Severity: high | Category: Data Breaches | CVE-2026-5027

Critical Path Traversal Flaw in Langflow Exploited, Immediate Upgrade Advised

A critical path traversal vulnerability in the AI development platform Langflow (CVE-2026-5027) is being actively exploited. Attackers can write arbitrary files to exposed servers without authentication, because the platform's default auto-login feature lets requests reach the affected endpoint without credentials. The flaw affects Langflow versions prior to 1.9.0 and langflow-base package versions prior to 0.8.3. Users are urged to upgrade immediately to mitigate this risk.

Summary

Langflow, an open-source AI development platform with over 149,000 GitHub stars, is under active attack due to a high-severity path traversal vulnerability (CVE-2026-5027). This flaw allows attackers to write files to arbitrary locations on the filesystem by exploiting the 'POST /api/v2/files' endpoint. Tenable discovered this issue and disclosed it publicly in March 2026 after failing to receive a response from Langflow's team. The vulnerability was patched in version 1.9.0 of Langflow and version 0.8.3 of the langflow-base package. Despite these fixes, attackers are exploiting the flaw on unpatched instances.

What happened

The vulnerability arises because the 'POST /api/v2/files' endpoint does not properly sanitize the 'filename' parameter taken from the multipart form data. An attacker can therefore place path traversal sequences such as '../' in the filename to write files to directories outside the intended upload location. The exposure is made worse by Langflow's default unauthenticated auto-login setting, which means no credentials are needed to reach the vulnerable endpoint.
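To make the defect class concrete, here is an added illustrative example (not Langflow's code, and not taken from any of the sources) that contrasts a hypothetical vulnerable pattern, where the multipart 'filename' is joined straight into the upload directory, with a hardened version that accepts only a bare file name and then re-checks that the resolved target still lies inside the upload root. The upload directory path and the function names are assumptions made for the example.

```python
# Added illustrative example; this is not Langflow's code. It contrasts the defect class
# described above (a client-supplied multipart "filename" joined straight into the upload
# directory) with a hardened version that rejects anything but a single plain path component
# and then re-checks that the resolved target stays inside the upload root.
from __future__ import annotations

import os
from pathlib import Path


class UnsafeFilename(ValueError):
    """Raised when a client-supplied filename cannot be confined to the upload root."""


def unsafe_target_path(upload_root: str, filename: str) -> str:
    """Vulnerable pattern (hypothetical): join the filename from the multipart part as-is.

    os.path.join follows '..' segments and discards everything before an absolute
    component, so the result can point anywhere on the filesystem.
    """
    return os.path.normpath(os.path.join(upload_root, filename))


def safe_target_path(upload_root: str, filename: str) -> Path:
    """Hardened pattern: accept only a bare file name, then verify the resolved target.

    Rejecting (rather than silently stripping) directory components keeps traversal
    attempts visible to the caller, which can log them.
    """
    if filename in ("", ".", "..") or "\x00" in filename:
        raise UnsafeFilename(f"rejected filename: {filename!r}")
    # Both separators are checked so Windows-style '..\\' sequences are caught on any OS.
    if "/" in filename or "\\" in filename:
        raise UnsafeFilename(f"directory component in filename: {filename!r}")
    root = Path(upload_root).resolve()
    target = (root / filename).resolve()
    # Defence in depth: even after the checks above, confirm the final path is under root
    # (this also rejects a name that already exists as a symlink pointing outside root).
    if root not in target.parents:
        raise UnsafeFilename(f"escapes upload root: {filename!r}")
    return target


def escapes_root(upload_root: str, target: str) -> bool:
    """True if `target` resolves to a location outside `upload_root`."""
    root = Path(upload_root).resolve()
    resolved = Path(target).resolve()
    return resolved != root and root not in resolved.parents


def is_filename_accepted(upload_root: str, filename: str) -> bool:
    """Convenience wrapper: does the hardened check accept this filename?"""
    try:
        safe_target_path(upload_root, filename)
        return True
    except UnsafeFilename:
        return False


if __name__ == "__main__":
    root = "/srv/langflow/uploads"  # constructed upload directory, not a real Langflow path
    for name in ("diagram.json", "../../../var/www/note.txt", "..\\..\\note.txt", "/etc/note.txt"):
        unsafe = unsafe_target_path(root, name)
        print(f"{name!r:32} unsafe join -> {unsafe} (escapes root: {escapes_root(root, unsafe)}); "
              f"hardened accepts: {is_filename_accepted(root, name)}")
```

The final `root not in target.parents` check is deliberately redundant with the string checks above it: if a future change relaxes the filename rules (for example to allow subdirectories), the containment check still holds the line.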

Technical details

Tenable first reported the issue in early 2026 but only disclosed it publicly in March 2026 after receiving no response from the Langflow team. Snyk Security confirmed that the fix shipped in subsequent versions of Langflow and its base package. According to security researcher Caitlin Condon, attackers have been observed exploiting the vulnerability against honeypots, indicating an ongoing threat.

Affected products and fixed versions

The flaw affects Langflow prior to version 1.9.0 and the langflow-base package prior to version 0.8.3. Anyone running an affected version is at risk until they upgrade; the latest release, version 1.10.0, addresses the vulnerability.

Exploitation status

Active exploitation is confirmed by detections on honeypots operated by security researchers. Censys scans have identified approximately 7,000 publicly exposed Langflow instances, although that figure may overstate current exposure because it includes historical scan data.

Indicators of compromise

  • Unusual file writes in directories that should be inaccessible.
  • Unexpected server behavior or crashes following unauthenticated requests.
  • Presence of arbitrary files on the server filesystem indicating unauthorized write access.

Detection opportunities

Security teams can monitor file-upload activity, focusing on the 'POST /api/v2/files' endpoint, and alert on path traversal sequences such as '../' in upload filenames. Network or application monitoring that flags unexpected path traversal attempts can also support early detection.
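As an added example of that detection logic (not Langflow's code and not a vendor rule), the following scans a constructed JSON-lines request log for POSTs to the endpoint named above whose multipart filename carries traversal indicators, including percent-encoded variants and absolute paths. The log format, its field names, the addresses and the filenames are all constructed for the example; a real deployment would need the reverse proxy or application to record the uploaded part's filename, which most access-log formats do not do by default.

```python
# Added illustrative detection logic; not Langflow's code or any vendor's rule. It scans a
# constructed JSON-lines request log (field names are assumptions) for uploads to the
# endpoint named in the advisory whose multipart filename carries path traversal sequences,
# including percent-encoded variants.
from __future__ import annotations

import json
from collections import Counter
from urllib.parse import unquote

UPLOAD_ENDPOINT = "/api/v2/files"  # the endpoint named in the advisory

# Constructed sample log lines: the kind of per-request record a reverse proxy or the
# application itself could emit if it logs the uploaded part's filename. Addresses are
# documentation ranges; none of this is real traffic.
SAMPLE_LOG = """\
{"ts":"2026-03-31T10:01:02Z","src":"198.51.100.7","method":"POST","path":"/api/v2/files","filename":"diagram.json","status":201}
{"ts":"2026-03-31T10:01:05Z","src":"203.0.113.9","method":"POST","path":"/api/v2/files","filename":"../../../var/www/note.txt","status":201}
{"ts":"2026-03-31T10:01:06Z","src":"203.0.113.9","method":"POST","path":"/api/v2/files","filename":"..%2F..%2Fvar%2Fwww%2Fnote.txt","status":201}
{"ts":"2026-03-31T10:01:09Z","src":"198.51.100.7","method":"GET","path":"/api/v2/files","filename":null,"status":200}
{"ts":"2026-03-31T10:01:11Z","src":"203.0.113.9","method":"POST","path":"/api/v2/files","filename":"/etc/note.txt","status":201}
{"ts":"2026-03-31T10:01:13Z","src":"203.0.113.9","method":"POST","path":"/api/v1/flows","filename":"../x.json","status":404}
"""


def traversal_reasons(filename: str) -> list[str]:
    """Reasons a client-supplied filename looks like a traversal attempt (empty if clean)."""
    decoded = filename
    # Peel up to two layers of percent-encoding so %2e%2e and %252e%252e are both caught.
    for _ in range(2):
        decoded = unquote(decoded)
    reasons: list[str] = []
    if "\x00" in decoded:
        reasons.append("nul byte")
    # Treat both separators as separators so Windows-style sequences are caught too.
    segments = decoded.replace("\\", "/").split("/")
    if ".." in segments:
        reasons.append("dot-dot segment")
    if decoded.startswith(("/", "\\")) or (len(decoded) > 1 and decoded[1] == ":"):
        reasons.append("absolute path")
    elif len(segments) > 1:
        reasons.append("directory separator")
    return reasons


def scan_log(text: str, endpoint: str = UPLOAD_ENDPOINT) -> list[dict]:
    """Return one alert per POST to `endpoint` whose filename carries traversal indicators."""
    alerts: list[dict] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("method") != "POST" or rec.get("path") != endpoint:
            continue
        name = rec.get("filename")
        if not name:
            continue
        reasons = traversal_reasons(name)
        if reasons:
            alerts.append({"ts": rec["ts"], "src": rec["src"], "filename": name,
                           "status": rec.get("status"), "reasons": reasons})
    return alerts


def sources_by_alert_count(alerts: list[dict]) -> Counter:
    """Aggregate alerts per source address, a quick way to surface repeat offenders."""
    return Counter(a["src"] for a in alerts)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']} {a['src']} status={a['status']} filename={a['filename']!r} "
              f"reasons={', '.join(a['reasons'])}")
    print("per-source:", dict(sources_by_alert_count(found)))
```

A 2xx status on a flagged request is the detail worth escalating: on a patched instance the request should be rejected, so a successful write paired with a traversal filename suggests the target was still vulnerable when the request landed. The `endpoint` parameter defaults to the advisory's endpoint, but the same check applied to every upload endpoint costs little.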

Timeline

  • Early 2026: Tenable discovers the vulnerability.
  • March 27, 2026: Public disclosure by Tenable after no response from Langflow.
  • March 30, 2026: Snyk Security reports a fix in specific package versions.
  • Ongoing: Active exploitation observed on vulnerable instances.

Why this matters for defenders

This vulnerability highlights the critical importance of timely patch management and monitoring for unusual server activities. Given the platform's popularity among AI developers, the potential impact is significant, affecting numerous projects and possibly leading to data breaches or system compromises.

What remains unclear

The exact number of affected systems currently in use remains uncertain due to historical scan data. Additionally, details on how widely the vulnerability has been exploited beyond honeypots are not fully known.

Defender guidance

  • Upgrade immediately to Langflow version 1.10.0 or later.
  • Implement network and application monitoring for unusual file access patterns.
  • Review server logs regularly for unauthorized file write attempts.
  • Disable unauthenticated auto-login if possible, until all instances are confirmed upgraded.

Sources

  1. https://www.bleepingcomputer.com/news/security/path-traversal-flaw-in-ai-dev-platform-langflow-exploited-in-attacks/
  2. https://thehackernews.com/2026/06/unpatched-langflow-flaw-cve-2026-5027.html
  3. https://www.tenable.com/security/research/tra-2026-26
  4. https://github.com/langflow-ai/langflow
  5. https://github.com/langflow-ai/langflow/releases/tag/v1.10.0

Harith Dilshan

- Offensive Security Engineer | Ethical Hacker | Penetration Tester -