In a chilling demonstration of how AI convenience can compromise cloud security, attackers are now actively exploiting CVE-2026-33017—a critical vulnerability in Langflow. By targeting this open-source AI orchestration tool, threat actors are bypassing logins to steal AWS access keys and conscripting servers into a sophisticated new botnet.
First added to the CISA KEV catalog in March 2026, this unauthenticated remote code execution (RCE) flaw has become a “golden ticket” for hackers looking to fund their operations through “LLM-jacking” and credential theft.
How the Attack Works: From API to AWS
Researchers from Sysdig recently tracked a campaign where an attacker gained full control of a Langflow instance in under 30 minutes.
The Attack Chain:
- The Entry: The attacker hits a public, unauthenticated endpoint (/api/v1/build_public_tmp/) to execute commands directly within the Langflow container.
- The Heist: Using simple environment commands, the attacker dumps sensitive variables, instantly exposing AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
- The Pivot: With keys in hand, the attacker performs a “cloud sweep,” enumerating S3 buckets and EC2 instances before moving to AWS Bedrock to run expensive AI models on the victim’s dime.
“KeyHunter”: The NATS-Powered Botnet
This is more than a simple data breach. Attackers are installing a toolset called KeyHunter to turn compromised hosts into permanent workers.
- The Malware: A Python-based worker and a Go binary are deployed to systematically scrape the web and cloud sandboxes for even more API keys (OpenAI, Anthropic, etc.).
- The Command Center: Unlike traditional botnets that use web panels, KeyHunter uses a NATS message broker for command and control (C2). This allows the operator to queue tasks and receive stolen data in real-time through an encrypted, high-speed messaging channel.
- Persistence: A deployment script ensures the malware runs as a system service, allowing it to survive reboots and maintain a long-term foothold.
Critical Indicators of Compromise (IoCs)
Security teams should immediately monitor for these signals:
- C2 Server: 45.192.109.25:14222 (NATS Broker)
- Staging Server: 159.89.205.184:8888 (Malware Hosting)
- Python Worker (SHA-256): 323bbf3064d4b83df7920d752636b1acb36f462e58609a815bd8084d1e6
- KeyHunter Activity: Look for unauthorized calls to the sts:GetCallerIdentity AWS API.
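As an added example (not code from Sysdig or the Langflow project), the sketch below correlates CloudTrail records to surface the pattern described above: an sts:GetCallerIdentity call from an unexpected address, followed by S3, EC2 or Bedrock activity on the same access key. The 30-minute window, the expected-IP list, the function names and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed correlation window, tune to your environment
# Event sources for the "cloud sweep" stages; confirm against your own trail.
SWEEP_SOURCES = {"s3.amazonaws.com", "ec2.amazonaws.com", "bedrock.amazonaws.com"}

def _ts(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def find_sweeps(events, expected_ips, min_services=2):
    """Flag access keys that call sts:GetCallerIdentity from an IP outside
    expected_ips and then touch >= min_services of S3/EC2/Bedrock in WINDOW."""
    by_key = {}
    for ev in sorted(events, key=_ts):
        key = ev.get("userIdentity", {}).get("accessKeyId")
        if key and ev.get("sourceIPAddress") not in expected_ips:
            by_key.setdefault(key, []).append(ev)
    alerts = []
    for key, evs in by_key.items():
        for i, ev in enumerate(evs):
            if (ev["eventSource"], ev["eventName"]) != ("sts.amazonaws.com", "GetCallerIdentity"):
                continue
            touched = sorted({e["eventSource"] for e in evs[i + 1:]
                              if e["eventSource"] in SWEEP_SOURCES
                              and _ts(e) - _ts(ev) <= WINDOW})
            if len(touched) >= min_services:
                alerts.append({"accessKeyId": key, "sourceIP": ev["sourceIPAddress"],
                               "start": ev["eventTime"], "services": touched})
                break  # one alert per key is enough to trigger rotation
    return alerts

def _ev(t, src, name, ip, key):  # builds one constructed sample record
    return {"eventTime": f"2026-01-01T{t}Z", "eventSource": f"{src}.amazonaws.com",
            "eventName": name, "sourceIPAddress": ip, "userIdentity": {"accessKeyId": key}}

# Constructed CloudTrail-style records (not real logs); documentation IPs, placeholder key ids.
SAMPLE = [
    _ev("09:00:00", "bedrock", "InvokeModel", "198.51.100.7", "AKIAEXAMPLEAPP"),  # normal app use
    _ev("10:00:05", "sts", "GetCallerIdentity", "203.0.113.50", "AKIAEXAMPLEAPP"),
    _ev("10:01:10", "s3", "ListBuckets", "203.0.113.50", "AKIAEXAMPLEAPP"),
    _ev("10:02:30", "ec2", "DescribeInstances", "203.0.113.50", "AKIAEXAMPLEAPP"),
    _ev("10:09:00", "bedrock", "InvokeModel", "203.0.113.50", "AKIAEXAMPLEAPP"),
    _ev("11:00:00", "sts", "GetCallerIdentity", "203.0.113.99", "AKIAEXAMPLECI"),  # lone check
    _ev("12:00:00", "sts", "GetCallerIdentity", "198.51.100.7", "AKIAEXAMPLEOPS"),  # expected IP
    _ev("12:00:30", "s3", "ListBuckets", "198.51.100.7", "AKIAEXAMPLEOPS"),
    _ev("12:01:00", "ec2", "DescribeInstances", "198.51.100.7", "AKIAEXAMPLEOPS"),
]
ALERTS = find_sweeps(SAMPLE, expected_ips={"198.51.100.7"})
print(ALERTS)
```

Only the first key is flagged: the lone identity check and the sweep from the expected address stay below the threshold, which keeps routine SDK and operator activity from generating alerts.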
How to Protect Your AI Infrastructure
If you are running Langflow, the time to act is now.
- Patch Immediately: Update Langflow to the latest version to close the CVE-2026-33017 endpoint.
- Rotate All Keys: If your instance was internet-facing, assume it is compromised. Rotate your AWS, OpenAI, and Hugging Face keys immediately.
- Restrict Egress: Configure your firewall to ensure AI tools can only talk to known LLM endpoints, blocking outbound traffic to unknown IP addresses or NATS ports (e.g., 14222