Executive Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert adding two significant, actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The action mandates that Federal Civilian Executive Branch (FCEB) agencies remediate these flaws by a specified deadline. The vulnerabilities are:

• CVE-2026-33017: A critical (CVSS 9.3) unauthenticated remote code execution (RCE) vulnerability in Langflow, a popular open-source framework for building AI applications.
• CVE-2026-33634: An embedded malicious code vulnerability in Aqua Security's Trivy scanner, representing a serious software supply chain compromise. The rapid exploitation of these flaws, especially the Langflow bug, underscores the speed at which threat actors are weaponizing new disclosures. CISA strongly urges all organizations to prioritize patching.

Vulnerability Details

Langflow RCE (CVE-2026-33017)

This vulnerability affects Langflow, an open-source UI for building applications with large language models (LLMs). Its popularity (over 145,000 GitHub stars) makes it a widespread and attractive target.

• CVE ID: CVE-2026-33017
• Severity: Critical
• CVSS Score: 9.3
• Impact: Unauthenticated Remote Code Execution (RCE)
• Description: The flaw allows an attacker with network access to a vulnerable Langflow instance to execute arbitrary code on the server, without needing any credentials. This can lead to a complete takeover of the host system and the AI development environment.

Trivy Supply Chain Compromise (CVE-2026-33634)

This vulnerability represents a classic software supply chain attack, where a trusted security tool was compromised to distribute malware.

• CVE ID: CVE-2026-33634
• Severity: High
• Impact: Malicious Code Execution
• Description: Threat actors managed to embed malicious code within the Trivy vulnerability scanner. When organizations use the compromised version of the tool, the malicious code executes, potentially leading to data theft, ransomware deployment, or further network intrusion.

Exploitation Status

Both vulnerabilities have confirmed evidence of active exploitation in the wild, which is the primary criterion for inclusion in the KEV catalog.

• Langflow (CVE-2026-33017): Exploitation was observed within just 20 hours of its public disclosure, highlighting the extreme speed of modern vulnerability weaponization.
• Trivy (CVE-2026-33634): The supply chain compromise is being actively leveraged to distribute malware to unsuspecting users of the security tool.

Impact Assessment

The impact of these two vulnerabilities is significant and broad:

• Langflow: Compromise of Langflow instances can lead to the theft of sensitive data used in AI models, manipulation of AI application logic, and a pivot point into corporate development networks. This poses a direct threat to organizations investing heavily in AI and LLM technologies.
• Trivy: The supply chain attack on a popular security tool erodes trust and turns a defensive asset into an offensive weapon. It allows attackers to gain an initial foothold in otherwise secure environments, bypassing traditional perimeter defenses. This type of attack is considered a high-risk threat to the entire software ecosystem.

Detection Methods

• For Langflow (CVE-2026-33017):
  • Review web server and application logs for suspicious requests to Langflow endpoints. Look for unusual patterns or payloads that could indicate an RCE attempt.
  • Monitor for unexpected processes being spawned by the Langflow application process on the host server.
• For Trivy (CVE-2026-33634):
  • Verify the integrity of your Trivy scanner binaries. Compare the file hashes of your installed versions against the official hashes provided by Aqua Security.
  • Use EDR and network monitoring to look for anomalous outbound connections or suspicious activity originating from machines where Trivy is executed.

Remediation Steps

Per CISA's Binding Operational Directive (BOD) 22-01, FCEB agencies must patch these vulnerabilities by the specified deadline. CISA strongly recommends all public and private sector organizations do the same.

1. Patch Immediately: Prioritize the deployment of patched versions of Langflow and Trivy across all affected systems. This is the most critical step (M1051 - Update Software).
2. Verify Software Integrity: For Trivy, do not just update; first, verify that your current and past versions are legitimate. If a compromised version was used, assume a breach and initiate incident response procedures.
3. Restrict Access: Limit network access to Langflow instances. Do not expose them to the public internet unless absolutely necessary, and if so, place them behind a properly configured web application firewall (WAF).
4. Audit and Hunt: Proactively hunt for signs of compromise on systems running or having recently run vulnerable versions of this software.