What happened
CVE-2026-5027, a path traversal vulnerability (CVSS 8.8) in Langflow's file upload endpoint, allows unauthenticated attackers to write arbitrary files because the endpoint does not properly validate the supplied filename. The vulnerability was patched on April 15, 2026, but active exploitation began in June 2026, roughly two months later, with VulnCheck confirming in-the-wild attacks on June 8-9. Approximately 7,000 Langflow instances remain publicly exposed and unpatched.
Why it matters
Langflow is a widely deployed low-code platform for building AI agents, RAG pipelines, and MCP workflows. Its default auto-login configuration means vulnerable instances require no credentials to exploit. A single unauthenticated POST request can drop arbitrary files, including cron jobs, shell initialization scripts, or application code, leading to full system compromise. Unpatched instances have been sitting in the open for more than two months after the patch was released, indicating slow patch adoption in the AI ecosystem.
Attack vector
An unauthenticated attacker sends a POST request to the /api/v2/files endpoint with a crafted filename parameter containing path traversal sequences (../) and an arbitrary payload. Because Langflow's auto-login is enabled by default, the request needs no credentials. The attacker writes files to arbitrary locations (e.g., /etc/cron.d/ or application directories), escalating to remote code execution on the next cron run or application reload.
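As a defender-side illustration of the vector above, the following Python script is an added example (not code from the advisory, VulnCheck, or the Langflow project). It scans constructed web-server access log lines for POST requests to /api/v2/files whose filename parameter still contains a parent-directory segment after percent-decoding. The combined log format, and the assumption that the upload filename is visible in the logged request URL, are both assumptions made for the example; in a real deployment the filename may only appear in application-level upload logs, where the same is_traversal check applies.

```python
"""Flag path-traversal attempts against a Langflow-style upload endpoint in
access logs. Added example; log layout and field positions are assumed."""
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines (combined log format, assumed). Two requests
# carry traversal sequences, one of them percent-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Jun/2026:10:01:02 +0000] "POST /api/v2/files?filename=report.pdf HTTP/1.1" 201 120 "-" "curl/8.5"
203.0.113.7 - - [09/Jun/2026:10:01:09 +0000] "POST /api/v2/files?filename=../../../etc/cron.d/job HTTP/1.1" 201 120 "-" "python-requests/2.31"
203.0.113.7 - - [09/Jun/2026:10:01:15 +0000] "POST /api/v2/files?filename=%2e%2e%2f%2e%2e%2fapp%2fmain.py HTTP/1.1" 201 120 "-" "python-requests/2.31"
10.0.0.6 - - [09/Jun/2026:10:02:00 +0000] "GET /api/v2/files/abc HTTP/1.1" 200 50 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_PATH = "/api/v2/files"  # endpoint named in the advisory


def is_traversal(value: str) -> bool:
    """True if the value contains a '..' segment or is absolute once fully
    percent-decoded (double encoding such as %252e is unwrapped too)."""
    decoded = value
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    segments = decoded.replace("\\", "/").split("/")
    return ".." in segments or decoded.startswith("/")


def find_upload_traversal(log_text: str) -> List[Dict[str, str]]:
    """Return one record per POST to the upload endpoint whose filename
    parameter looks like a traversal attempt."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != UPLOAD_PATH:
            continue
        # parse_qs performs one level of percent-decoding for us.
        for name in parse_qs(parts.query, keep_blank_values=True).get("filename", []):
            if is_traversal(name):
                hits.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "filename": name,
                    "status": m.group("status"),
                })
    return hits


if __name__ == "__main__":
    for hit in find_upload_traversal(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} filename={hit['filename']!r}")
```

A 2xx status on a flagged request is the signal that matters most: it suggests the write succeeded and the host should be treated as compromised, not merely probed.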
Affected systems
Langflow ≤ 1.8.4; fixed in 1.9.0 (released April 15, 2026)
Mitigation
Upgrade to Langflow 1.9.0 or later immediately; disable auto-login, which is enabled by default, so that the instance requires authentication; restrict network access to Langflow instances; and validate and sanitize filename parameters on the server side.
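The last mitigation, server-side filename validation, is shown below as an added Python example; it is not Langflow's code or its fix, and the function names are hypothetical. The defective pattern (naive_path) joins the client-supplied name onto the upload root, which is exactly what a '..' sequence escapes. The hardened version applies two independent layers: reduce the name to a conservative basename, then resolve the final destination and refuse it unless it remains inside the upload root.

```python
"""Hardened filename handling for a file upload endpoint (added example).
Two layers: sanitize the client-supplied name, then prove the resolved
destination stays inside the upload root."""
import os
import re
from pathlib import Path

# Conservative allow-list for characters in a stored filename.
SAFE_NAME_RE = re.compile(r"[^A-Za-z0-9._-]+")


def naive_path(upload_root: str, filename: str) -> str:
    """The defective pattern: trusting the client name. '..' segments walk
    out of the root, and an absolute name discards the root entirely."""
    return os.path.normpath(os.path.join(upload_root, filename))


def sanitize_filename(filename: str) -> str:
    """Keep only the final path component, with '/' or '\\' separators, and
    replace anything outside the allow-list. Raises on an empty result."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    base = SAFE_NAME_RE.sub("_", base).strip("._")
    if not base:
        raise ValueError("empty or invalid filename")
    return base


def safe_upload_path(upload_root: str, filename: str) -> Path:
    """Return the destination for `filename`, guaranteed to lie inside
    upload_root even if a symlink or '..' would otherwise redirect it."""
    root = Path(upload_root).resolve()
    dest = (root / sanitize_filename(filename)).resolve()
    # Containment check after resolution: the first layer could be bypassed by
    # a future change, so this check must not rely on it.
    if root not in dest.parents:
        raise ValueError("destination escapes upload root")
    return dest


if __name__ == "__main__":
    hostile = "../../../etc/cron.d/job"
    print("naive  :", naive_path("/srv/uploads", hostile))
    print("hardened:", safe_upload_path("/srv/uploads", hostile))
```

On the auto-login point, Langflow's documented configuration controls it through the LANGFLOW_AUTO_LOGIN environment variable (from Langflow's documentation, not from this advisory); setting it to false forces authentication on the instance.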