Langflow Exploited to Steal AWS Keys and Deploy NATS Worker

According to gbHackers, instances of Langflow left unpatched for CVE-2026-33017 are being actively abused to steal AWS credentials and deploy a NATS-backed worker pool dubbed "KeyHunter." Per gbHackers, which cites the Sysdig Threat Research Team, the vulnerability allows arbitrary Python execution without authentication, enabling attackers to dump process environment variables and directly extract AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. gbHackers reports the attacker validated stolen credentials via sts:GetCallerIdentity and used them to query AWS services including Bedrock, S3, EC2, Lambda, and IAM. The report adds that the operator used a hardened NATS server at 45.192.109.25:14222 with subject-level ACLs to coordinate worker nodes. gbHackers also notes the vulnerability is listed in CISA's KEV catalog.
What happened
The chain, per gbHackers citing the Sysdig Threat Research Team: Langflow instances unpatched for CVE-2026-33017 accept arbitrary Python from unauthenticated callers; the attacker uses that to dump the Langflow process's environment variables, lifts AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY from them, and enrolls the compromised host in the NATS-backed worker pool the researchers call "KeyHunter."
Technical details
Per gbHackers and Sysdig TRT, the actor probed multiple surfaces over roughly 10 hours before exploiting Langflow via its public flow API; gbHackers reports the successful exploitation occurred at 09:12 UTC and that the attacker immediately invoked sts:GetCallerIdentity to validate the stolen credentials. The reporting shows subsequent calls across AWS services, including bedrock:InvokeModel and bedrock:ListModelInvocationJobs, indicating attempts to run inference on premium models such as Claude and Llama 3 on the victim's account. gbHackers also documents the use of a NATS endpoint at 45.192.109.25:14222, configured with authentication and subject-level ACLs, to distribute harvested keys and coordinate worker nodes.
Editorial analysis - technical context
Tools that expose server-side code execution or public flow APIs present a direct path to secret exposure: any code that runs inside the process can read its environment, and the environment is the first place the AWS SDK credential chain looks for static keys. Operators running orchestration layers or notebook-like interfaces often find that a single unauthenticated execution vector is enough for cloud credential compromise and follow-on abuse of the account. Moving the host to an instance or task role removes the long-lived keys from the environment, but it is not a complete fix: code executing on the host can still obtain the role's temporary credentials from the instance metadata service, so the role's permissions and the lifetime of its credentials bound the damage rather than prevent it.
Context and significance
Industry observers track a repeating pattern where attackers pair credential harvesting with cloud service abuse to monetize access, either by running high-cost inference on third-party accounts or by exfiltrating data from S3 and other services. The appearance of the vulnerability on CISA's KEV list, as reported by gbHackers, increases its visibility for defenders and incident responders.
For practitioners
Monitor public-facing orchestration APIs for unusual requests, rotate and audit any keys that were present on affected hosts, and watch CloudTrail for sts:GetCallerIdentity followed by unexpected Bedrock invocations. GetCallerIdentity requires no permissions and cannot be denied by IAM policy, so the signal is not a failure but the call itself arriving from a source IP or user agent that does not belong to your infrastructure, shortly followed by enumeration or inference calls under the same access key. Observers should also look for outbound connections from Langflow hosts to unfamiliar NATS endpoints and for subject-level traffic consistent with worker coordination.
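The CloudTrail check above, as an added example that is not part of the gbHackers or Sysdig reporting: it groups CloudTrail records by access key, finds each GetCallerIdentity validation call, and flags the key when Bedrock or other enumeration calls follow from the same key within a configurable window. The sample events, key IDs, IPs, timestamps and the follow-on event list are constructed for the example.

```python
"""Correlate CloudTrail records for the validate-then-abuse pattern:
sts:GetCallerIdentity followed within minutes by Bedrock inference or
service enumeration under the same access key. Added example; all sample
data below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)
VALIDATION = ("sts.amazonaws.com", "GetCallerIdentity")
# Follow-on (eventSource, eventName) pairs worth flagging after a
# validation call. Assumed starting list, not exhaustive.
FOLLOW_ON = {
    ("bedrock.amazonaws.com", "InvokeModel"),
    ("bedrock.amazonaws.com", "ListModelInvocationJobs"),
    ("bedrock.amazonaws.com", "ListFoundationModels"),
    ("s3.amazonaws.com", "ListBuckets"),
    ("ec2.amazonaws.com", "DescribeInstances"),
    ("lambda.amazonaws.com", "ListFunctions"),
    ("iam.amazonaws.com", "ListUsers"),
}


def _ev(time, source, name, key, ip, error=None):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "sourceIPAddress": ip, "userIdentity": {"accessKeyId": key}}
    if error:
        rec["errorCode"] = error
    return rec


# Constructed trail: key ...0001 is a CI job that validates itself and much
# later lists instances; key ...0002 is validated from an unfamiliar IP and
# then used against Bedrock, with one denied S3 call.
SAMPLE_EVENTS = [
    _ev("2026-01-01T08:55:00Z", *VALIDATION, "AKIAEXAMPLE000000001", "10.0.0.5"),
    _ev("2026-01-01T09:12:40Z", *VALIDATION, "AKIAEXAMPLE000000002", "203.0.113.7"),
    _ev("2026-01-01T09:13:05Z", "bedrock.amazonaws.com", "InvokeModel",
        "AKIAEXAMPLE000000002", "203.0.113.7"),
    _ev("2026-01-01T09:13:20Z", "bedrock.amazonaws.com", "ListModelInvocationJobs",
        "AKIAEXAMPLE000000002", "203.0.113.7"),
    _ev("2026-01-01T09:14:00Z", "s3.amazonaws.com", "ListBuckets",
        "AKIAEXAMPLE000000002", "203.0.113.7", "AccessDenied"),
    _ev("2026-01-01T09:30:00Z", "ec2.amazonaws.com", "DescribeInstances",
        "AKIAEXAMPLE000000001", "10.0.0.5"),
]


def _t(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _kind(rec):
    return (rec["eventSource"], rec["eventName"])


def correlate(events, known_ips=frozenset(), window=WINDOW):
    """Return one finding per GetCallerIdentity call that is followed, within
    `window`, by follow-on calls made with the same access key."""
    by_key = defaultdict(list)
    for rec in sorted(events, key=_t):
        by_key[rec["userIdentity"].get("accessKeyId", "")].append(rec)
    findings = []
    for key, recs in by_key.items():
        for i, rec in enumerate(recs):
            if _kind(rec) != VALIDATION:
                continue
            t0 = _t(rec)
            follow = [r for r in recs[i + 1:]
                      if _t(r) - t0 <= window and _kind(r) in FOLLOW_ON]
            if not follow:
                continue
            findings.append({
                "access_key_id": key,
                "source_ip": rec["sourceIPAddress"],
                "unfamiliar_ip": rec["sourceIPAddress"] not in known_ips,
                "validated_at": rec["eventTime"],
                "follow_on": [r["eventName"] for r in follow],
                # Denied calls still count: they show the actor probing scope.
                "denied": sum(1 for r in follow if r.get("errorCode")),
            })
    return findings


def keys_to_rotate(findings):
    """Access keys that should be rotated and audited, deduplicated."""
    return sorted({f["access_key_id"] for f in findings})


if __name__ == "__main__":
    found = correlate(SAMPLE_EVENTS, known_ips={"10.0.0.5"})
    for f in found:
        print(f)
    print("rotate:", keys_to_rotate(found))
```

Run against real data by feeding the `Records` array from CloudTrail JSON files in place of `SAMPLE_EVENTS`; the `known_ips` set should be your egress addresses so that an unfamiliar source on the validation call is surfaced alongside the follow-on activity. Widening the window trades precision for recall: the CI key in the sample is only flagged once the window exceeds the 35-minute gap between its validation and its DescribeInstances call.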
Scoring Rationale
The exploit enables direct theft of AWS credentials and immediate cloud abuse, a notable operational risk for practitioners running orchestration tools. The story is timely and actionable, but it concerns a specific tool rather than a platform-wide paradigm shift.


