---
title: "Langflow Flaw Exploited to Steal AWS Keys and Deploy Botnet"
date: 2026-05-14
author: "Sofia Ramirez"
featured_image: "https://sqmagazine.co.uk/wp-content/uploads/2026/05/langflow-flaw-exploited-to-steal-aws-keys.jpg"
categories:
  - name: "Cybersecurity"
    url: "/cybersecurity.md"
tags:
  - name: "News"
    url: "/tag/news.md"
---

# Langflow Flaw Exploited to Steal AWS Keys and Deploy Botnet

A newly exploited vulnerability in Langflow is being used by attackers to steal AWS credentials, abuse cloud services, and deploy a stealthy NATS based worker botnet across compromised systems.

## Quick Summary – TLDR:

- Attackers are exploiting CVE-2026-33017, a critical Langflow vulnerability tied to unauthenticated remote code execution.
- Stolen AWS keys are being used to access cloud resources, query AI services, and deploy botnet workers.
- Researchers linked the campaign to a NATS powered infrastructure called KeyHunter.
- Security experts warn that exposed AI workflow tools are becoming a major target for cloud credential theft.

## What Happened?

Security researchers have uncovered an active campaign targeting vulnerable **Langflow** instances exposed to the internet. The attacks exploit **CVE-2026-33017**, a recently disclosed flaw that allows attackers to execute Python code remotely without authentication.

According to reports from **Sysdig Threat Research Team** and coverage by **gbHackers**, attackers are abusing the vulnerability to extract sensitive environment variables, including active AWS access credentials, directly from compromised systems.

> CVE-2026-42048 Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.0, Langflow is vulnerable to Path Traversal in the Knowledge Bases API (DE… <https://t.co/XQIV9orQms>
> 
> — CVE (@CVEnew) [May 12, 2026](https://twitter.com/CVEnew/status/2054340979713282074?ref_src=twsrc%5Etfw)

 ## How the Langflow Exploit Works?

The vulnerability exists in a public Langflow API endpoint that can be accessed without login credentials. By sending specially crafted requests to the vulnerable endpoint, attackers can execute commands inside the Langflow container and dump environment variables stored by the application.

Researchers said the attackers specifically searched for credentials such as:

- **AWS\_ACCESS\_KEY\_ID**
- **AWS\_SECRET\_ACCESS\_KEY**
- **Session tokens and cloud authentication variables**

Once stolen, the credentials were immediately validated using the AWS **sts:GetCallerIdentity** API to confirm they were active.

The attackers then began cloud reconnaissance operations that included:

- **Listing S3 buckets**
- **Enumerating EC2 instances**
- **Querying IAM permissions**
- **Accessing AWS Bedrock services**
- **Checking Lambda and logging services**

Researchers observed attempts to interact with premium AI models through **AWS Bedrock**, suggesting the attackers may have been trying to run expensive AI workloads using stolen cloud accounts.

## KeyHunter Botnet Activity Emerges

One of the most concerning parts of the campaign is the deployment of a worker framework known as **KeyHunter**. The tooling appears designed to turn compromised systems into nodes within a larger credential harvesting network.

Researchers found that the attackers downloaded both **Python** and **Go** based worker payloads shortly after gaining access to vulnerable Langflow servers.

The malware connects to a NATS messaging server located at **45.192.109.25:14222**, where workers receive commands and return harvested data. Instead of using a traditional command and control panel, the attackers rely on **NATS**, a lightweight messaging platform commonly used in distributed applications.

The worker infrastructure reportedly supports tasks such as:

- **Validating AWS credentials.**
- **Testing [OpenAI and Anthropic](https://sqmagazine.co.uk/openai-vs-anthropic-statistics/) API keys.**
- **Scraping websites for exposed secrets.**
- **Collecting cloud development credentials.**
- **Coordinating worker activity through subject based channels.**

Researchers noted that the attackers even configured subject level permissions inside the NATS server to limit worker visibility and improve operational security.

## Attackers Attempted Container Escape

The investigation also revealed attempts to escalate access beyond the compromised Langflow container itself.

According to Sysdig researchers, the attackers attempted to use known [Linux](https://sqmagazine.co.uk/linux-statistics/) privilege escalation techniques including **DirtyPipe** and **DirtyCred**. These exploits are commonly used to break out of containers and gain deeper access to the host system.

Although some of the Go based payloads reportedly failed due to memory limitations, the attackers successfully continued operations using Python workers.

## Why AI Workflow Tools Are Becoming Targets?

The campaign highlights growing risks around internet exposed AI orchestration platforms like Langflow.

These tools often have deep access to:

- **Cloud environments**
- **AI APIs**
- **Databases**
- **Development pipelines**
- **Sensitive environment variables**

A single vulnerable endpoint can therefore expose an entire cloud environment to attackers. Security researchers warn that AI workflow platforms are increasingly attractive targets because they centralize access to multiple services and credentials.

The inclusion of **CVE-2026-33017** in the **CISA Known Exploited Vulnerabilities catalog** further signals the seriousness of the issue.

## Recommended Security Measures

Researchers recommend that organizations immediately update Langflow instances to patched versions and rotate any credentials that may have been exposed.

Additional recommendations include:

- **Restricting public access to Langflow APIs.**
- **Monitoring CloudTrail logs for unusual AWS activity.**
- **Blocking outbound connections to suspicious NATS servers.**
- **Applying least privilege IAM policies.**
- **Tightening egress filtering for AI infrastructure.**
- **Auditing exposed environment variables inside containers.**

Security teams are also advised to monitor for suspicious Bedrock activity and unexpected **sts:GetCallerIdentity** API calls, which may indicate credential validation attempts.

## SQ Magazine Takeaway

I think this incident is another warning sign that AI infrastructure is quickly becoming one of the biggest targets in [cloud security](https://sqmagazine.co.uk/cloud-computing-statistics/). Tools like Langflow make AI development easier, but they also concentrate massive amounts of access in one place. A single exposed endpoint was enough here to expose AWS accounts, AI services, and cloud resources in minutes.

What stands out most is how organized this operation looks. The attackers were not simply stealing credentials. They were building a scalable worker network designed for long term cloud abuse and AI resource hijacking. Companies deploying AI workflow platforms now need to treat them with the same security priority as production cloud infrastructure.