Langflow Got Hit in 20 Hours — Here's the Pattern That Keeps Repeating

Last week, a critical RCE dropped for Langflow (CVE-2026-33017). By the time most developers read the advisory, active exploitation had already been running for 20 hours. No public PoC existed. Attackers read the advisory description, built working exploits from scratch, and started scanning the internet for vulnerable instances — all before most teams could schedule a patching window. This is becoming the normal timeline for AI infrastructure CVEs. What happened The bug lives in /api/v1/build_public_tmp/{flow_id}/flow. This endpoint is intentionally unauthenticated — it's designed to serve public flows without login. But it also accepts an optional data parameter that lets callers supply their own flow definition. That flow definition can contain arbitrary Python code in the node definitions. The server passes it to exec() with zero sandboxing. One HTTP POST request. No authentication. Full server-level code execution. curl -X POST https://your-langflow-instance.com/api/v1/build_publi