Summary

CISA has placed two high-severity flaws on its Known Exploited Vulnerabilities (KEV) catalog: CVE-2026-33017, a critical unauthenticated remote code execution bug in the Langflow AI workflow framework, and CVE-2026-33634, an embedded-malicious-code issue stemming from a supply chain compromise of Aqua Security's Trivy scanner. Federal civilian agencies must remediate the two flaws by April 8 and April 9, 2026, respectively. The Langflow bug was weaponized in under a day with no public exploit available, while the Trivy attack rippled outward into other widely used open-source projects — together illustrating how fast and how interconnected today's software supply chains have become.

CVE-2026-33017: Unauthenticated RCE in Langflow

Langflow is a popular open-source toolkit for assembling AI agents and automated workflows. The vulnerability is a critical code-injection flaw that affects Langflow version 1.8.2 and all earlier releases. It lives in a publicly reachable flow build endpoint, and because no authentication is required, an attacker on the network can trigger arbitrary code execution on an exposed instance without any credentials.

A full security advisory landed on GitHub on March 17, 2026. What followed has become a textbook example of how compressed modern exploitation timelines have grown.

From advisory to active exploitation in under 20 hours

The Sysdig Threat Research Team (TRT) reported that adversaries were already exploiting CVE-2026-33017 within 20 hours of the advisory going live — and there was no public proof-of-concept in circulation at that point. Attackers reconstructed a functioning exploit purely from the written technical description in the advisory, then began sweeping the internet for reachable Langflow deployments.

As Sysdig put it:

"The collapse from months-long exploitation timelines to same-day weaponization is a structural shift in how vulnerabilities are exploited today. Organizations that rely on scheduled patch cycles to address critical vulnerabilities are operating on a timeline that attackers have already outpaced."

The fallout was tangible. Stolen data included API keys and credentials, which in turn handed attackers reach into connected databases and opened the door to further downstream supply chain compromise.

A known vulnerability class, surfacing again

Researcher Aviral Srivastava found the flaw while studying how the Langflow maintainers had fixed CVE-2025-3248, an earlier exploited bug in the same project. Reviewing that patch, Srivastava noticed the identical vulnerability class persisted on a different endpoint — an approach known as variant analysis. The concern is that capable threat actors could have walked the same analytical path, shrinking the gap between a patch shipping and exploitation beginning even further.

CVE-2026-33634: The Trivy supply chain compromise

The second KEV entry tracks a categorically different — and arguably more dangerous — kind of incident. CVE-2026-33634 documents the consequences of a coordinated supply chain attack against Aqua Security's Trivy, one of the most widely deployed open-source scanners for containers and infrastructure.

Attributed to the threat group TeamPCP and dated March 19, 2026, the operation hit multiple distribution channels at once:

  • A malicious Trivy v0.69.4 release was pushed to official distribution channels.
  • Version tags in aquasecurity/trivy-action were force-pushed to point at credential-stealing malware.
  • Every tag in aquasecurity/setup-trivy was overwritten with malicious commits.
  • Malicious Trivy Docker images were uploaded to Docker Hub.

Knock-on effect: LiteLLM compromised too

The damage didn't stay contained to Aqua Security's ecosystem. Investigators believe the Trivy breach directly seeded a follow-on supply chain attack against LiteLLM — a widely used open-source LLM proxy and gateway — which led to malicious LiteLLM packages being published to PyPI.

The blast radius is considerable: Wiz researchers say LiteLLM appears in 36% of the cloud environments they monitor. BerriAI, the company behind LiteLLM, has halted all new package releases and brought in Mandiant for a full supply chain security review.

International response and a BSI alert

The incident reached well beyond the US. Germany's Federal Office for Information Security (BSI) issued a public warning that several organizations had reported compromises tied to the Trivy attack. The BSI stated that, on current information, no data exfiltration is believed to have occurred in the German cases, though the investigations are still open. Aqua Security has released remediation guidance for affected users and developers and says a more complete update on its investigation is coming.

What to do right now

Both incidents call for immediate action, especially for teams running cloud-native or AI-driven stacks.

  • Patch Langflow now. Upgrade past version 1.8.2 and audit any internet-facing flow build endpoints for evidence of unauthorized access.
  • Audit Trivy usage. Inspect CI/CD pipelines, GitHub Actions workflows, and Docker environments for references to the compromised artifacts — v0.69.4, and the affected tags in trivy-action and setup-trivy.
  • Review LiteLLM deployments. Follow BerriAI's published remediation steps and treat any recently installed PyPI packages as suspect.
  • Rotate credentials. Any secrets, API keys, or tokens reachable from systems that ran the compromised software should be treated as potentially exposed and rotated.
  • Add runtime detection. As Sysdig stressed, scheduled patch windows alone no longer cut it — runtime monitoring and network segmentation are essential to catch exploitation before it does damage.

Technical background: variant analysis and supply chain trust

The Langflow case is a clean illustration of variant analysis — taking a known fix and hunting for the same flawed pattern elsewhere in the codebase. When a project patches one instance of, say, unsanitized input flowing into a code-execution path, the same anti-pattern frequently survives on sibling endpoints. Defenders and attackers alike can grep a repository for the vulnerable construct after a patch lands. A simple starting point is comparing the fix commit against the rest of the tree:


# Inspect what a security fix actually changed
git show <fix-commit-sha>

# Then search the codebase for the same risky pattern elsewhere
grep -rn "exec\|eval\|compile\|subprocess" --include="*.py" .

The Trivy incident highlights the other major exposure: implicit trust in mutable references. Git tags and latest-style Docker tags can be force-pushed or re-pointed, so pinning to a tag is not the same as pinning to known-good code. Pin GitHub Actions to a full commit SHA rather than a tag, and pin container images by digest:


# Fragile — a tag can be force-pushed to malicious code
- uses: aquasecurity/trivy-action@v0.69.4

# Safer — pin to an immutable commit SHA
- uses: aquasecurity/trivy-action@<full-40-char-commit-sha>

# Pin a container image by immutable digest, not a mutable tag
docker pull aquasecurity/trivy@sha256:<digest>

These generic practices won't undo a compromise that has already happened, but combined with credential rotation and runtime monitoring they shrink the window an attacker can operate in.

The takeaway

These two KEV additions are more than a compliance checkbox for federal agencies. The sub-24-hour exploitation of CVE-2026-33017 with no public PoC, and the cascading supply chain damage from the Trivy compromise, capture where the threat landscape now sits: attackers are quicker, more methodical, and increasingly aimed at high-leverage targets such as security tooling and AI infrastructure. Periodic patch windows, blind trust in developer tooling, and treating supply chain risk as an afterthought are no longer defensible. Continuous monitoring, software composition analysis, fast incident response, and runtime detection are the difference between staying ahead of an exploitation timeline and getting caught on the wrong side of it.

References: CISA KEV alert (CVE-2026-33017) · NVD — CVE-2026-33017 · CVE.org — CVE-2026-33017