What happened
According to gbHackers, instances of Langflow that remain unpatched for CVE-2026-33017 are being exploited to exfiltrate cloud credentials and enlist compromised hosts in a NATS-backed worker pool called "KeyHunter." Per gbHackers, citing the Sysdig Threat Research Team, the flaw permits arbitrary Python execution without authentication, which the attacker used to dump process environment variables and directly extract AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
Technical details
Per gbHackers and Sysdig TRT, the actor probed multiple surfaces over roughly 10 hours before exploiting Langflow via its public flow API; gbHackers reports the successful exploitation occurred at 09:12 UTC and that the attacker immediately invoked sts:GetCallerIdentity to validate credentials. The reporting shows subsequent calls across AWS services, including Bedrock:InvokeModel and Bedrock:ListModelInvocationJobs, indicating attempts to run inference on premium models such as Claude and Llama 3. gbHackers also documents the use of a NATS endpoint at 45.192.109.25:14222, configured with authentication and subject-level ACLs, to coordinate harvested keys and worker nodes.
Editorial analysis - technical context
Tools that expose server-side code execution or public flow APIs present a high-risk path to secret exposure when environment variables or in-memory credentials are accessible. Companies and operators running orchestration layers or notebook-like interfaces often find that a single unauthenticated execution vector can lead to cloud credential compromise and lateral cloud abuse.
Context and significance
Industry observers track a repeating pattern where attackers pair credential harvesting with cloud service abuse to monetize access, either by running high-cost inference on third-party accounts or by exfiltrating data from S3 and other services. The appearance of the vulnerability on CISA's KEV list, as reported by gbHackers, increases its visibility for defenders and incident responders.
For practitioners
Monitor public-facing orchestration APIs for unusual requests, rotate and audit keys exposed to affected hosts, and watch for sts:GetCallerIdentity and unexpected Bedrock invocations in CloudTrail. Observers should also look for outbound connections to unfamiliar NATS endpoints and subject-level activity consistent with worker coordination.
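As an added illustration of the CloudTrail check described above (example code written for this summary, not from gbHackers or Sysdig), the script below flags an access key whose sts:GetCallerIdentity validation is followed within a short window by Bedrock API calls, the sequence the reporting attributes to KeyHunter. The sample records are constructed in CloudTrail's JSON shape; key ids, IP addresses and the date are placeholders.

```python
"""Flag the credential-validation-then-Bedrock sequence in CloudTrail records:
sts:GetCallerIdentity from an access key followed by bedrock.amazonaws.com
calls from the same key within a short window."""
from datetime import datetime, timedelta

# Constructed sample records in CloudTrail's JSON shape (not real telemetry);
# key ids, IPs and the date are placeholders.
SAMPLE_EVENTS = [
    {"eventTime": "2026-01-01T09:12:41Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000001"}},
    {"eventTime": "2026-01-01T09:13:05Z", "eventSource": "bedrock.amazonaws.com",
     "eventName": "ListModelInvocationJobs", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000001"}},
    {"eventTime": "2026-01-01T09:13:30Z", "eventSource": "bedrock.amazonaws.com",
     "eventName": "InvokeModel", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000001"}},
    # Benign: a CI key checks its own identity and never touches Bedrock.
    {"eventTime": "2026-01-01T09:20:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "10.0.3.15",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000002"}},
]

def parse_time(ts):
    """CloudTrail eventTime is ISO 8601 UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def find_keyhunter_sequences(events, window_seconds=1800):
    """One alert per access key whose GetCallerIdentity is followed by Bedrock calls."""
    by_key = {}
    for ev in sorted(events, key=lambda e: parse_time(e["eventTime"])):
        by_key.setdefault(ev["userIdentity"].get("accessKeyId"), []).append(ev)
    alerts = []
    for key, evs in by_key.items():
        validated_at, src, bedrock_calls = None, None, []
        for ev in evs:
            t = parse_time(ev["eventTime"])
            if ev["eventSource"] == "sts.amazonaws.com" and ev["eventName"] == "GetCallerIdentity":
                validated_at, src = t, ev["sourceIPAddress"]  # credential check observed
            elif (ev["eventSource"] == "bedrock.amazonaws.com" and validated_at
                  and t - validated_at <= timedelta(seconds=window_seconds)):
                bedrock_calls.append(ev["eventName"])
        if bedrock_calls:
            alerts.append({"accessKeyId": key, "sourceIPAddress": src,
                           "bedrockCalls": bedrock_calls})
    return alerts

if __name__ == "__main__":
    for alert in find_keyhunter_sequences(SAMPLE_EVENTS):
        print("KeyHunter-style sequence:", alert)
```

In practice, feed it the `Records` array of each CloudTrail log file and treat a hit on a key that normally never calls Bedrock as a trigger to rotate that key and review the host it was issued to.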
Key Points
- Unpatched Langflow instances are being exploited to extract in-memory AWS credentials and validate them with sts:GetCallerIdentity.
- Attackers combine credential theft with cloud-service misuse, including attempts to run expensive inference on Bedrock and premium models.
- Operators should monitor for unusual outbound NATS connections and Bedrock API calls as indicators of KeyHunter-style campaigns.
Scoring Rationale
The exploit enables direct theft of AWS credentials and immediate cloud abuse, a notable operational risk for practitioners running orchestration tools. The story is timely and actionable, but it concerns a specific tool rather than a platform-wide paradigm shift.
Sources
Public references used for this report.