Langflow RCE CVE-2026-33017 Weaponized to Spread Monero Miners via AI Endpoints

Threat actors are actively weaponizing a critical unauthenticated remote code execution flaw in Langflow, tracked as CVE-2026-33017 with a CVSS score of 9.3, to hijack exposed AI application endpoints and deploy Monero cryptocurrency miners. According to Trend Micro researchers Simon Dulude and John Zhang, the campaign was observed over a 19-day window between March 27 and April 15, 2026, with attackers specifically scanning the internet for vulnerable Langflow instances. The exploit leverages a single line of Python code evaluated inside an unauthenticated Langflow API endpoint, which pulls down a shell script, downloads a miner binary, and launches it as a detached process. Organizations running Langflow on internet-facing infrastructure should immediately verify their exposure using a port scanner to confirm whether management interfaces are publicly accessible and restrict them with authentication or firewall rules.

The payload, internally named "lambsys," is a Go-compiled ELF binary engineered with deep anti-forensics and anti-competition capabilities. Upon execution, it terminates rival cryptocurrency miner processes associated with Kinsing, WatchDog, Rocke, and Outlaw cryptojacking groups, then deletes their wallet files and key material. It further disables host-level defenses including AppArmor, Ubuntu's Uncomplicated Firewall, iptables, SELinux, the kernel NMI watchdog, and Alibaba Cloud's Aliyun agent. The malware also strips the chattr +i immutable attribute from files such as ~/.ssh/, /etc/crontab, and /etc/ld.so.preload to enable persistence modifications before reapplying it to /tmp/ and /var/tmp/. System logs are wiped to erase evidence of the intrusion, and the malware propagates laterally to every SSH-reachable host the victim can authenticate to using reused SSH keys, effectively turning a single exposed Langflow instance into a launchpad for broader enterprise compromise.

The dropper establishes cron-based persistence and beacons to an external command-and-control server at 83.142.209[.]214:80, from which it fetches a TAR archive containing a bespoke XMRig miner. Network defenders investigating suspicious traffic to this indicator can use a WHOIS lookup to identify associated infrastructure and pivot to other potentially malicious hosts on the same ASN. Once the XMRig miner is extracted and executed, the archive is deleted from disk to minimize forensic artifacts. The binary additionally queries ipinfo[.]io to obtain the host's public IP address and geolocation, data that is likely exfiltrated to inform follow-on targeting decisions. Security teams responding to suspected infections should audit SSH authorized_keys files for unauthorized additions and review cron entries for persistence mechanisms.

Langflow users are strongly urged to patch CVE-2026-33017 without delay, as the unauthenticated nature of the RCE makes any internet-exposed instance trivially exploitable. Defenders should also verify that management UIs are not publicly accessible, enforce network segmentation around AI/ML workloads, and rotate SSH keys that may have been exposed on compromised hosts. Given the campaign's ability to spread via SSH and disable cloud security agents, organizations should treat any confirmed Langflow compromise as a potential full-network intrusion and initiate a thorough incident response process. Proactive exposure management with a SSL/TLS checker and continuous monitoring of outbound traffic to known mining pools and suspicious IPs can help detect this threat before it escalates into a costly cryptojacking operation.