Langflow CVE‑2026‑33017 Exploited to Steal Cloud Keys and Build NATS Botnet

Overview

A newly disclosed vulnerability in Langflow (CVE‑2026‑33017) is being actively exploited to steal AWS credentials and conscript victim systems into a NATS‑based worker botnet. This campaign demonstrates how exposed AI workflow tools can quickly become entry points for large‑scale credential theft and cloud abuse.

Vulnerability Details

  • CVE‑2026‑33017: Unauthenticated remote code execution flaw in Langflow.
  • Exploited via a public endpoint (/api/v1/build_public_tmp//flow) requiring no login.
  • Attackers can dump environment variables directly from the Langflow container.
  • Sensitive values like AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are exposed without phishing or social engineering.

Attack Chain

  1. Initial Exploit: Attacker runs commands in Langflow container, harvesting AWS keys.
  2. Credential Validation: Keys tested via sts:GetCallerIdentity API.
  3. Cloud Reconnaissance: Listing S3 buckets, EC2 instances, logging and identity services.
  4. LLM Abuse: Attempted “LLM jacking” by invoking AWS Bedrock models without payment.
  5. Worker Deployment:
    • Python script (keyhunter_worker.py) and Go binary (worker-linux-amd64) downloaded.
    • Workers scrape API keys from web content and cloud platforms (OpenAI, Anthropic, Hugging Face).
    • Installed as a systemd service under /opt/keyhunter-worker/, configured for persistence.

NATS Botnet Infrastructure

  • Command & Control (C2): NATS broker at 45.192.109.25:14222.
  • Workers subscribe to subjects like task.scan_web, task.validate_aws, task.validate_ai.
  • Results returned via JetStream pull consumers with explicit acknowledgements.
  • The attacker applies least privilege to the botnet itself by restricting the subjects each worker may use, which reduces the risk that a compromised worker exposes operator traffic.

Defensive Guidance

  • Patch Langflow: Upgrade to versions fixing CVE‑2026‑33017.
  • Credential Rotation: Immediately rotate AWS, OpenAI, Anthropic, Hugging Face keys exposed in vulnerable environments.
  • Network Controls: Block outbound traffic to known staging and NATS hosts.
  • Egress Restrictions: Limit AI tooling to specific endpoints, not the open internet.
  • Detection: Monitor for:
    • Suspicious systemd service installs (/opt/keyhunter-worker/).
    • Outbound connections to NATS brokers.
    • AWS runtime anomalies (unexpected S3/EC2 queries).
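
One way to implement the "AWS runtime anomalies" check, as an added example that is not from the original write-up: it groups CloudTrail records by access key and flags a key whose sts:GetCallerIdentity call is followed shortly by the recon and Bedrock calls from the attack chain. The 15-minute window, the two-service threshold, the event names chosen for each step, and the sample records are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Follow-up calls from attack-chain steps 3-4, as CloudTrail eventSource -> eventNames.
FOLLOW_UP = {"s3.amazonaws.com": {"ListBuckets"}, "ec2.amazonaws.com": {"DescribeInstances"},
             "bedrock.amazonaws.com": {"InvokeModel"}}
WINDOW = timedelta(minutes=15)  # assumed correlation window; tune per environment

def _ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def find_key_probing(records, window=WINDOW, min_services=2):
    """Keys that hit >= min_services FOLLOW_UP services within `window` of GetCallerIdentity."""
    by_key = defaultdict(list)
    for rec in records:
        key = rec.get("userIdentity", {}).get("accessKeyId")
        if key:  # records without an access key cannot be tied to a leaked credential
            by_key[key].append(rec)
    hits = {}
    for key, events in by_key.items():
        events.sort(key=_ts)
        for i, ev in enumerate(events):
            if (ev["eventSource"], ev["eventName"]) != ("sts.amazonaws.com", "GetCallerIdentity"):
                continue
            seen = set()  # distinct services touched after this validation call
            for nxt in events[i + 1:]:
                if _ts(nxt) - _ts(ev) > window:
                    break  # events are time-sorted, so nothing later is in the window
                if nxt["eventName"] in FOLLOW_UP.get(nxt["eventSource"], ()):
                    seen.add(nxt["eventSource"])
            if len(seen) >= min_services:
                hits[key] = sorted(seen)
                break  # one alert per key is enough to trigger rotation
    return hits

def _rec(time, source, name, key):  # builds a constructed, CloudTrail-shaped record
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"accessKeyId": key}}

SAMPLE = [  # constructed events; the key IDs are placeholders, not values from the report
    _rec("2026-01-01T10:00:00Z", "sts.amazonaws.com", "GetCallerIdentity", "AKIAEXAMPLELEAKED001"),
    _rec("2026-01-01T10:00:40Z", "s3.amazonaws.com", "ListBuckets", "AKIAEXAMPLELEAKED001"),
    _rec("2026-01-01T10:01:10Z", "ec2.amazonaws.com", "DescribeInstances", "AKIAEXAMPLELEAKED001"),
    _rec("2026-01-01T10:02:00Z", "bedrock.amazonaws.com", "InvokeModel", "AKIAEXAMPLELEAKED001"),
    _rec("2026-01-01T09:00:00Z", "sts.amazonaws.com", "GetCallerIdentity", "AKIAEXAMPLEBENIGN002"),
    _rec("2026-01-01T11:30:00Z", "s3.amazonaws.com", "ListBuckets", "AKIAEXAMPLEBENIGN002"),
]

if __name__ == "__main__":
    print(find_key_probing(SAMPLE))
```

A flagged key is a candidate for the credential rotation described above; keys used by legitimate automation that calls GetCallerIdentity on startup will need an allowlist or a tighter threshold.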

Indicators of Compromise (IoCs)

  • NATS C2: 45.192.109.25:14222
  • Staging Server: 159.89.205.184:8888
  • File Hashes:
    • Go binary: dbee863ad2a39f939be2c7ed76f7d5a8fe000aad2d2b2d32b3e8ec3ee42f
    • Python worker: 323bbf3064d4b83df7920d752636b1acb36f462e58609a815bd8084d1e6
    • Installer script: 16b279aa018c64294d58280636e538f86e3dd9bdcb5734c203373394b7

Final Thought

This campaign underscores how AI workflow tools can become high‑value attack surfaces. By chaining unauthenticated RCE with credential harvesting and NATS‑based orchestration, attackers are building scalable, cloud‑aware botnets. For defenders, the lesson is clear: patch fast, rotate credentials, and monitor AI tooling like any other critical infrastructure.
