CISA Adds Langflow RCE and Trivy Supply Chain Attack to Known Exploited Vulnerabilities List

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) Catalog by adding two actively exploited security issues that organizations should prioritize immediately.

The newly listed vulnerabilities are:

  • CVE-2026-33017 – A critical remote code execution (RCE) vulnerability affecting the Langflow AI workflow platform.
  • CVE-2026-33634 – A supply chain compromise involving Aqua Security's Trivy vulnerability scanner.

Because these vulnerabilities are now included in CISA's KEV catalog, U.S. federal civilian agencies are required to remediate them within the agency-defined deadlines. Their inclusion also serves as a strong signal for private organizations to assess their exposure and apply mitigations without delay.

Critical Langflow Vulnerability Enables Remote Code Execution

CVE-2026-33017 impacts Langflow version 1.8.2 and earlier, an open-source platform used to build AI agents and workflow automation.

The vulnerability is caused by multiple security weaknesses that allow an unauthenticated attacker to execute arbitrary code through a publicly accessible flow build endpoint. Successful exploitation could provide attackers with complete control over a vulnerable Langflow instance.

Exploitation Began Within Hours

A detailed security advisory describing the vulnerability became publicly available on GitHub on March 17, 2026. Although no proof-of-concept exploit had been released, attackers rapidly developed working exploits directly from the technical details contained in the advisory.

Security researchers at Sysdig Threat Research Team (TRT) observed exploitation attempts less than 20 hours after the advisory was published.

According to their findings, attackers were scanning the internet for exposed Langflow servers and attempting to steal:

  • API keys
  • Authentication credentials
  • Database connection details
  • Other sensitive secrets

Compromised credentials could then be used to access connected infrastructure or facilitate additional supply chain attacks.

Faster Exploitation Timelines

This incident highlights a growing trend across the cybersecurity landscape: the time between public disclosure and active exploitation continues to shrink.

Organizations relying solely on routine patch cycles may struggle to respond before attackers begin exploiting newly disclosed vulnerabilities.

Security teams should combine timely patching with additional defensive measures such as:

  • Runtime threat detection
  • Network segmentation
  • Continuous monitoring
  • Rapid incident response capabilities

Discovery of the Vulnerability

Interestingly, the vulnerability was discovered by security researcher Aviral Srivastava while reviewing the fix for CVE-2025-3248, another previously exploited Langflow vulnerability.

During the code review, the researcher identified a similar security flaw affecting a different endpoint, demonstrating how incomplete fixes can sometimes leave related attack paths exposed.

Trivy Supply Chain Compromise Tracked as CVE-2026-33634

CISA also added CVE-2026-33634, which tracks the widespread supply chain compromise affecting Aqua Security's Trivy vulnerability scanner.

Rather than being a traditional software vulnerability, this CVE documents a malicious compromise of Trivy's software distribution process.

What Happened?

The compromise occurred on March 19, 2026 and has been attributed to the threat group TeamPCP.

Attackers successfully:

  • Published a malicious Trivy v0.69.4 release
  • Force-pushed compromised version tags to the aquasecurity/trivy-action GitHub repository
  • Replaced tags in the aquasecurity/setup-trivy repository with malicious commits
  • Distributed compromised Trivy container images through Docker Hub

These malicious releases were designed to steal credentials from systems using the affected software.

Possible Connection to LiteLLM

Security researchers believe the Trivy compromise likely contributed to the LiteLLM supply chain attack, during which malicious LiteLLM packages were published to PyPI.

Following the incident:

  • Aqua Security released remediation guidance and continues its investigation.
  • The LiteLLM development team temporarily suspended new package releases.
  • Cybersecurity firm Mandiant was engaged to perform a full supply chain security review.

According to researchers at Wiz, LiteLLM is present in approximately 36% of the cloud environments they monitor, highlighting the potentially broad impact of the incident.

International Response

Germany's Federal Office for Information Security (BSI) also issued a public advisory after receiving reports of organizations affected by the Trivy compromise.

While several compromises have been reported, current investigations indicate there is no evidence that sensitive data was exfiltrated during the attacks.

Recommended Actions

Organizations using Langflow or Trivy should act immediately.

For Langflow deployments:

  • Upgrade to the latest secure version.
  • Remove public exposure of unnecessary endpoints.
  • Rotate any credentials that may have been accessible.
  • Monitor logs for signs of unauthorized access.

For Trivy users:

  • Verify installed versions and GitHub Actions.
  • Replace any compromised releases with trusted versions.
  • Rotate credentials that may have been exposed.
  • Review CI/CD pipelines for indicators of compromise.
  • Follow remediation guidance published by Aqua Security.

Final Thoughts

These two incidents demonstrate how quickly attackers capitalize on newly disclosed vulnerabilities and how damaging software supply chain compromises can become.

Modern security programs should combine rapid vulnerability management with continuous monitoring, runtime protection, and strong supply chain security practices. As the window between disclosure and exploitation continues to shrink, proactive defense is becoming just as important as timely patching.

 

Contact WEBSITETOON's cybersecurity team if you need help with addressing this vulnerability