CVE-2026-33017 (CVSS 9.8, EPSS 90th percentile) is a code injection vulnerability (CWE-94) in the Langflow AI agent framework. It was actively exploited within 20 hours of public disclosure, which underscores the urgency of patching developer-deployed AI infrastructure. The specific affected version ranges and the confirmed patch version could not be independently verified from the sources accessible during this session; they require human validation against the NVD entry and the official Langflow GitHub releases before operational patching decisions are finalized. Organizations should immediately isolate all internet-facing Langflow instances and rotate all credentials and API keys accessible to or stored within Langflow pipeline configurations.