CVE-2026-33017 is a CVSS 9.8 unauthenticated RCE in Langflow exploiting unrestricted use of Python’s exec() function, with confirmed active exploitation reported within 20 hours of public disclosure — indicating automated attacker tooling is already operational. Any internet-exposed Langflow instance should be treated as potentially compromised until patched or isolated; specific affected version ranges are not confirmed and must be validated against official Langflow release notes and the NVD entry before scoping remediation. Organizations should immediately restrict or take offline unpatched instances and hunt for exec()-driven process spawning and unexpected outbound connections from Langflow hosts.
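One way to run the hunt described above over exported host telemetry, as an added example that is not from the advisory or the Langflow project: it walks process-creation events to build the Langflow process lineage, then flags non-Python descendants and outbound connections outside an allowlist. The JSON event schema, field names, `EXPECTED_IMAGES`, `ALLOWED_NETS`, the host name and all sample events are assumptions constructed for illustration; map them to your own EDR or auditd data.

```python
import ipaddress
import json
from pathlib import PurePosixPath

# Constructed sample telemetry, not real logs. Field names are assumptions.
SAMPLE_EVENTS = """\
{"type":"proc","host":"lf-01","pid":4001,"ppid":1,"image":"/usr/bin/python3","cmd":"python3 -m langflow run"}
{"type":"proc","host":"lf-01","pid":4120,"ppid":4001,"image":"/usr/bin/python3","cmd":"python3 -m langflow run"}
{"type":"proc","host":"lf-01","pid":4388,"ppid":4120,"image":"/bin/sh","cmd":"sh -c uname -a"}
{"type":"proc","host":"lf-01","pid":4389,"ppid":4388,"image":"/usr/bin/curl","cmd":"curl 203.0.113.50"}
{"type":"conn","host":"lf-01","pid":4120,"dst_ip":"10.20.0.15","dst_port":5432}
{"type":"conn","host":"lf-01","pid":4389,"dst_ip":"203.0.113.50","dst_port":80}
{"type":"proc","host":"lf-01","pid":5000,"ppid":1,"image":"/bin/bash","cmd":"bash -l"}
"""

EXPECTED_IMAGES = {"python", "python3"}                 # assumption: normal Langflow children
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/16")]   # assumption: internal DB/API range


def hunt(lines):
    """Return findings for Langflow-descended processes and their egress."""
    events = [json.loads(l) for l in lines.splitlines() if l.strip()]
    lineage, findings = set(), []
    for ev in events:  # events are assumed to arrive in time order
        key = (ev["host"], ev["pid"])
        if ev["type"] == "proc":
            parent = (ev["host"], ev["ppid"])
            if "langflow" in ev["cmd"] or parent in lineage:
                lineage.add(key)  # track the whole subtree, not just direct children
                name = PurePosixPath(ev["image"]).name
                if parent in lineage and name not in EXPECTED_IMAGES:
                    findings.append(("unexpected_child", ev["host"], ev["pid"], ev["cmd"]))
        elif ev["type"] == "conn" and key in lineage:
            dst = ipaddress.ip_address(ev["dst_ip"])
            if not any(dst in net for net in ALLOWED_NETS):
                findings.append(("unexpected_egress", ev["host"], ev["pid"],
                                 f'{ev["dst_ip"]}:{ev["dst_port"]}'))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Image-name matching does not flag a Python child spawned by the Langflow process, so review the command lines of Python descendants separately. PID reuse over long time windows can also distort the lineage, so scope the input to the period under investigation.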