Three Langflow CVEs in Two Weeks. CISA Says Active Exploitation. We Have the IPs.

  • Writer: Patrick Duggan
  • Apr 8

Updated: Apr 25

Langflow is the visual builder for LangChain agents. It's how a lot of teams stand up AI workflows without writing the orchestration code themselves. It's also, as of tonight, sitting on three critical CVEs in two weeks — and CISA is warning about active exploitation on one of them.


We have six active exploiter IPs in our index. Two of them are running custom exploits with stage-2 droppers. One is harvesting credentials. The other four are running nuclei against everything that responds.


If you have a Langflow instance reachable from the internet, stop reading this and pull the plug. Then come back.



The Three CVEs


CVE-2026-0770 — default credentials. The exploit just walks in the front door with langflow/langflow. Detection rule indexed: login attempts with the default cred pair.


CVE-2026-33017 — the CISA one. Critical RCE. Two PoC repos on GitHub already (one of them is masterwok/CVE-2026-33017-Langflow-POC). CISA put out the active exploitation warning. Third AI framework CVE in a single week.


CVE-2026-5027 — dropped today. Path traversal that chains to cron injection for persistence. Two weaponized PoCs already public: EQSTLab/CVE-2026-5027 and 0xBlackash/CVE-2026-5027. Target endpoints are /api/v2/login, /api/v2/auth, /api/v2/files. RCE patterns hit /bin/sh and /bin/bash. SQLi patterns also confirmed.


Three CVEs, two weeks, one product. That's not a vulnerability. That's a category failure.



The Active Exploiters


These IPs are in our STIX feed right now:


77.110.106.154 — AEZA GROUP LLC (DE). Nuclei scanner. Russian-adjacent hosting that keeps showing up in our indexes for the wrong reasons.


209.97.165.247 — DigitalOcean Singapore. Nuclei scanner.


188.166.209.86 — DigitalOcean Singapore. Nuclei scanner. Same pool as the one above.


205.237.106.117 — PUSHPKT OU (FR). Nuclei scanner.


83.98.164.238 — Accenture B.V. (NL). This one is not a nuclei scanner. It's running a custom exploit with reconnaissance and a stage-2 dropper. Whoever is on this box is past the point of mass scanning. They are picking targets and dropping payloads.


173.212.205.251 — Contabo (FR). Credential harvesting and dropper hosting. They are not just exploiting. They are warehousing what they steal.


The split between commodity scanners (nuclei) and custom tooling (stage-2 droppers, credential harvesting) tells you the campaign has multiple actors at multiple sophistication levels. The script kiddies are spraying. The professionals are picking.



Why AI Framework CVEs Keep Hitting


CVE-2026-5027 is the third Langflow CVE in two weeks. Last month it was n8n — Datavant got hit through an n8n exploit that was on the CISA KEV list. Before that it was Flowise. Before that it was AnythingLLM.


Self-hosted AI agent frameworks are the new IoT cameras. The pattern is exactly the same:


  1. Product ships fast because the AI race rewards speed.

  2. Auth is bolted on as an afterthought because the demos work without it.

  3. The framework needs to execute code (that is the point of an agent).

  4. Code execution plus weak auth equals RCE.

  5. Repeat for every new framework that ships this quarter.

The AI framework attack surface is going to look exactly like the IoT camera attack surface in eighteen months. We are watching it happen in real time.



What To Do Tonight


If you run Langflow:



  1. Pull it off the public internet. Now. Even if you have not patched.

  2. Rotate every credential the instance has touched.

  3. Check /api/v2/login, /api/v2/auth, and /api/v2/files request logs for the IPs above.

  4. Look for cron entries you did not create. CVE-2026-5027 chains to cron injection for persistence.

  5. Look for /bin/sh or /bin/bash invocations from the Langflow process.

  6. Patch when the patch ships. Until then, the firewall is your patch.
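
Step 3 above, sketched as a log triage script. This is an added example, not code from DugganUSA or Langflow. It assumes a reverse proxy in front of Langflow writes combined-format access logs, and the sample lines, including the request shapes, are constructed.

```python
import re
from urllib.parse import unquote

# The six exploiter IPs and the three endpoints named on this page.
EXPLOITER_IPS = {
    "77.110.106.154", "209.97.165.247", "188.166.209.86",
    "205.237.106.117", "83.98.164.238", "173.212.205.251",
}
TARGET_PREFIXES = ("/api/v2/login", "/api/v2/auth", "/api/v2/files")
SHELL_MARKERS = ("/bin/sh", "/bin/bash")  # shell paths the page reports in RCE patterns
# Assumption: combined log format written by a reverse proxy in front of Langflow.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def triage(lines):
    """Return one dict per suspicious line, with the reasons it was flagged."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        # Decode twice so %252f-style double encoding is still visible.
        target = unquote(unquote(m["target"]))
        path = target.split("?", 1)[0]
        reasons = []
        if m["ip"] in EXPLOITER_IPS:
            reasons.append("listed-ip")
        if path.startswith(TARGET_PREFIXES):
            reasons.append("target-endpoint")
        if any(s in target for s in SHELL_MARKERS):
            reasons.append("shell-path")
        # Listed IPs are always reported; other sources only with a shell path.
        if "listed-ip" in reasons or "shell-path" in reasons:
            findings.append({"line": n, "ip": m["ip"], "status": int(m["status"]),
                             "target": target, "reasons": reasons})
    return findings

# Constructed sample log lines (not real traffic, not the real exploit requests).
SAMPLE = [
    '83.98.164.238 - - [08/Apr/2026:21:14:02 +0000] "POST /api/v2/login HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '198.51.100.7 - - [08/Apr/2026:21:14:09 +0000] "GET /api/v2/files?name=report.pdf HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.44 - - [08/Apr/2026:21:15:30 +0000] "GET /api/v2/files?p=%252fbin%252fsh HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    '209.97.165.247 - - [08/Apr/2026:21:16:11 +0000] "GET /health HTTP/1.1" 404 0 "-" "Nuclei"',
]

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

A 200 on a login endpoint from a listed IP, like the first sample line, is the finding to escalate first: it means the request was answered, not just attempted.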

If you do not run Langflow but you run any self-hosted AI agent framework:


  1. Audit what is actually internet-reachable. You probably do not know.

  2. Default-deny inbound on the framework port. Make exceptions only for the IPs that need to talk to it.

  3. Subscribe to a feed that gets you these IPs before the press release.


The Feed


Our STIX feed has all six exploiter IPs above. It is at analytics.dugganusa.com/api/v1/stix-feed. It is free for under 500 queries a day. We do not gate this stuff because the speed gap between vendor blog and active exploitation is what gets people breached.


If your SIEM cannot consume STIX, the IOCs are also at:


  • analytics.dugganusa.com/api/v1/stix-feed/ips.csv

  • analytics.dugganusa.com/api/v1/stix-feed/hashes.csv

  • analytics.dugganusa.com/api/v1/stix-feed/domains.csv

Pull from a script. Block at the firewall. Cost of the firewall block is zero. Cost of the breach is everything.
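
One way to turn a downloaded ips.csv into a firewall block, as an added example that is not DugganUSA's own tooling. The CSV column layout is an assumption (the page does not document it), so the parser takes any cell that is a valid address; the sample rows, the `never_block` parameter and the `feed_block` table name are constructed for illustration.

```python
import csv
import io
import ipaddress

def parse_feed_ips(csv_text, never_block=()):
    """Return sorted, de-duplicated public IPv4 addresses found in any CSV cell."""
    protected = [ipaddress.ip_network(n) for n in never_block]
    keep = set()
    for row in csv.reader(io.StringIO(csv_text)):
        for cell in row:
            try:
                ip = ipaddress.ip_address(cell.strip())
            except ValueError:
                continue  # header, timestamp, label, or malformed value
            if ip.version != 4 or not ip.is_global:
                continue  # drop RFC 1918, loopback, link-local, reserved
            if any(ip in net for net in protected):
                continue  # a feed must never block ranges you depend on
            keep.add(ip)
    return sorted(keep)

def render_nft(ips, table="feed_block"):
    """Render an nftables ruleset that drops inbound traffic from the given IPs."""
    elements = f"        elements = {{ {', '.join(map(str, ips))} }}\n" if ips else ""
    return (
        f"table inet {table} {{\n"
        "    set bad_v4 {\n"
        "        type ipv4_addr\n"
        f"{elements}"
        "    }\n"
        "    chain inbound {\n"
        "        type filter hook input priority -10; policy accept;\n"
        "        ip saddr @bad_v4 drop\n"
        "    }\n"
        "}\n"
    )

# Constructed sample feed; the column layout is assumed, not documented on the page.
SAMPLE_CSV = """\
ip,first_seen,tag
83.98.164.238,2026-04-08,langflow
173.212.205.251,2026-04-08,langflow
83.98.164.238,2026-04-08,duplicate
10.0.0.5,2026-04-08,private
8.8.8.8,2026-04-08,resolver
"""

if __name__ == "__main__":
    print(render_nft(parse_feed_ips(SAMPLE_CSV, never_block=("8.8.8.0/24",))))
```

Write the output to a file, check it with `nft -c -f`, then load it with `nft -f`. The private-range and `never_block` filters are there because an automated blocklist is only as trustworthy as its feed.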



What This Says About AI Infrastructure Maturity


We are eighteen months into the agent framework era and the security model is roughly where IoT cameras were in 2014. Default credentials. RCE by design. Persistence via cron. The same patterns that took the camera industry a decade to half-fix are showing up in the framework that runs your customer support bot.


The fix is not "patch faster." The fix is treating self-hosted AI infrastructure as critical infrastructure from day one. Auth before identity. Network isolation by default. Audit logging that is not optional. The boring controls. The same ones that would have prevented Datavant.


We are going to be writing this same post about a different framework next month. And the month after. The only thing that changes is the CVE number.



Coda


Three CVEs. Two weeks. Six active exploiters in our index. A CISA warning we did not have to wait for because we were looking at the GitHub PoC repos in real time.


The boring architecture is the safe architecture. The unboring AI framework is going to keep getting people breached until somebody bolts on the boring parts.


— DugganUSA LLC, Minneapolis MN


Verify with `curl 'analytics.dugganusa.com/api/v1/search?q=CVE-2026-5027'`. Free tier, no signup required. We make the keys.


