Langflow is affected by a critical unauthenticated remote code execution vulnerability (CVE-2026-33017, CVSS 9.8) that is being actively exploited in the wild and is listed in the CISA KEV catalog with a remediation deadline of April 8, 2026. Any publicly exposed Langflow instance should be taken offline immediately until patched; the flaw allows an attacker to execute arbitrary code without valid credentials by abusing the flow-building interface. Organizations should treat containment and patching as an emergency response item and review the authentication architecture of all AI pipeline tooling.