In March We Said the AI Agent Builder Got Owned in 20 Hours. Langflow Is Now a Serial Target — Iran's MuddyWater Weaponized One, and a Fresh Unauthenticated RCE Is Live in the Wild.
- Patrick Duggan
- 4 minutes ago
- 3 min read
On March 21 we published a post with a blunt title: the AI agent builder got owned in twenty hours. It was about Langflow, the open-source drag-and-drop tool for building LangChain AI agent pipelines, and a critical flaw — CVE-2026-33017, rated 9.3 — that let a single unauthenticated HTTP request turn into full remote code execution. Twenty hours after the advisory dropped, before any public proof-of-concept existed, attackers had built working exploits from the advisory text alone and were inside production instances. We said then that AI-builder platforms were becoming a serious attack surface precisely because they sit at the center of an organization's AI plumbing and hold the keys to it. Three months later that is no longer a prediction; it is a pattern, and this week added a fresh entry that is being exploited right now.
## The New One: [CVE-2026-5027](https://analytics.dugganusa.com/api/v1/dredd/kev-gap?cve=CVE-2026-5027)
VulnCheck reports active in-the-wild exploitation of CVE-2026-5027, a path-traversal flaw in Langflow rated 8.8 that is unpatched as of this writing. The mechanism is the kind of bug that should not exist in 2026 and keeps existing anyway: the `POST /api/v2/files` endpoint does not sanitize the `filename` field of the multipart upload, so an attacker can use `../` traversal sequences to write a file anywhere on the filesystem, and from arbitrary file write it is a short walk to arbitrary code execution. The detail that turns a serious bug into an urgent one is Langflow's default posture: it ships with unauthenticated auto-login enabled, which means an attacker does not need credentials to reach the vulnerable endpoint. Unauthenticated file write becomes unauthenticated remote code execution, on a platform people deliberately expose so their teams can build with it. Tenable disclosed it publicly on March 27 after several attempts at coordinated disclosure failed, which means the window between "known" and "exploited" has been open for weeks.
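The bug class above, the server trusting a client-supplied multipart filename, is worth seeing next to its fix. The following is an added example written for this post, not Langflow's code: `UPLOAD_ROOT`, the function names and the sample filenames are all assumed. It shows how a naive join lets a traversal name escape the upload directory, and a hardened version that rejects separators and NUL bytes, allowlists the characters, and still re-checks containment of the final path as a second line of defense.

```python
import os
import re

# Assumed upload directory for the example; not Langflow's real path.
UPLOAD_ROOT = "/var/lib/app/uploads"

# Allowlist: must start with an alphanumeric, then up to 254 safe characters.
# This also rejects ".", ".." and dot-prefixed (hidden) names by design.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


class UnsafeFilename(ValueError):
    """Raised when a client-supplied filename fails validation."""


def unsafe_destination(filename: str) -> str:
    """Vulnerable pattern: join the client's filename straight onto the root.

    os.path.normpath collapses the '..' segments, so a traversal name
    resolves to a location outside UPLOAD_ROOT.
    """
    return os.path.normpath(os.path.join(UPLOAD_ROOT, filename))


def escapes_root(path: str, root: str = UPLOAD_ROOT) -> bool:
    """True if the normalized path does not sit under root."""
    norm_root = os.path.normpath(root)
    return os.path.commonpath([os.path.normpath(path), norm_root]) != norm_root


def safe_destination(filename: str) -> str:
    """Hardened pattern: validate the name, then verify containment of the result."""
    # Reject anything that could carry a directory component or a NUL truncation.
    if "\x00" in filename or "/" in filename or "\\" in filename:
        raise UnsafeFilename("path separators or NUL byte in filename")
    # Allowlist the remaining characters instead of trying to blacklist '..'.
    if not _SAFE_NAME.match(filename):
        raise UnsafeFilename("filename contains characters outside the allowlist")
    dest = os.path.normpath(os.path.join(UPLOAD_ROOT, filename))
    # Belt and braces: even a validated name must land inside the root.
    if escapes_root(dest):
        raise UnsafeFilename("destination escapes the upload root")
    return dest


def accepts(filename: str) -> bool:
    """Convenience predicate: does the hardened path accept this filename?"""
    try:
        safe_destination(filename)
        return True
    except UnsafeFilename:
        return False


if __name__ == "__main__":
    # Constructed sample names; the second is a traversal attempt.
    for name in ("report.pdf", "../../../../../../tmp/escaped.txt"):
        print(f"{name!r}: unsafe -> {unsafe_destination(name)}, accepted -> {accepts(name)}")
```

The allowlist regex does the real work; the final `escapes_root` check exists so that a future relaxation of the regex (say, to permit subdirectories) cannot silently reintroduce the traversal.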
## Langflow Is Now A Serial Target, Not An Unlucky One
Here is the part that matters more than any single CVE, and it is the same shape we keep documenting across SolarWinds Serv-U, SAP NetWeaver, and Veeam: Langflow is a repeat name. CVE-2026-5027 is not an isolated bad week; it lands on top of CVE-2026-0770, our old friend CVE-2026-33017, CVE-2026-21445, and CVE-2025-34291 — the last of which was added to CISA's Known Exploited Vulnerabilities catalog and, more pointedly, was weaponized by MuddyWater, the Iranian state-sponsored group we track. When a nation-state intelligence operation is exploiting holes in your AI-pipeline builder, the conversation is no longer about a hobbyist tool with rough edges. It is about a class of software that has quietly become critical infrastructure for how organizations build with AI, and that is accumulating internet-reachable, frequently-unauthenticated remote-code-execution bugs at a rate that puts it in the same category as the file-transfer servers and the backup appliances attackers have always loved.
The reason AI-builder platforms attract this is structural and worth naming. Langflow is the visual front end to your AI agents, which means it is wired into your model API keys, your vector stores, your data sources, and the credentials that let an agent act. Owning the builder is not owning a dev tool; it is owning the control plane for everything the AI touches, plus the keys to bill against your model provider. That is an extraordinarily high-value target wrapped in a friendly drag-and-drop interface that teams are encouraged to stand up quickly and, too often, expose to the network so collaborators can reach it. The convenience and the danger are the same property, exactly as they are for the browser and the service desk and the backup server.
## What A Defender Does
Treat your Langflow instances as crown-jewel infrastructure, because that is what they are. Get current the moment a fix for CVE-2026-5027 ships, and until then, the highest-value mitigations are configuration, not code: do not expose Langflow to the internet, put it behind authentication and a network boundary that assumes the application layer is hostile, and turn off the unauthenticated auto-login default that makes the current bug a no-credentials attack. Hunt your logs for anomalous `POST` requests to `/api/v2/files` and for files appearing in locations the application should never write to. And take the broader inventory question seriously: most organizations do not have a clear list of where their AI-builder and AI-agent platforms are running, who can reach them, and what keys they hold, and you cannot defend the control plane for your AI if you do not know where it is. We flagged this surface in March when Langflow was owned in twenty hours. The five-CVE pile and the Iranian state actor on the list are what "we told you so" looks like when it stops being a warning and becomes a standing condition.
