Langflow instances left unpatched against CVE-2026-33017 are now being actively abused not just for remote code execution, but as launchpads to steal AWS keys and join a NATS-backed botnet-style worker pool dubbed “KeyHunter.”
The vulnerability, now listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, affects Langflow’s public flow-building endpoint and allows arbitrary Python execution without authentication, giving attackers full access to environment variables and application secrets.
In this incident, the operator first probed an LMDeploy instance and a LiteLLM surface over roughly 10 hours, then turned to Langflow as the final step in a credential-harvest-and-replay cycle.
At 09:12 UTC, the threat actor successfully exploited CVE-2026-33017 against the Langflow target’s public flow API, dumping the process environment and directly extracting AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY from memory.
On May 5, 2026, the Sysdig Threat Research Team (TRT) observed an attacker exploiting Langflow’s unauthenticated RCE vulnerability, CVE-2026-33017, to seize control of an AI pipeline and pivot into the victim’s AWS environment.
Within minutes, the attacker invoked sts:GetCallerIdentity with those credentials to confirm they were valid, then fanned out across AWS Bedrock, S3, EC2, Lambda, IAM, and other services in a classic scoped-key reconnaissance sweep.
Bedrock-specific calls such as Bedrock:InvokeModel and Bedrock:ListModelInvocationJobs show the operator attempting “LLMjacking”, that is, hijacking access to premium foundation models like Claude and Llama 3 to run high-cost inference workloads on someone else’s cloud bill.
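The validate-then-fan-out pattern described above can be hunted in CloudTrail. The following is an added detection sketch, not code from Sysdig or from the incident: it flags any access key that calls sts:GetCallerIdentity and then touches several distinct services within a short window. The sample records, key IDs, IP addresses, window and threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

def _ev(t, key, source, name, ip):
    # Build a record carrying only the CloudTrail fields this check reads.
    return {"eventTime": t, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip, "userIdentity": {"accessKeyId": key}}

STOLEN, DEPLOY = "AKIAEXAMPLESTOLEN001", "AKIAEXAMPLEDEPLOY002"  # constructed key IDs
# Constructed sample records (times and IPs are made up, not taken from the incident).
SAMPLE_EVENTS = [
    _ev("2026-05-05T09:15:10Z", STOLEN, "sts.amazonaws.com", "GetCallerIdentity", "203.0.113.7"),
    _ev("2026-05-05T09:15:40Z", STOLEN, "bedrock.amazonaws.com", "ListModelInvocationJobs", "203.0.113.7"),
    _ev("2026-05-05T09:16:05Z", STOLEN, "bedrock.amazonaws.com", "InvokeModel", "203.0.113.7"),
    _ev("2026-05-05T09:16:30Z", STOLEN, "s3.amazonaws.com", "ListBuckets", "203.0.113.7"),
    _ev("2026-05-05T09:17:00Z", STOLEN, "ec2.amazonaws.com", "DescribeInstances", "203.0.113.7"),
    _ev("2026-05-05T09:17:20Z", STOLEN, "iam.amazonaws.com", "ListUsers", "203.0.113.7"),
    _ev("2026-05-05T08:00:00Z", DEPLOY, "sts.amazonaws.com", "GetCallerIdentity", "198.51.100.20"),
    _ev("2026-05-05T08:00:05Z", DEPLOY, "s3.amazonaws.com", "ListBuckets", "198.51.100.20"),
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def find_recon_sweeps(events, window=timedelta(minutes=15), min_services=4):
    """Return one finding per access key that validates itself, then fans out."""
    by_key = {}
    for e in sorted(events, key=lambda e: e["eventTime"]):
        by_key.setdefault(e["userIdentity"]["accessKeyId"], []).append(e)
    findings = []
    for key, evs in by_key.items():
        for i, e in enumerate(evs):
            if (e["eventSource"], e["eventName"]) != ("sts.amazonaws.com", "GetCallerIdentity"):
                continue
            start = _ts(e["eventTime"])
            after = [x for x in evs[i + 1:] if _ts(x["eventTime"]) - start <= window]
            # Distinct services touched after validation, ignoring further STS calls.
            services = sorted({x["eventSource"].split(".")[0] for x in after} - {"sts"})
            if len(services) >= min_services:
                findings.append({"accessKeyId": key, "sourceIPAddress": e["sourceIPAddress"],
                                 "validated_at": e["eventTime"], "services": services,
                                 "bedrock": "bedrock" in services})
                break  # one finding per key is enough to trigger rotation
    return findings

if __name__ == "__main__":
    for f in find_recon_sweeps(SAMPLE_EVENTS):
        print(f)
```

A key that an application only ever uses for one service should never match; tune `min_services` against your own baseline before alerting on it.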
Langflow CVE-2026-33017 Exploited
Where this campaign stands out is not the AWS reconnaissance pattern, but the attacker’s choice of command-and-control: a hardened NATS server running as covert C2 infrastructure.
A single worker could scrape shared code snippets from platforms like CodePen, JSFiddle, StackBlitz, and CodeSandbox, harvest leaked API keys, and verify both AWS and commercial LLM keys before reporting them back to the operator.
Instead of HTTP panels or chat apps like Discord and Telegram, the operator used a NATS endpoint at 45.192.109.25:14222, configured with authentication and subject-level Access Control Lists (ACLs), to coordinate worker nodes in their KeyHunter project.
Sysdig’s telemetry captured the download of a Python worker and a Go-based worker binary from 159.89.205.184, both wired to NATS and branded as KeyHunter, a name borrowed from an open-source key discovery tool.
The Python worker advertised four capabilities (scan_cde, scan_web, validate_aws, and validate_ai), which doubled as NATS subjects (task.scan_cde, task.scan_web, task.validate_aws, task.validate_ai) and mapped to distinct monetization channels spanning cloud dev environments and AI API providers.
The NATS server itself enforced strict subject-level permissions, limiting what a compromised worker could publish or subscribe to.
When the Python worker tried to send a heartbeat on heartbeat.worker, the server rejected it with a “permissions violation for publish” error, prompting the operator to inject a quick enumeration script via the exploit channel to brute-force which subjects the worker role could use.
The resulting list (heartbeat.worker, worker.hb, worker.heartbeat, several result.* subjects, and workers.heartbeat) showed that the role was confined to heartbeats and result publication only, with no ability to subscribe to control subjects or spy on other workers’ traffic.
This design applies the principle of least privilege at the C2 layer: even if defenders hijack a worker node, they cannot easily pivot into the NATS bus or impersonate the controller.
The Go worker further relied on NATS JetStream pull consumers with explicit acknowledgments, ensuring tasks are durably queued and re-delivered if a node crashes or is taken offline.
Combined with a systemd-based installer (deploy.sh) that sets Restart=always and raises file-descriptor limits to 65,535, the infrastructure is tuned for high-concurrency scraping and long-lived persistence across commodity cloud instances.

Static analysis of the KeyHunter binaries shows a specialized focus on online code sandboxes rather than code repositories like GitHub, using multiple extraction strategies per platform to survive UI and API changes.
The Go worker integrates uTLS to mimic real browser TLS fingerprints and leverages a headless-browser sidecar for JavaScript-heavy pages, indicating conscious effort to evade bot detection on services such as CodeSandbox and StackBlitz.
Captured regex patterns and optional gitleaks integration reveal broad credential coverage, from AWS, OpenAI, and Anthropic to Stripe, Slack, private keys, and database URLs.
Operationally, the operator’s OPSEC remains relatively weak: no effort to scrub logs, turn off history, or disguise the systemd unit name, and even a leaked Windows build path in a crashing Go binary.
Yet the combination of Langflow RCE, automated AWS reconnaissance, and NATS-as-C2 shows a small but technically capable crew that prioritizes scale over stealth, leaning on cheap VPS nodes, multi-architecture workers, and resilient messaging over heavily hardened implants.
For defenders, this incident underscores the need to patch Langflow quickly, monitor AI and Bedrock usage anomalies, and start treating message brokers like NATS as potential C2 channels, not just backend plumbing.
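One way to act on the advice to treat NATS as a potential C2 channel is to recognise its plaintext client protocol in egress traffic regardless of port. The following is an added example, not code from the report: it parses each direction of a reassembled TCP stream for the NATS `INFO`/`CONNECT` handshake, published subjects and permission errors. The captured bytes, the `result.aws` subject, the destination address and the `approved` broker list are constructed assumptions.

```python
import json

def parse_nats(payload: bytes) -> dict:
    """Summarise one direction of a reassembled TCP stream as NATS protocol lines."""
    s = {"info": None, "connect": False, "pub": [], "sub": [], "denied": []}
    pos = 0
    while pos < len(payload):
        end = payload.find(b"\r\n", pos)
        if end < 0:
            break
        verb, _, rest = payload[pos:end].decode("utf-8", "replace").partition(" ")
        pos = end + 2
        verb = verb.upper()
        if verb == "INFO":  # server banner: INFO {json}
            try:
                doc = json.loads(rest)
            except ValueError:
                continue
            if isinstance(doc, dict) and "server_id" in doc:
                s["info"] = {"version": doc.get("version"),
                             "auth_required": doc.get("auth_required", False)}
        elif verb == "CONNECT":
            s["connect"] = True
        elif verb == "PUB":  # PUB <subject> [reply-to] <#bytes>, then the payload
            parts = rest.split()
            if len(parts) >= 2 and parts[-1].isdigit():
                s["pub"].append(parts[0])
                pos += int(parts[-1]) + 2  # skip payload so it is never read as a command
        elif verb == "SUB":
            parts = rest.split()
            if len(parts) >= 2:
                s["sub"].append(parts[0])
        elif verb == "-ERR" and "permissions violation" in rest.lower():
            s["denied"].append(rest.strip("'"))
    return s

def unapproved_nats_session(server: dict, client: dict, dst: str, approved: set) -> bool:
    """True when a full NATS handshake is seen to a broker not on the approved list."""
    return bool(server["info"] and client["connect"] and dst not in approved)

# Constructed capture: the first PUB payload deliberately looks like a SUB command.
SERVER_BYTES = (b'INFO {"server_id":"NCONSTRUCTED","version":"2.10.0","auth_required":true}\r\n'
                b"-ERR 'Permissions Violation for Publish to \"heartbeat.worker\"'\r\n")
CLIENT_BYTES = (b'CONNECT {"verbose":false,"name":"worker"}\r\n'
                b"PUB heartbeat.worker 19\r\nSUB task.scan_web 1\r\n"
                b"PUB result.aws 2\r\nok\r\n")

if __name__ == "__main__":
    srv, cli = parse_nats(SERVER_BYTES), parse_nats(CLIENT_BYTES)
    print(cli["pub"], srv["denied"], unapproved_nats_session(srv, cli, "203.0.113.50:14222", set()))
```

This only works on unencrypted NATS sessions; where the broker requires TLS, fall back to destination and port allow-listing for hosts that have no business talking to a message bus.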
Indicators of compromise
| Indicator | Type |
| --- | --- |
| 45.192.109.25:14222 | NATS C2 |
| 159.89.205.184:8888 | Staging HTTP |

| File | SHA-256 | Size |
| --- | --- | --- |
| worker-linux-amd64 | dbee863ad2a39f939be2c7ed76f7d5a8fe000aad2d2b2d32b3e8ec3ee42f1c25 | 9,453,752 |
| keyhunter_worker.py | 323bbf3064d4b83df7920d752636b1acb36f462e58609a815bd8084d1e6b004c | 10,979 |
| deploy.sh | 16b279aa018c64294d58280636e538f86e3dd9bdcb5734c203373394b72d101a | 1,424 |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

