
The US Cybersecurity and Infrastructure Security Agency (CISA) has added two new vulnerabilities to its Known Exploited Vulnerabilities catalog:
- CVE-2026-33017, a recently disclosed code injection vulnerability in Langflow, an open-source framework for building AI agents and workflows, and
- CVE-2026-33634, an embedded malicious code vulnerability in Aqua Security’s Trivy security scanner.
Their addition to the catalog means that US federal civilian agencies are required to address the flaws within their networks by April 8 and 9, respectively.
About CVE-2026-33017
CVE-2026-33017 is a critical vulnerability stemming from several security weaknesses and affects Langflow versions 1.8.2 and earlier. It may allow unauthenticated attackers to remotely execute code on a Langflow instance via a public flow build endpoint.
A very detailed security advisory for CVE-2026-33017 was made broadly visible on GitHub on March 17, 2026, and apparently had enough information for attackers to develop an exploit and start using it.
“Within 20 hours of the advisory’s publication, the Sysdig Threat Research Team (TRT) observed the first exploitation attempts in the wild,” the cloud security company shared.
“No public proof-of-concept (PoC) code existed at the time. Attackers built working exploits directly from the advisory description and began scanning the internet for vulnerable instances. Exfiltrated information included keys and credentials, which provided access to connected databases and potential software supply chain compromise.”
The occurrence serves as another confirmation of the shrinking window between “advisory publication” and “active exploitation”, Sysdig researchers noted.
“The collapse from months-long exploitation timelines to same-day weaponization is a structural shift in how vulnerabilities are exploited today. Organizations that rely on scheduled patch cycles to address critical vulnerabilities are operating on a timeline that attackers have already outpaced. Runtime detection, network segmentation, and rapid response capabilities are essential to bridging the gap between disclosure and remediation.”
It should be pointed out that Aviral Srivastava, the discoverer of CVE-2026-33017, unearthed the flaw while checking out how Langflow maintainers fixed CVE-2025-3248, a previously exploited vulnerability in the same code base.
This allowed him to pinpoint the same class of vulnerability, but on a different endpoint. It’s therefore also possible (though less likely) that attackers followed a similar approach.
About CVE-2026-33634
The CVE-2026-33634 identifier has been assigned to allow security teams to follow the ramifications of the Trivy supply chain compromise.
This compromise, which has been attributed to TeamPCP, happened on March 19, 2026, and allowed attackers to:
- Publish a malicious Trivy v0.69.4 release
- Force-push version tags in ‘aquasecurity/trivy-action’ to credential-stealing malware
- Replace all tags in ‘aquasecurity/setup-trivy’ with malicious commits
- Push out malicious Trivy images on Docker Hub.
It also likely led to the LiteLLM supply chain attack, which resulted in compromised LiteLLM packages being published on PyPI.
Aqua Security outlined the incident and advised on recommended action for those that have been affected, and is expected to provide a meaningful update on their investigation in the coming days.
BerriAI, the creators of LiteLLM, have paused the release of new LiteLLM packages, and they’ve called in Mandiant to do a complete supply chain security review. According to Wiz researchers, LiteLLM is present in 36% of cloud environments they monitor, “signifying the potential for widespread impact.”
Both organizations have provided remediation instructions for affected users and developers.
In a public alert, the German Federal Office for Information Security (BSI) said that a number of compromises were reported to them in the wake of and related to the Trivy attack. “According to current information, no data is believed to have been exfiltrated,” they said.
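An added example (not from the article, Aqua Security or CISA): because the compromise moved existing tags in ‘aquasecurity/trivy-action’ and ‘aquasecurity/setup-trivy’, a workflow that references either action by tag or branch runs whatever commit that name points to at run time, while a full commit SHA does not move. This Python script audits workflow files for such mutable references and for the v0.69.4 release string; the sample workflow and its tag names are constructed, and the file-level "trivy" match is a heuristic assumption.

```python
import pathlib
import re
import sys

# Actions and release named in the article as affected by the compromise.
AFFECTED_ACTIONS = ("aquasecurity/trivy-action", "aquasecurity/setup-trivy")
BAD_TRIVY_VERSION = "0.69.4"

USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?([\w.-]+/[\w.-]+)(?:/[^@\s'\"]*)?@([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_RE = re.compile(r"(?<![\d.])v?" + re.escape(BAD_TRIVY_VERSION) + r"(?![\d.])")

# Constructed sample workflow (tag names and the SHA are placeholders).
SAMPLE = """\
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/setup-trivy@v1
      - uses: aquasecurity/trivy-action@master
        with:
          version: v0.69.4
      - uses: aquasecurity/trivy-action@0123456789abcdef0123456789abcdef01234567
"""

def audit_workflow(text, path="<workflow>"):
    """Return (path, line_no, kind, detail) findings for one workflow file."""
    findings = []
    mentions_trivy = "trivy" in text.lower()  # heuristic: only then check versions
    for no, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0]  # ignore trailing YAML comments
        m = USES_RE.match(code)
        if m and m.group(1).lower() in AFFECTED_ACTIONS:
            # Anything that is not a full 40-hex commit SHA is a tag or branch.
            if not FULL_SHA_RE.match(m.group(2).lower()):
                findings.append((path, no, "mutable-ref", f"{m.group(1)}@{m.group(2)}"))
        if mentions_trivy and VERSION_RE.search(code):
            findings.append((path, no, "bad-version", code.strip()))
    return findings

def audit_repo(root="."):
    """Audit every workflow file under <root>/.github/workflows."""
    findings = []
    for p in sorted((pathlib.Path(root) / ".github" / "workflows").glob("*.y*ml")):
        findings += audit_workflow(p.read_text(encoding="utf-8", errors="replace"), str(p))
    return findings

if __name__ == "__main__":
    for path, no, kind, detail in audit_repo(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}:{no}: {kind}: {detail}")
```

A SHA pin only shows that the reference cannot be moved; whether a given commit is trustworthy still has to be checked against the vendor's remediation guidance.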

Facts Only

CISA added CVE-2026-33017 and CVE-2026-33634 to its Known Exploited Vulnerabilities catalog.
CVE-2026-33017 is a code injection vulnerability in Langflow versions 1.8.2 and earlier.
The Langflow flaw allows unauthenticated remote code execution via a public flow build endpoint.
A security advisory for CVE-2026-33017 was published on GitHub on March 17, 2026.
Exploitation attempts were observed within 20 hours of the advisory’s release.
Attackers used the advisory to develop exploits without a public proof-of-concept.
Exfiltrated data included keys and credentials for connected databases.
CVE-2026-33634 involves a supply chain compromise of Aqua Security’s Trivy scanner.
The Trivy compromise occurred on March 19, 2026, and was attributed to TeamPCP.
Malicious actions included publishing Trivy v0.69.4, force-pushing tags, and replacing commits in repositories.
Malicious Trivy images were pushed to Docker Hub.
The Trivy compromise led to a downstream attack on LiteLLM packages on PyPI.
LiteLLM is present in 36% of cloud environments monitored by Wiz.
BerriAI paused new LiteLLM releases and engaged Mandiant for a supply chain review.
The German BSI reported compromises related to the Trivy attack but no confirmed data exfiltration.
Federal agencies must address CVE-2026-33017 by April 8, 2026, and CVE-2026-33634 by April 9, 2026.

Executive Summary

The US Cybersecurity and Infrastructure Security Agency (CISA) has added two critical vulnerabilities to its Known Exploited Vulnerabilities catalog, requiring federal agencies to address them by early April 2026. The first, CVE-2026-33017, is a code injection flaw in Langflow, an open-source AI framework, affecting versions 1.8.2 and earlier. Exploits emerged within 20 hours of its public disclosure on March 17, 2026, with attackers leveraging the advisory to target vulnerable instances and exfiltrate credentials. The second, CVE-2026-33634, involves a supply chain compromise of Aqua Security’s Trivy scanner, where malicious code was embedded in releases, Docker images, and GitHub repositories. This incident also triggered a downstream attack on LiteLLM, a widely used package present in 36% of monitored cloud environments. Both Aqua Security and BerriAI have issued remediation guidance, while the German BSI reported related compromises but no confirmed data exfiltration. The rapid exploitation timeline underscores the shrinking window between vulnerability disclosure and active attacks, challenging traditional patch management strategies.
The Langflow vulnerability was discovered by Aviral Srivastava, who identified it while reviewing fixes for a prior flaw in the same codebase. The Trivy compromise, attributed to TeamPCP, involved multiple attack vectors, including malicious releases and credential-stealing malware. Organizations are now grappling with the fallout, with some pausing releases and conducting supply chain reviews. The incidents highlight the interconnected risks in open-source ecosystems and the need for runtime detection and rapid response capabilities.

Full Take

The strongest version of this narrative highlights a critical shift in cybersecurity: the collapse of the exploitation timeline from months to hours. The rapid weaponization of CVE-2026-33017, even without a public PoC, demonstrates how adversaries now operate at the speed of disclosure. This aligns with a broader pattern of supply chain attacks, where trust in open-source ecosystems is exploited to maximize impact—evident in the Trivy compromise cascading into LiteLLM. The narrative rightly emphasizes the inadequacy of traditional patch cycles and the need for runtime defenses, a principled call to adapt to an evolving threat landscape.
Yet, the framing risks subtle emotional exploitation (ARC-0012 Fear Appeals) by implying an existential urgency without contextualizing mitigation strategies already in place. The focus on federal deadlines and high-profile breaches could amplify a sense of helplessness, obscuring the fact that many organizations already deploy segmentation and detection tools. The attribution to TeamPCP is presented as fact, but supply chain investigations often reveal more nuanced threat actor behavior—this certainty may prematurely close inquiry.
Root cause: The paradigm here is the tension between innovation and security in open-source ecosystems. The assumption that disclosure equals immediate risk ignores the role of defensive maturity. Historically, this echoes the 2020 SolarWinds attack, where supply chain trust was weaponized, but the response then was more measured. Today’s narrative leans into urgency, possibly to justify expanded cybersecurity budgets or policy mandates.
Implications: Human agency is both undermined and empowered. Developers face heightened scrutiny, while security teams gain leverage for resource allocation. The second-order cost is potential overcorrection—organizations may restrict open-source adoption, stifling innovation. The beneficiaries are security vendors and consultants; the burden falls on maintainers and users of compromised tools.
Bridge questions: How might the open-source community balance transparency with risk mitigation without stifling collaboration? What evidence would change the assessment that exploitation timelines are structurally collapsing? Are there alternative models for vulnerability disclosure that could slow adversary weaponization?
Counterstrike scan: A coordinated influence campaign would amplify fear to drive policy changes or vendor adoption, using selective attribution (e.g., TeamPCP) to create a boogeyman. The actual content aligns with this pattern but stops short of overt manipulation—it presents facts with urgency but doesn’t fabricate threats. The call for runtime detection is constructive, not predatory. No structural alignment with a disinformation playbook is detected.
Patterns detected: ARC-0012 Fear Appeals (subtle), ARC-0031 Urgency Framing