    InfoSec News Nuggets 03/24/2026

By admin, March 24, 2026


    Critical Langflow Flaw CVE-2026-33017 Triggers Attacks Within 20 Hours of Disclosure

    A critical security flaw in Langflow — the popular open-source AI workflow platform used to build and deploy AI agent pipelines in thousands of enterprise environments — came under active exploitation within 20 hours of its public disclosure, with no proof-of-concept code even available at the time attackers began scanning for vulnerable instances. CVE-2026-33017 (CVSS 9.3) stems from a missing authentication check in the /api/v1/build_public_tmp/{flow_id}/flow endpoint, which is intentionally unauthenticated to serve public AI flows; when an attacker supplies a malicious data parameter containing arbitrary Python code in the node definitions, that code is passed directly to exec() with zero sandboxing, resulting in immediate remote code execution — a one-HTTP-request exploit that security researcher Aviral Srivastava described as “extremely easy” to trigger. Censys found 1,156 exposed Langflow servers at the time of disclosure, with 360 confirmed to be running a vulnerable version; operators should update to the latest patched release, audit all environment variables and secrets, rotate every stored credential, restrict Langflow instances behind a reverse proxy or firewall, and monitor for unexpected outbound connections to callback services.
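Because the affected endpoint is intentionally unauthenticated, the most useful first triage signal for a defender is simply who is hitting it and how often. The script below is an added example (not Langflow's code and not from the advisory): it parses constructed web-server access-log lines in common log format, isolates requests to the /api/v1/build_public_tmp/{flow_id}/flow path named above, and counts hits per source address that falls outside an assumed trusted network (10.0.0.0/8 here, a placeholder for your own proxy or automation ranges). The sample addresses, timestamps and flow_id values are made up. Note the limit of this approach: access logs do not record the POST body, so the malicious data parameter itself is only visible in reverse-proxy or WAF logs that capture request bodies; this check tells you the endpoint was reached from an unexpected source, which is the moment to pull those logs and start credential rotation.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in common log format; not real traffic.
# Addresses, timestamps and flow_id values are made up for the example.
SAMPLE_LOG = """\
10.0.4.12 - - [24/Mar/2026:09:01:07 +0000] "GET /api/v1/flows HTTP/1.1" 200 5120
198.51.100.23 - - [24/Mar/2026:09:02:11 +0000] "POST /api/v1/build_public_tmp/3f2a9c1e/flow HTTP/1.1" 200 312
198.51.100.23 - - [24/Mar/2026:09:02:13 +0000] "POST /api/v1/build_public_tmp/7b11d0aa/flow HTTP/1.1" 200 298
203.0.113.77 - - [24/Mar/2026:09:05:40 +0000] "POST /api/v1/build_public_tmp/3f2a9c1e/flow HTTP/1.1" 500 0
10.0.4.12 - - [24/Mar/2026:09:06:02 +0000] "POST /api/v1/build_public_tmp/3f2a9c1e/flow HTTP/1.1" 200 310
10.0.4.12 - - [24/Mar/2026:09:07:00 +0000] "GET /health HTTP/1.1" 200 2
"""

# Path of the unauthenticated endpoint named in the advisory; the {flow_id}
# segment is matched generically, and a trailing query string is tolerated.
BUILD_PUBLIC_RE = re.compile(r"^/api/v1/build_public_tmp/[^/?\s]+/flow(?:[?/]|$)")

# Common log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed networks from which build requests are expected (reverse proxy,
# internal automation). Placeholder value; set this for your environment.
TRUSTED_NETS = [ip_network("10.0.0.0/8")]


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_trusted(ip, trusted_nets=TRUSTED_NETS):
    """True if ip belongs to one of the trusted networks; malformed ips are untrusted."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in trusted_nets)


def find_build_hits(log_text, trusted_nets=TRUSTED_NETS):
    """Every request to the build_public_tmp endpoint, tagged with source trust."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not BUILD_PUBLIC_RE.match(rec["path"]):
            continue
        rec["trusted"] = is_trusted(rec["ip"], trusted_nets)
        hits.append(rec)
    return hits


def untrusted_sources(hits):
    """Count build_public_tmp requests per source address outside the trusted networks."""
    return Counter(h["ip"] for h in hits if not h["trusted"])


if __name__ == "__main__":
    hits = find_build_hits(SAMPLE_LOG)
    print(f"{len(hits)} build_public_tmp requests, "
          f"{sum(not h['trusted'] for h in hits)} from untrusted sources")
    for ip, n in untrusted_sources(hits).most_common():
        print(f"  {ip}: {n}")
```

On the constructed sample this reports four requests to the endpoint, three of them from the two untrusted addresses; a 500 response from an untrusted source is worth the same attention as a 200, since a failed build attempt still shows the endpoint was reachable from outside. Feed it your real access log in place of SAMPLE_LOG, and treat any untrusted source as a trigger for the secret audit and credential rotation the advisory recommends.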


    Crunchyroll Probes Breach After Hacker Claims to Steal 6.8M Users’ Data

    A threat actor contacted BleepingComputer claiming to have breached Crunchyroll on March 12 by compromising the Okta SSO account of a support agent employed by Telus Digital — the same Canadian BPO giant that separately confirmed a massive ShinyHunters-linked breach — and using that access to download roughly 8 million support ticket records from Crunchyroll’s Zendesk instance, representing 6.8 million unique customer email addresses along with names, login names, IP addresses, geographic locations, and the full contents of support tickets. Crunchyroll confirmed the incident in a statement to BleepingComputer, saying the data appears limited to customer service ticket data and that no evidence of ongoing system access was found, though the hacker claimed to have demanded a $5 million ransom that went unanswered. The breach is the latest example of business process outsourcing companies serving as a single point of compromise for multiple downstream organizations — one compromised BPO employee’s SSO account was enough to reach Crunchyroll’s entire customer support data estate, and organizations that outsource customer support should be auditing their BPO partners’ access controls, SSO configurations, and data minimization practices as urgently as they would their own. (Note: BleepingComputer blocks automated fetches but is fully accessible in-browser.)


    Hacker Walks Away With $24.5 Million After Breaching Resolv DeFi Platform

    A hacker exploited a flash loan vulnerability in Resolv, a decentralized finance stablecoin protocol, to drain approximately $24.5 million from the platform’s liquidity pools, triggering a 70% collapse in the price of Resolv’s native RLP token before the attacker exited with an estimated $24.5 million in profit across multiple wallets — Cybernews estimated the actual profit closer to $25 million after accounting for gas costs and routing fees. Resolv acknowledged the exploit and said it is working with blockchain security firm Chainalysis to trace the funds, while temporarily suspending deposits and withdrawals; the platform had been audited multiple times by leading smart contract security firms prior to the attack. The incident adds to a string of DeFi exploits in early 2026, following the Step Finance $40 million treasury theft in January, and reinforces that even repeatedly audited DeFi protocols remain highly susceptible to complex economic attacks that exploit interactions between legitimate protocol mechanics rather than simple code bugs — a class of vulnerability that traditional smart contract audits frequently miss.


    Oracle Releases Emergency Patch for Critical Identity Manager Vulnerability

    Oracle issued an out-of-band emergency patch on March 23 for CVE-2026-21992 (CVSS 9.8), a critical unauthenticated remote code execution vulnerability affecting Oracle Identity Manager and Oracle Web Services Manager — both part of the Oracle Fusion Middleware suite — that allows an unauthenticated attacker with HTTP network access to fully compromise both products, potentially resulting in complete system takeover. Oracle’s advisory notes the vulnerability affects versions 12.2.1.4.0 and 14.1.2.1.0 of both products and describes it as “easily exploitable,” and while Oracle has not clearly stated whether the flaw has been actively exploited, the decision to release an emergency out-of-band patch outside of the regular quarterly Critical Patch Update cycle is itself a strong signal of urgency that security teams should treat as a de facto exploitation indicator. Oracle Identity Manager is widely deployed in enterprise environments as a core identity governance and access provisioning platform, meaning successful exploitation could give attackers the ability to create or modify privileged accounts, harvest credentials, and move laterally through any environment that relies on OIM for IAM operations. (Note: SecurityWeek blocks automated fetches but is fully accessible in-browser.)


    Experts Insist Trump Administration’s Cyber Strategy Is Already Paying Off

    At RSAC 2026 in San Francisco on Monday, a panel of representatives from major cybersecurity vendors, consulting firms, venture capital, and a law firm made an affirmative case that the Trump administration’s two-week-old national cyber strategy is already producing tangible results — pointing specifically to the U.S. seizure of Handala’s psychological operations domains days after the strategy’s release, the botnet disruption operation targeting Aisuru, KimWolf, JackSkid, and Mossad announced last week, and the Resolv-adjacent Lazarus Group cryptocurrency sanctions as early evidence that the strategy’s “impose costs” framing is more than rhetoric. The discussion reflected a notable dynamic at RSAC this year: the federal government was largely absent from the conference floor, with no CISA Director, no National Cyber Director, and no senior Pentagon cyber officials participating in official programming — a departure from recent years that several attendees described as reflecting both the Trump administration’s skepticism of the security industry’s traditional D.C. conference circuit and ongoing vacancies across government cyber leadership positions. Panelists cautioned that the hardest test of the strategy will be whether the promised interagency operational cell — designed to pair offensive cyber operations with arrests, sanctions, and diplomatic pressure in a coordinated sequence — actually materializes as a durable institution or fades into the same inter-agency coordination gaps that have undermined similar efforts in past administrations.

    The post InfoSec News Nuggets 03/24/2026 appeared first on AboutDFIR – The Definitive Compendium Project.
