A campaign tracked under Langflow vulnerability CVE-2026-33017 is being actively exploited to steal AWS access keys from compromised Langflow instances and enlist victim systems as workers in a NATS-based botnet. The flaw resides in Langflow, a third-party open-source AI workflow tool, but exposed deployments commonly hold AWS credentials used to wire Langflow into cloud services, making AWS customers running Langflow the primary loot target. Reporting describes ongoing in-the-wild exploitation of internet-exposed Langflow servers, with attackers exfiltrating cloud keys and deploying secondary payloads. AWS customers operating Langflow should patch to the fixed version, audit IAM credentials configured in Langflow flows, rotate any keys that may have been exposed, and review CloudTrail for anomalous activity originating from those keys. This is distinct from prior AWS-related advisories tracked in recent alerts.
// Alert
AWS threat report
// AWSHIGH
// Get alerts for AWS