exhibit-ai

Exhibit A(I): If you self-host Langflow, update now. CVE-2026-33017 is unauthenticated RCE exploited in 20 hours. Attackers harvested API keys from live instances.

If you self-host Langflow, immediate updates are crucial.

If you self-host Langflow, immediate updates are crucial. Recently, a remote code execution vulnerability, CVE-2026-33017, was exploited within 20 hours of discovery.

Several instances had their API keys harvested because of this vulnerability. Langflow's public flow endpoint, which passes user-supplied Python directly to exec() without sandboxing, is at the core of the issue.

What to do this week

Update Langflow: Ensure all instances are updated to the latest patched release to prevent exploitation.
Audit Access Logs: Check your logs for unusual activity or API key access that might indicate a breach.
Review API Key Usage: Rotate any API keys that might have been exposed.
Secure the Endpoint: Consider additional layer of security to prevent direct execution of untrusted code.

Sources

Explain This: Stop Building AI Security Reading Lists and Start Building Decision Lists

Most AI security source lists fail because they optimize for volume, not decisions. Good intake maps each source to a decision, an owner, and a trigger.

Explain This: AI Security News Needs Buckets Before It Needs More Sources

Most teams do not need more AI security news. They need a simple way to sort product risk, supply chain risk, fraud, and governance signal before reacting.

Explain This: AI security intake needs an evidence ladder, not a feed

If your team is triaging AI security from a social feed, you need an evidence ladder before noise hardens into policy.

What to do this week

Sources

Read next