CISA Adds Langflow RCE and Trivy Supply Chain Flaw to Known Exploited Vulnerabilities Catalog
The US Cybersecurity and Infrastructure Security Agency (CISA) has added two high-severity vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: CVE-2026-33017, a critical remote code execution flaw in the AI workflow framework Langflow, and CVE-2026-33634, an embedded malicious code vulnerability tied to a sophisticated supply chain attack against Aqua Security's Trivy scanner. Federal civilian agencies have been mandated to remediate both flaws by April 8 and 9, 2026, respectively. The incidents together paint a stark picture of how quickly the threat landscape can shift — and how interconnected modern software supply chains truly are.
CVE-2026-33017: Critical Remote Code Execution in Langflow
Langflow is an open-source framework widely used for building AI agents and automated workflows. CVE-2026-33017 is a critical code injection vulnerability affecting Langflow versions 1.8.2 and earlier. The flaw exists in a public flow build endpoint and can be exploited by unauthenticated attackers to remotely execute arbitrary code on a vulnerable instance — no credentials required.
A detailed security advisory was published on GitHub on March 17, 2026. What happened next underscores one of the most alarming trends in modern vulnerability exploitation.
Weaponized in Under 20 Hours — Without a Public PoC
According to the Sysdig Threat Research Team (TRT), attackers began exploiting CVE-2026-33017 within 20 hours of the advisory's publication — and critically, no public proof-of-concept (PoC) code existed at the time. Threat actors reverse-engineered a working exploit directly from the advisory's written description and immediately began scanning the internet for vulnerable Langflow instances.
"The collapse from months-long exploitation timelines to same-day weaponization is a structural shift in how vulnerabilities are exploited today. Organizations that rely on scheduled patch cycles to address critical vulnerabilities are operating on a timeline that attackers have already outpaced."
— Sysdig Threat Research Team
The consequences were serious. Exfiltrated data included API keys and credentials, which provided attackers access to connected databases and created the potential for further software supply chain compromise downstream.
A Familiar Vulnerability Class Returns
The flaw was discovered by researcher Aviral Srivastava while investigating how Langflow maintainers patched CVE-2025-3248, a previously exploited vulnerability in the same codebase. By examining the fix, Srivastava identified the same vulnerability class present on a different endpoint — a technique known as variant analysis. This raises the possibility that sophisticated threat actors may have followed an identical analytical path, further compressing the window between patch release and active exploitation.
CVE-2026-33634: The Trivy Supply Chain Compromise
The second KEV addition covers a fundamentally different — and in many ways more dangerous — type of attack. CVE-2026-33634 was assigned to track the ramifications of a coordinated supply chain attack against Aqua Security's Trivy, one of the most widely used open-source container and infrastructure security scanners.
The attack, attributed to the threat actor group TeamPCP, occurred on March 19, 2026, and was multi-pronged in scope:
- A malicious Trivy v0.69.4 release was published to official distribution channels
- Version tags in aquasecurity/trivy-action were force-pushed to point to credential-stealing malware
- All tags in aquasecurity/setup-trivy were replaced with malicious commits
- Malicious Trivy Docker images were pushed to Docker Hub
Cascade Effect: LiteLLM Also Compromised
The Trivy compromise did not stop at Aqua Security's ecosystem. The attack is believed to have directly triggered a secondary supply chain attack against LiteLLM, a popular open-source LLM proxy and gateway, resulting in compromised LiteLLM packages being published to PyPI.
The scale of potential impact is significant. According to Wiz researchers, LiteLLM is present in 36% of cloud environments they actively monitor. BerriAI, the company behind LiteLLM, has paused all new package releases and engaged Mandiant to conduct a comprehensive supply chain security review.
International Fallout and BSI Alert
The incident drew attention beyond the United States. Germany's Federal Office for Information Security (BSI) issued a public alert stating that a number of organizations reported compromises linked to the Trivy attack. The BSI noted that, based on current information, no data exfiltration is believed to have occurred in the reported German cases — though investigations remain ongoing.
Aqua Security has published remediation guidance for affected users and developers, and has indicated a fuller update on their investigation is forthcoming.
What Organizations Should Do Right Now
Both incidents demand immediate action, particularly for organizations operating in cloud-native or AI-driven environments. Key steps include:
- Patch Langflow immediately — upgrade beyond version 1.8.2 and audit any exposed flow build endpoints for signs of unauthorized access
- Audit Trivy usage — check CI/CD pipelines, GitHub Actions workflows, and Docker environments for references to the compromised versions (v0.69.4, affected tags in trivy-action and setup-trivy)
- Review LiteLLM deployments — follow BerriAI's published remediation instructions and treat any recently installed PyPI packages with suspicion
- Rotate credentials — any secrets, API keys, or tokens accessible from environments running the compromised software should be considered potentially exposed and rotated immediately
- Implement runtime detection — as Sysdig noted, scheduled patch cycles are no longer sufficient; runtime monitoring and network segmentation are essential for catching exploitation before damage is done
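The Trivy audit step from the list above, as an added example that is not from the article, CISA or Aqua Security: it scans GitHub Actions workflow files for the two affected actions and for the v0.69.4 release named in the article. The sample workflow, its "v1" tag and its commit SHA are constructed; a sha-pinned result still has to be compared against the commits in Aqua Security's remediation guidance.

```python
import re
import sys
from pathlib import Path

# Named in the article: actions whose tags were repointed, and the malicious release.
AFFECTED_ACTIONS = ("aquasecurity/trivy-action", "aquasecurity/setup-trivy")
USES_RE = re.compile(r"uses:\s*['\"]?([\w.-]+/[\w.-]+)(?:/[^@\s'\"]*)?@([^\s'\"#]+)")
SHA_RE = re.compile(r"[0-9a-f]{40}")
RELEASE_RE = re.compile(r"(?<![\d.])v?0\.69\.4(?![\d.])")

# Constructed sample workflow: the tag "v1" and the 40-hex SHA are placeholders.
SAMPLE = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v1
        with:
          version: v0.69.4
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
      - run: docker run aquasec/trivy:0.69.4 image alpine
"""

def scan_text(text, source="<sample>"):
    """Return (source, line number, kind, detail) for each reference worth reviewing."""
    findings = []
    mentions_trivy = "trivy" in text.lower()
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out steps do not execute
        m = USES_RE.search(line)
        if m and m.group(1).lower() in AFFECTED_ACTIONS:
            # Tags and branches can be force-pushed; only a full commit SHA is immutable.
            kind = "sha-pinned" if SHA_RE.fullmatch(m.group(2)) else "mutable-ref"
            findings.append((source, lineno, kind, f"{m.group(1)}@{m.group(2)}"))
        if mentions_trivy and RELEASE_RE.search(line):
            findings.append((source, lineno, "bad-release", line.strip()))
    return findings

def scan_tree(root):
    findings = []
    for path in sorted(Path(root).glob(".github/workflows/*.y*ml")):
        findings += scan_text(path.read_text(encoding="utf-8", errors="replace"), str(path))
    return findings

if __name__ == "__main__":
    for finding in (scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_text(SAMPLE)):
        print("%s:%d: %s: %s" % finding)
```

Run it with a repository checkout path as the only argument; with no argument it scans the constructed sample.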
Conclusion: The Speed of Exploitation Has Permanently Changed
These two KEV additions are more than a policy obligation for federal agencies — they are a signal to the entire security community. The sub-24-hour exploitation of CVE-2026-33017 without a public PoC, and the cascading supply chain damage from the Trivy compromise, reflect the reality of today's threat environment: attackers are faster, more systematic, and increasingly focused on high-leverage targets like security tooling and AI infrastructure.
The lesson is clear. Relying on periodic patch windows, trusting the integrity of developer tooling without verification, and treating supply chain risk as a secondary concern are no longer defensible postures. Organizations must invest in continuous monitoring, software composition analysis, rapid incident response, and runtime detection — or risk being on the wrong side of an exploitation timeline that attackers have already mastered.