LIVE FEED
Langflow LLM Agents Exploited for Ransomware Delivery

Langflow LLM Agents Exploited for Ransomware Delivery

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 SecurityWeek

A documented ransomware attack leveraged agentic AI infrastructure — specifically the Langflow LLM orchestration platform — to automate multi-stage intrusion chains combining known exploitation techniques with real-time LLM reasoning. This marks a significant escalation in threat actor capability, demonstrating that agentic AI can serve as an autonomous attack coordinator rather than merely an assistant. Security teams running self-hosted AI orchestration platforms now face an expanded attack surface where the AI layer itself can be both the entry point and the execution engine.

CVE-2026-5027: Langflow RCE Actively Exploited

CVE-2026-5027: Langflow RCE Actively Exploited

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 The Hacker News

A critical unpatched path traversal vulnerability (CVE-2026-5027, CVSS 8.8) in Langflow, a widely-used open-source AI application builder, is being actively exploited in the wild to achieve unauthenticated remote code execution. Because Langflow enables auto-login by default, attackers require no credentials to reach the vulnerable endpoint and can exploit it with a single HTTP request. With approximately 7,000 publicly exposed Langflow instances and nation-state actors already targeting related Langflow flaws, the risk to AI development infrastructure is severe.

CVE-2026-42208: LiteLLM SQL Injection Exposes API Keys

CVE-2026-42208: LiteLLM SQL Injection Exposes API Keys

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 The Hacker News

A critical SQL injection vulnerability (CVE-2026-42208, CVSS 9.3) in BerriAI's LiteLLM AI gateway was actively exploited within 36 hours of public disclosure, targeting database tables storing upstream LLM provider API keys including OpenAI, Anthropic, and AWS Bedrock credentials. Attackers demonstrated prior knowledge of LiteLLM's internal schema, selectively probing credential and configuration tables while ignoring user and team tables. The blast radius extends far beyond a typical web-app SQL injection, as successful extraction equates to cloud-account-level compromise across multiple AI provider accounts.

CVE-2026-42208: LiteLLM SQL Injection Stealing AI Credentials

CVE-2026-42208: LiteLLM SQL Injection Stealing AI Credentials

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 BleepingComputer

A critical unauthenticated SQL injection vulnerability (CVE-2026-42208) in LiteLLM, a widely-used LLM proxy and SDK middleware, is being actively exploited to extract API keys, provider credentials, and configuration secrets from the proxy database. Exploitation began within 36 hours of public disclosure, with attackers demonstrating precise targeting of sensitive tables containing OpenAI, Anthropic, and Bedrock credentials. The stolen credentials could enable downstream attacks against AI infrastructure at scale, given LiteLLM's broad adoption across LLM application ecosystems.

CVE-2026-33626: LMDeploy SSRF Exploited in 13 Hours

CVE-2026-33626: LMDeploy SSRF Exploited in 13 Hours

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.2 The Hacker News

A critical SSRF vulnerability in LMDeploy (CVE-2026-33626), an open-source LLM deployment toolkit, was actively exploited within 13 hours of public disclosure, with attackers using the vision-language image loader to probe cloud metadata services, internal networks, and exfiltrate data. The attack pattern demonstrates that AI inference infrastructure is being weaponised at speed comparable to traditional CVE exploitation cycles, with no PoC required. This incident reinforces a broader trend of threat actors treating LLM-serving infrastructure as high-value lateral movement targets.

CVE-2025-59528: Flowise RCE Exploited Across 12,000 Instances

CVE-2025-59528: Flowise RCE Exploited Across 12,000 Instances

ATLAS OWASP CRITICAL Active exploitation · Immediate action required ▲ 9.4 The Hacker News

A maximum-severity (CVSS 10.0) remote code execution vulnerability in Flowise, a widely-used open-source AI agent builder, is under active exploitation with over 12,000 internet-exposed instances at risk. The flaw, CVE-2025-59528, exists in the CustomMCP node and allows unauthenticated JavaScript execution with full Node.js runtime privileges via unsanitised MCP server configuration input. This marks the third Flowise vulnerability exploited in the wild, underscoring systemic security gaps in AI orchestration and agent-building platforms.

◉ AI THREAT BRIEFING

Stay ahead of the threat.

Twice-weekly digest of critical AI security developments — every story mapped to MITRE ATLAS and OWASP LLM Top 10. Free.

No spam. Unsubscribe anytime.