CVE-2026-33017 is an unauthenticated remote code execution vulnerability in Langflow with a CVSS score of 9.8 and confirmed CISA KEV status; exploitation began within approximately 20 hours of public disclosure. Any internet-exposed Langflow API instance is at immediate risk of full system compromise and lateral movement into connected AI pipeline infrastructure. Because exploitation is active, containment (block port 7860/TCP, restrict API access) should precede patching. Before deploying a fix, verify the fixed version against the official Langflow GitHub releases page and NVD, because a confirmed patch version was not available from authoritative sources at report time.
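
One way to verify the containment step on a Langflow host, as an added example that is not part of the original advisory or the Langflow project: the script parses `ss -H -ltn` output and reports listeners on port 7860 bound to anything other than loopback. The sample output and the function names are constructed for illustration.

```python
import ipaddress
import sys

LANGFLOW_PORT = 7860  # port named in the advisory

# Constructed sample of `ss -H -ltn` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 4096 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 2048 0.0.0.0:7860 0.0.0.0:*
LISTEN 0 2048 [::1]:7860 [::]:*
LISTEN 0 128 10.0.4.17:7860 0.0.0.0:*
LISTEN 0 128 *:22 *:*
LISTEN 0 511 127.0.0.1%lo:7860 0.0.0.0:*
"""

def split_local(field):
    """Split the 'Local Address:Port' column into (address, port)."""
    addr, _, port = field.rpartition(":")
    # Drop IPv6 brackets and any %interface scope suffix.
    return addr.strip("[]").split("%", 1)[0], int(port)

def is_exposed(addr):
    """True when the bind address is reachable from other hosts."""
    if addr in ("*", "0.0.0.0", "::"):
        return True  # wildcard bind: listens on every interface
    return not ipaddress.ip_address(addr).is_loopback

def exposed_listeners(ss_output, port=LANGFLOW_PORT):
    """Return local address:port values that still need containment."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue  # header, blank or non-listening line
        try:
            addr, lport = split_local(cols[3])
            if lport == port and is_exposed(addr):
                findings.append(cols[3])
        except ValueError:
            continue  # unparseable address or non-numeric port
    return findings

if __name__ == "__main__":
    # Usage: ss -H -ltn | python3 check_7860.py  (falls back to the sample)
    data = SAMPLE_SS if sys.stdin.isatty() else sys.stdin.read()
    for hit in exposed_listeners(data):
        print("exposed:", hit)
    sys.exit(1 if exposed_listeners(data) else 0)
```

The check only sees sockets in the network namespace where `ss` ran; ports published by a container runtime or forwarded by a load balancer may not appear in the host's listener table and need a separate review.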