks for outbound traffic to the identified NATS C2 server (45.192.109.25:14222) and the staging HTTP server (159.89.205.184:8888).
  • Tighten Egress Filtering: Restrict outbound network connections from AI tooling to only necessary LLM and database endpoints, preventing communication with the open internet.
  • Monitor for IoCs: Implement monitoring for the provided Indicators of Compromise (IoCs) in your security tools.

Indicators of Compromise:

| Type | Indicator | Description |
|---|---|---|
| IP:Port | 45.192.109.25:14222 | NATS C2 server used as the command and control message broker. |
| IP:Port | 159.89.205.184:8888 | Staging HTTP server hosting worker binaries and scripts. |
| File hash (SHA-256) | dbee863ad2a39f939be2c7ed76f7d5a8fe000aad2d2b2d32b3e8ec3ee42f | worker-linux-amd64 Go binary. |
| File hash (SHA-256) | 323bbf3064d4b83df7920d752636b1acb36f462e58609a815bd8084d1e6 | keyhunter_worker.py Python worker script. |
| File hash (SHA-256) | 16b279aa018c64294d58280636e538f86e3dd9bdcb5734c203373394b7 | deploy.sh installer script that sets up the worker service. |
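
To support the "Assume Compromise" and "Monitor for IoCs" steps, here is an added triage sketch (not code from the article, Sysdig or Langflow) that checks a host for three traces named above: requests to the public build endpoint, connections to the listed IP:port pairs, and a systemd unit running from /opt/keyhunter-worker/. The combined access-log format, the connection-row layout, the unit directory and all sample rows are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Values taken from the article; only the endpoint prefix is matched.
ENDPOINT_PREFIX = "/api/v1/build_public_tmp/"
IOC_ENDPOINTS = {"45.192.109.25:14222", "159.89.205.184:8888"}
INSTALL_DIR = "/opt/keyhunter-worker/"

# Combined log format: client - user [time] "METHOD path PROTO" status ...
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
PEER_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}:\d{1,5})\b")

def build_endpoint_hits(access_lines):
    """Requests to the public build endpoint as (client, time, method, status)."""
    hits = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if m and m.group(4).startswith(ENDPOINT_PREFIX):
            hits.append((m.group(1), m.group(2), m.group(3), int(m.group(5))))
    return hits

def ioc_connections(conn_lines):
    """Connection rows (ss output, flow logs) that name a listed IP:port."""
    return [ln.strip() for ln in conn_lines
            if IOC_ENDPOINTS & set(PEER_RE.findall(ln))]

def worker_units(unit_dir):
    """systemd unit files whose ExecStart points into the worker install dir."""
    found = []
    for unit in sorted(Path(unit_dir).glob("*.service")):
        text = unit.read_text(errors="replace")
        if any(ln.strip().startswith("ExecStart") and INSTALL_DIR in ln
               for ln in text.splitlines()):
            found.append(unit.name)
    return found

def triage(access_lines, conn_lines, unit_dir):
    """Combine the three checks; any non-empty list marks the host for response."""
    report = {"build_endpoint_hits": build_endpoint_hits(access_lines),
              "ioc_connections": ioc_connections(conn_lines),
              "worker_units": worker_units(unit_dir)}
    report["suspect"] = any(report.values())
    return report

# Constructed sample rows (documentation addresses, not incident data).
SAMPLE_ACCESS = ['198.51.100.7 - - [01/May/2026:09:58:12 +0000] '
                 '"POST /api/v1/build_public_tmp/EXAMPLE/flow HTTP/1.1" 200 512']
SAMPLE_CONNS = ["ESTAB 0 0 172.17.0.2:51514 45.192.109.25:14222"]

if __name__ == "__main__":
    print(triage(SAMPLE_ACCESS, SAMPLE_CONNS, "/etc/systemd/system"))
```

A clean report does not clear a host that was exposed before patching; the article's guidance to rotate every key reachable from the Langflow environment still applies.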
