What happened
Langflow's file-upload handler accepted filenames like '../../app.py' and wrote files to arbitrary locations. This allowed unauthenticated attackers to write Python files into the application directory and execute them. A fix was available in February 2026, but many instances remained unpatched. By June 2026, active exploitation was confirmed across thousands of instances.
Why it matters
Langflow instances hold API keys for OpenAI, Anthropic, and other LLM providers, plus database credentials and customer data. RCE on a Langflow instance gives attackers access to the entire RAG/agent pipeline, including vector databases, model credentials, and customer-facing agents.
Attack vector
The file-upload endpoint fails to sanitize the 'filename' parameter in multipart form data. An attacker can use path traversal sequences (../) to write arbitrary files to locations outside the intended upload directory, including Python files in the application directory. By uploading a .py file with malicious code and then accessing it via the HTTP server, the attacker achieves RCE.
Affected systems
Langflow 1.8.4 and earlier; the POST /api/v2/files file-upload endpoint
Mitigation
Upgrade Langflow to a version after 1.8.4. Implement strict input validation and restrict file write locations. Apply WAF rules to block path traversal payloads.