Langflow servers under attack as critical vulnerabilities spread across LangChain framework


If you’re building AI agents with Langflow, here’s your wake-up call. Roughly 7,000 publicly exposed Langflow server instances are actively being targeted by attackers exploiting a chain of critical remote code execution vulnerabilities, some of which share DNA with flaws found in the broader LangChain and LangGraph frameworks.

The situation is bad enough that CISA has added multiple Langflow CVEs to its Known Exploited Vulnerabilities catalog.

What’s actually being exploited

The most recent vulnerability in the spotlight is CVE-2026-5027, a path traversal flaw lurking in Langflow’s file upload functionality. It carries a CVSS score of 8.8 out of 10. An unauthenticated attacker can write arbitrary files to a server by sending a crafted POST request to the /api/v2/files endpoint with unsanitized filenames. That file-write capability cascades into full remote code execution and total system compromise.
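The flaw class described above, shown as an added example (not Langflow's code or its actual patch): a naive join of a client-supplied filename beside a hardened resolver. The function names, the upload directory and the sample filenames are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


class UnsafeFilename(ValueError):
    """Client-supplied filename would land outside the upload directory."""


def naive_upload_path(base_dir, client_name):
    # Flaw class: the client's name is joined as-is, so "../" segments or an
    # absolute path decide where the file is written.
    return Path(os.path.normpath(os.path.join(base_dir, client_name)))


def safe_upload_path(base_dir, client_name):
    # Accept a bare file name only: no separators (either style), no dot
    # entries, no NUL byte.
    if (not client_name or client_name in (".", "..")
            or any(c in client_name for c in "/\\\x00")):
        raise UnsafeFilename(repr(client_name))
    base = Path(base_dir).resolve()
    candidate = (base / client_name).resolve()
    # Defence in depth: after resolving symlinks the target must still be
    # inside the upload directory.
    if not candidate.is_relative_to(base):
        raise UnsafeFilename(repr(client_name))
    return candidate


def is_rejected(base_dir, client_name):
    try:
        safe_upload_path(base_dir, client_name)
    except UnsafeFilename:
        return True
    return False


if __name__ == "__main__":
    uploads = Path(tempfile.mkdtemp())  # stand-in for the upload directory
    # Constructed sample filenames, as they would arrive in a multipart upload.
    for name in ["report.pdf", "../outside.txt", "/tmp/outside.txt", "..\\outside.txt"]:
        print(f"{name!r:22} naive -> {naive_upload_path(uploads, name)}  "
              f"hardened rejects: {is_rejected(uploads, name)}")
```

Rejecting the request outright, rather than silently stripping directory components, also gives defenders a clean event to log and alert on.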

CVE-2026-33017, disclosed in March 2026, enabled unauthenticated remote code execution through the platform’s public flow build endpoint. Exploits for that one appeared within 20 hours of disclosure.

CVE-2025-3248, which affected Langflow versions prior to 1.3.0, was so widely exploited that it led to the deployment of the Flodrix botnet. CISA added that vulnerability to its KEV catalog in May 2025, meaning federal agencies were required to patch it under binding operational directives.

The LangChain and LangGraph connection

Langflow is a visual development tool built on top of the LangChain ecosystem, which includes LangGraph for building stateful AI agent workflows. Separate high-severity vulnerabilities disclosed in LangChain and LangGraph in March 2026 carry a CVSS score of 9.3. LangChain and LangGraph collectively see over 60 million weekly downloads. The compounding nature of these vulnerabilities means that organizations running Langflow on top of affected LangChain or LangGraph versions face multiple attack surfaces simultaneously.

Why so many servers are exposed

The roughly 7,000 vulnerable Langflow instances are primarily located in North America. A significant contributing factor is default auto-login configurations. Many deployments appear to have been stood up for experimentation and then left running with internet-facing endpoints and no authentication requirements.

When security researchers measure time-to-exploit in hours rather than days, the traditional patch cycle cannot keep up. Organizations that rely on weekly or monthly patch windows are essentially running with open doors.

What this means for the AI infrastructure market

If you’re running Langflow in production, you need to patch immediately, disable auto-login, and restrict network access to your instances.

The pattern of rapid exploitation targeting Langflow specifically, with attackers weaponizing new CVEs within hours, suggests that threat actors have identified AI development platforms as high-value, low-resistance targets. These servers often have access to sensitive data pipelines, API keys for large language models, and connections to production databases.

The 7,000 exposed instances are a preview of what happens when ease of use outpaces security awareness, and that gap is widening as AI tooling becomes more accessible to non-security-minded developers.

Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.
