What happened
Langflow's file upload endpoint fails to sanitize the 'filename' parameter, allowing path traversal to write files to arbitrary locations. VulnCheck confirmed active in-the-wild exploitation on 2026-06-09. The Hacker News reported the exploitation on 2026-06-10. Despite a fix being available for 2+ months (since April 15), mass exploitation continues against unpatched deployments.
Why it matters
Langflow is a primary platform for building AI agents, RAG pipelines, and MCP-based workflows. Unauthenticated RCE grants attackers full code execution in the context of the Langflow process, exposing agent source code, API integrations, RAG vector store credentials, and tool definitions. An attacker can inject malicious agents or workflows into the platform.
Attack vector
Unauthenticated attacker sends POST request to /api/v2/files with unsanitized 'filename' parameter containing directory traversal sequences (../) to write files to arbitrary filesystem locations, achieving RCE through executable placement
Affected systems
Langflow versions prior to 1.9.0 (released 2026-04-15)
Mitigation
Update Langflow to version 1.9.0 or later; audit exposed instances for compromise evidence