Three months from advisory to active abuse.
The CrowdSec Network is tracking active exploitation of CVE-2026-21445, a critical authentication bypass in Langflow, a fast-growing open-source tool for building and deploying AI agents and workflow automation. With 147,000 GitHub stars, Langflow is one of the most popular open-source projects in this category. CVEs hitting AI frameworks draw attention quickly, too. In this case, public exploit material was available online in early January; a public Nuclei template appeared on 30 March; CrowdSec shipped a detection rule on 1 April; and we observed the first in-the-wild exploitation on 9 April. The activity is still ongoing.
Key findings
- Public exploit material was available early: CVE-2026-21445 was published on 2 January 2026; a public PoC repository was already online by 4 January; the public Nuclei template was merged on 30 March; CrowdSec released a rule on 1 April; and exploitation was first seen on 9 April.
- Exploitation is active but selective: CrowdSec has observed 18 distinct attacking IPs between 9 April and 21 April, suggesting focused reconnaissance and testing rather than noisy internet-wide spraying.
- The exposed data is business-relevant, not just technical: Unauthenticated attackers can access user conversations and transaction histories and delete message sessions, creating both privacy and operational risks.
What is Langflow?
Langflow describes itself as a tool for building and deploying AI agents, workflows, and MCP servers through a visual interface. With 147,000 GitHub stars, it is one of the most popular open-source tools for teams building AI workflows. It is used by developers, platform teams, and internal innovation groups to connect models, prompts, tools, and business data without having to build every workflow from scratch.
Why it matters: When a vulnerability affects an AI workflow platform, the risk extends beyond a single web application. These systems often sit close to internal knowledge bases, user prompts, logs, transaction data, and downstream integrations. If an attacker can walk in without logging in, they may get a preview of how your internal AI workflows operate and what data they touch. Think less “bug in a dashboard” and more “unauthorized visitor wandering through the control room.”
How does CVE-2026-21445 work?
According to the GitHub security advisory, multiple critical Langflow API endpoints were missing authentication controls. That meant an unauthenticated user could query sensitive monitoring endpoints and access data that should be available only to authenticated users.
The publicly documented impact includes exposure of:
- user conversation history
- transaction history
- message session data that can be deleted without authorization
In practical terms, this is a classic case of missing authentication for a critical function. Vulnerable endpoints allowed outsiders to access internal application telemetry and user data without valid credentials. For teams using Langflow to prototype or run customer-facing AI workflows, this can mean privacy exposure, compliance headaches, and a cheap reconnaissance path for attackers who want to understand the system before moving forward.
The public record also tells a useful story for defenders. The CVE was published on 2 January, and public PoC material was already visible online by 4 January. But the operational tempo appears to have changed once broadly reusable scanning content became easier to reuse. A ProjectDiscovery Nuclei template was merged on 30 March, CrowdSec released detection coverage on 1 April, and live exploitation reached the CrowdSec network by 9 April.
Original advisory: GitHub security advisory for GHSA-c5cp-vx83-jhqx
Patch reference: Langflow fix commit
Detection reference: ProjectDiscovery Nuclei template
Reporter profiles: kj84park on GitHub and juh0ng on GitHub
Threat Landscape Analysis
AI framework CVEs attract attention quickly, and Langflow is no exception. The CrowdSec picture is still relatively selective, with 18 attacking IPs observed so far, but the timing matters more than the volume. Public PoC material was available online in early January, and once reusable scanning content landed on 30 March, the vulnerability resurfaced. CrowdSec released a rule on 1 April, and active exploitation was detected in our telemetry within 9 days.
How to protect your systems
- Patch: Upgrade Langflow immediately. The public advisory lists 1.7.1 as the patched release, while NVD notes that versions prior to 1.7.0.dev45 are affected. If you are running an exposed Langflow instance and there is any version uncertainty in your environment, move to the latest supported secure release rather than splitting hairs over the exact boundary.
- Preemptive blocking: If you cannot patch immediately, do not leave Langflow directly exposed to the internet. Restrict access behind a VPN, identity-aware proxy, or tightly scoped allowlist. Use the CrowdSec Security Engine to detect hostile behavior, and place the CrowdSec WAF in front of internet-facing applications to filter suspicious requests before they reach vulnerable endpoints. You can also review the latest intelligence in CrowdSec CTI.
Stay proactive: Audit any AI workflow or internal tooling platforms that expose monitoring, chat, or transaction endpoints. Review access controls for APIs that were originally built for convenience during development. Subscribe to CrowdSec Intelligence Blocklists to block aggressive sources automatically.