Path traversal flaw in Langflow exploited in the wild

At a glance:

  • CVE-2026-5027 lets attackers write arbitrary files via the POST /api/v2/files endpoint in Langflow
  • Roughly 7,000 publicly exposed Langflow instances have been identified, many vulnerable to unauthenticated exploitation
  • Users should upgrade to Langflow 1.10.0 (or at least 1.9.0 / langflow-base 0.8.3) to remediate the issue

What happened

Attackers have begun actively exploiting CVE-2026-5027, a high‑severity path traversal vulnerability in the open‑source AI development platform Langflow. The flaw resides in the platform’s file‑upload endpoint (POST /api/v2/files), which fails to sanitise the filename parameter supplied in multipart form data. By injecting ../ sequences, an attacker can write files to arbitrary locations on the server’s filesystem.

The vulnerability was discovered by Tenable at the start of 2026 and publicly disclosed on March 27, 2026 after the Langflow maintainers did not respond to the initial report. Tenable’s advisory highlighted that the endpoint does not require authentication because Langflow enables unauthenticated auto‑login by default, allowing a single unauthenticated request to obtain a valid session token and then write files.

How the exploit works

Caitlin Condon of VulnCheck detailed the attack chain on LinkedIn. First, the attacker sends a crafted multipart request to /api/v2/files with a malicious filename such as ../../../../etc/passwd. Because the platform does not strip path‑traversal characters, the server writes the supplied payload to the targeted location. The attacker can then drop test files, web shells, or other malicious code onto the compromised host.

Censys scans have identified roughly 7,000 publicly exposed Langflow instances over the past 12 months. While this figure includes historical data and may overstate the current exposure, it underscores the broad attack surface presented by default unauthenticated access.

Impact and response timeline

  • Discovery & disclosure – Tenable reported the issue in early 2026; public advisory on 27 Mar 2026.
  • Patch releases – Snyk Security reported a fix in the langflow-base package version 0.8.3 on 30 Mar 2026, and a patch to the Langflow application itself in version 1.9.0. The project released version 1.10.0 on the day of this report, incorporating the latest mitigations.
  • Related activity – Exploitation follows earlier attacks on Langflow vulnerabilities CVE‑2026‑0770, CVE‑2026‑21445, and CVE‑2026‑33017. In 2025, CISA warned about active exploitation of CVE‑2025‑3248, with links to the Iranian MuddyWater threat group.

Recommendations for users

  1. Upgrade immediately to Langflow 1.10.0 (or at minimum 1.9.0) and ensure the langflow-base package is at 0.8.3 or newer.
  2. Disable unauthenticated auto‑login in the configuration to require valid credentials before any API access.
  3. Audit file‑upload endpoints for proper filename sanitisation and restrict filesystem write permissions.
  4. Monitor for suspicious file writes in typical Langflow directories and employ integrity‑checking tools.
  5. Run regular external scans (e.g., Censys, Shodan) to verify that no unintended Langflow instances are publicly reachable.
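
The filename handling described under "How the exploit works", and the audit called for in recommendation 3, shown as an added Python example. It is not Langflow's code or part of the original article; the function names, the allow-list and the sample inputs are assumptions made for illustration. It contrasts the flawed join with a destination check that rejects directory components and confirms the resolved path stays inside the upload root.

```python
import os
import re
from pathlib import Path, PurePosixPath, PureWindowsPath

# Hypothetical names throughout; this is not Langflow's code or layout.
_ALLOWED = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")

# Constructed sample inputs; the first is the filename quoted in the article.
SAMPLE_FILENAMES = ["../../../../etc/passwd", "..\\..\\flow.json",
                    "/tmp/absolute.txt", "..", "report.pdf"]


class UnsafeFilename(ValueError):
    """The client-supplied filename cannot be stored safely."""


def naive_destination(root: Path, filename: str) -> Path:
    # Flawed pattern: the filename is joined as-is. "../" components climb out
    # of the root, and an absolute filename replaces the root entirely.
    return Path(os.path.normpath(root / filename))


def safe_destination(root: Path, filename: str) -> Path:
    # 1. Strip directory parts under both POSIX and Windows separator rules.
    name = PureWindowsPath(PurePosixPath(filename).name).name
    # 2. Reject instead of silently rewriting, so the attempt can be logged;
    #    the allow-list also refuses "", "..", dotfiles and control bytes.
    if name != filename or not _ALLOWED.fullmatch(name):
        raise UnsafeFilename(f"rejected filename: {filename!r}")
    # 3. Resolve and confirm containment; this catches a symlink inside the
    #    root that points somewhere else.
    base = root.resolve()
    dest = (base / name).resolve()
    if not dest.is_relative_to(base):
        raise UnsafeFilename(f"escapes upload root: {filename!r}")
    return dest


def audit(root: Path, filenames: list[str]) -> dict[str, str]:
    """Map each filename to 'accepted' or 'rejected' for a quick endpoint audit."""
    results = {}
    for fn in filenames:
        try:
            safe_destination(root, fn)
            results[fn] = "accepted"
        except UnsafeFilename:
            results[fn] = "rejected"
    return results
```

Running audit() over SAMPLE_FILENAMES against a scratch directory accepts only report.pdf; the rejections are the events worth logging and alerting on.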

Looking ahead

The quick succession of Langflow‑related CVEs suggests that the platform’s rapid development cycle may be outpacing its security hardening. Security researchers recommend that the Langflow community adopt a more rigorous secure‑development lifecycle, including automated static analysis of file‑handling code and mandatory code‑review gates for third‑party contributions. As AI‑centric tooling proliferates, similar supply‑chain risks are likely to surface across other visual development environments.


FAQ

What is CVE-2026-5027 and how does it affect Langflow?

CVE-2026-5027 is a high‑severity path traversal flaw in Langflow’s file‑upload API (`POST /api/v2/files`). The endpoint does not sanitise the `filename` field, allowing an attacker to use `../` sequences to write files anywhere on the server’s filesystem, potentially leading to remote code execution.

Which Langflow versions contain the fix for this vulnerability?

The vulnerability was patched in the `langflow-base` package version **0.8.3** and in the Langflow application version **1.9.0**. The latest release, **1.10.0**, published on the day of the report, includes these fixes and additional hardening.

How many Langflow instances are believed to be exposed, and what should administrators do?

Censys scans have identified roughly **7,000** publicly exposed Langflow instances over the past year. Administrators should immediately upgrade to version 1.10.0, disable unauthenticated auto‑login, enforce strict filename sanitisation, and monitor for unexpected file writes.
