What happened
Langflow's file-upload endpoint fails to sanitize the 'filename' parameter, allowing attackers to write files to arbitrary filesystem locations. Default auto-login feature eliminates authentication requirement. Arbitrary file write can be escalated to RCE via configuration/startup file overwrites.
Why it matters
Langflow is a low-code platform for building AI agents and RAG pipelines and sits at the core of many AI orchestration deployments. RCE as unauthenticated user exposes all connected API keys, vector DB credentials, and model endpoints. Active exploitation confirmed by VulnCheck on 2026-06-09; third Langflow RCE this year.
Attack vector
POST /api/v2/files endpoint with path traversal sequences (../) in unsanitized 'filename' parameter; combined with auto-login default behavior allows unauthenticated RCE via cron/startup file injection
Affected systems
Langflow ≤ 1.8.4 (fixed in 1.9.0, released 2026-04-15)
Mitigation
Upgrade to Langflow 1.9.0 or later; disable auto-login; restrict network access via VPN/reverse proxy; disable write permissions where possible