CISA sounds alarm on Langflow RCE, Trivy supply chain compromise after rapid exploitation
The US Cybersecurity and Infrastructure Security Agency (CISA) has added two new vulnerabilities to its Known Exploited Vulnerabilities catalog:
- CVE-2026-33017, a recently disclosed code injection vulnerability in Langflow, an open-source framework for building AI agents and workflows, and
- CVE-2026-33634, an embedded malicious code vulnerability in Aqua Security’s Trivy security scanner.
Their addition to the catalog means that US federal civilian agencies are required to address the flaws within their networks by April 8 and 9, respectively.
About CVE-2026-33017
CVE-2026-33017 is a critical vulnerability stemming from several security weaknesses and affects Langflow versions 1.8.2. and earlier. It may allow unauthenticated attackers to remotely execute code on a Langflow instance via a public flow build endpoint.
A very detailed security advisory for CVE-2026-33017 was made broadly visible on GitHub on March 17, 2026, and apparently had enough information for attackers to develop an exploit and start using it.
“Within 20 hours of the advisory’s publication, the Sysdig Threat Research Team (TRT) observed the first exploitation attempts in the wild,” the cloud security company shared.
“No public proof-of-concept (PoC) code existed at the time. Attackers built working exploits directly from the advisory description and began scanning the internet for vulnerable instances. Exfiltrated information included keys and credentials, which provided access to connected databases and potential software supply chain compromise.”
The occurrence serves as another confirmation of the shrinking window between “advisory publication” and “active exploitation”, Sysdig researchers noted.
“The collapse from months-long exploitation timelines to same-day weaponization is a structural shift in how vulnerabilities are exploited today. Organizations that rely on scheduled patch cycles to address critical vulnerabilities are operating on a timeline that attackers have already outpaced. Runtime detection, network segmentation, and rapid response capabilities are essential to bridging the gap between disclosure and remediation.”
It should be pointed out that Aviral Srivastava, the discoverer of CVE-2026-33017, unearthed the flaw while checking out how Langflow maintainers fixed CVE-2025–3248, a previously exploited vulnerability in the same code base.
This allowed him to pinpoint the same class of vulnerability, but on a different endpoint. It’s therefore also possible (though less likely) that attackers followed a similar approach.
About CVE-2026-33634
The CVE-2026-33634 identifier has been assigned to allow security teams to follow the ramifications of the Trivy supply chain compromise.
This compromise, which has been attributed to TeamPCP, happened on March 19, 2026, and allowed attackers to:
- Publish a malicious Trivy v0.69.4 release
- Force-push version tags in ‘aquasecurity/trivy-action’ to credential-stealing malware
- Replace all tags in ‘aquasecurity/setup-trivy’ with malicious commits
- Push out malicious trivy images on Docker Hub.
It also likely led to the LiteLLM supply chain attack, which resulted in compromised LiteLLM packages being published on PyPI.
Aqua Security outlined the incident and advised on recommended action for those that have been affected, and is expected to provide a meaningful update on their investigation in the coming days.
BerriAI, the creators of LiteLLM, have paused the release of new LiteLLM packages, and they’ve called in Mandiant to do a complete supply chain security review. According to Wiz researchers, LiteLLM is present in 36% of cloud environments they monitor, “signifying the potential for widespread impact.”
Both organizations have provided remediation instructions for affected users and developers.
In a public alert, the German Federal Office for Information Security (BSI) said that a number of compromises were reported them in the wake of and related to the Trivy attack. “According to current information, no data is believed to have been exfiltrated,” they said.
source: HelpNetSecurity
