Published: 2026-06-11
Categories: AI Platform Security, Vulnerability Intelligence, Threat Intelligence
Key Takeaways
- CVE-2026-5027 is a high-severity path traversal vulnerability (CVSS 8.8) in Langflow’s file upload API that allows unauthenticated attackers to write files to arbitrary filesystem locations on the host server.
- When combined with Langflow’s default auto-login configuration, the flaw requires no credentials, enabling remote code execution through cron job injection, SSH authorized_keys overwriting, or webshell placement.
- Approximately 7,000 Langflow instances are publicly exposed on the internet, with the majority concentrated in North America, per Censys data [1]. VulnCheck honeypots have confirmed active exploitation writing test files to vulnerable systems [2].
- CVE-2026-5027 is the latest in a pattern of high-severity Langflow vulnerabilities throughout 2026, each exploited rapidly by financially motivated actors and, in at least one case, by an Iranian state-sponsored group.
- A patch is available in Langflow version 1.9.0 and later; the current release as of June 10, 2026 is version 1.10.0. Organizations running any version through 1.8.4 should treat this as a critical emergency upgrade.
Background
Langflow is an open-source, low-code platform for building, testing, and deploying AI-powered agents and workflows. With more than 150,000 stars on GitHub and an enterprise distribution supported by IBM, Langflow is among the more prominent visual workflow builders in the AI development ecosystem [3]. The platform provides a drag-and-drop interface for connecting large language models, vector databases, custom Python components, and external APIs into production agentic pipelines. Its approachability for non-specialists and its support for multi-agent architectures have made it a popular choice in organizations ranging from startups to large enterprises.
Because Langflow sits at the intersection of code execution, external API access, and enterprise data, it presents a broader attack surface than a typical web application, making it a particularly high-value target. A compromise of a Langflow deployment is not merely a server intrusion: it can expose LLM API keys, vector database credentials, retrieval-augmented generation (RAG) document stores, and the logic of proprietary AI workflows. These are assets that underpin downstream business processes, customer-facing AI products, and—in increasingly common deployments—autonomous agents with write access to other systems.
Langflow has accumulated a significant series of high-severity vulnerabilities in 2026 alone. Earlier in the year, CVE-2026-33017, rated CVSS 9.3 [4][12], enabled unauthenticated RCE via a public flow-build endpoint; exploitation began within 20 hours of public disclosure, and subsequent analysis revealed that initial patch versions failed to fully remediate the flaw before a complete fix was delivered [4][11]. CVE-2026-21445, an authentication bypass, allowed attackers to access AI workflows and user data without credentials [5]. CVE-2025-34291 was weaponized by MuddyWater, an Iranian state-sponsored threat actor [6]. CVE-2026-5027 arrives in this context: not as an isolated software defect, but as the latest entry in an actively targeted attack surface that adversaries have demonstrated repeated capability and intent to exploit.
Security Analysis
Vulnerability Mechanics
CVE-2026-5027 resides in the POST /api/v2/files endpoint, which handles user-initiated file uploads in Langflow version 1.8.4 and earlier. The root cause is a failure to sanitize the filename parameter extracted from multipart form data before it is used to construct a filesystem path. In the affected code, upload_user_file() in src/backend/base/langflow/api/v2/files.py passes file.filename directly to the storage service. The LocalStorageService.save_file() function then constructs the destination path by joining a base folder path with the caller-supplied filename, which permits directory traversal sequences such as ../ to escape the intended upload directory and write to arbitrary locations on the host filesystem [1][2].
The compounding factor is Langflow’s default configuration. The platform ships with auto-login enabled, meaning the application does not require authentication to operate when no user accounts have been explicitly configured—a common state in development and testing environments, and reportedly in some production deployments as well. Because a valid session token can be obtained with a single unauthenticated HTTP request, an attacker can reach the vulnerable file upload endpoint without possessing any credentials whatsoever [1].
The practical exploitation chain requires no specialized skill beyond basic HTTP request crafting. An unauthenticated attacker sends a crafted POST /api/v2/files request, specifying a filename such as ../../../../etc/cron.d/backdoor and a body containing a cron job entry that executes arbitrary shell commands. In configurations where Langflow runs as root—which is common in containerized deployments that do not specify an explicit non-privileged user—the cron job executes with full system privileges. Alternative RCE paths include writing attacker-controlled SSH public keys to /root/.ssh/authorized_keys or placing webshells in web-accessible directories [1][2].
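As an added illustration, not Langflow’s code or its patch, the following Python places the flawed join pattern described above beside one hardened form. UPLOAD_ROOT, the function names, and the attacker filenames are assumptions constructed for the demonstration; the first payload follows the advisory’s own description.

```python
"""CVE-2026-5027 flaw class, side by side with a hardened equivalent.

Added example for this advisory: it is not Langflow's code or its patch.
UPLOAD_ROOT, the function names, and the attacker filenames below are
assumptions constructed for the demonstration.
"""
import os
from pathlib import Path

# Assumed upload root; Langflow's real default location is not stated here.
UPLOAD_ROOT = "/srv/langflow/uploads"

# Constructed payloads in the style the advisory describes.
ATTACKER_FILENAMES = [
    "../../../../etc/cron.d/backdoor",              # classic traversal
    "/root/.ssh/authorized_keys",                   # absolute path: join() discards base
    "..\\..\\..\\..\\root\\.ssh\\authorized_keys",  # Windows-style separators
    "%2e%2e%2fetc%2fcron.d%2fbackdoor",             # percent-encoded: the OS never decodes it
]


def vulnerable_destination(base: str, filename: str) -> str:
    """The flawed pattern: a caller-supplied multipart filename joined straight
    onto the base folder. normpath() shows where the write actually lands."""
    return os.path.normpath(os.path.join(base, filename))


def hardened_destination(base: str, filename: str) -> str:
    """Accept only a bare file name, then prove the resolved target is a direct
    child of the upload root (this also catches symlinks planted inside it)."""
    if not filename or "\0" in filename:
        raise ValueError("empty or NUL-containing filename")
    # Treat both separator styles as separators and keep only the last component.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if name != filename or name in (".", ".."):
        raise ValueError(f"filename carries a directory component: {filename!r}")
    root = Path(base).resolve()
    target = (root / name).resolve()
    if target.parent != root:
        raise ValueError(f"target escapes upload root: {filename!r}")
    return str(target)


def is_accepted(base: str, filename: str) -> bool:
    """True when the hardened check lets the name through."""
    try:
        hardened_destination(base, filename)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for fn in ATTACKER_FILENAMES + ["report.pdf"]:
        verdict = "accepted" if is_accepted(UPLOAD_ROOT, fn) else "REJECTED"
        print(f"{fn!r}\n  vulnerable writes to: {vulnerable_destination(UPLOAD_ROOT, fn)}"
              f"\n  hardened: {verdict}")
```

Two details are worth noting. `os.path.join()` silently discards the base when the supplied name is absolute, so an attacker does not even need `../` if the server joins rather than concatenates. The percent-encoded payload is accepted by the hardened check because the filesystem treats `%2e` as three literal characters; encoding is a concern for WAF pattern matching, not for the path check itself. Rejecting any name with a directory component, rather than quietly stripping it to a basename, is the deliberate choice here, since it leaves no ambiguity about what was written.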
Exploitation Activity
Tenable Research, which discovered the vulnerability and assigned it advisory TRA-2026-26, attempted responsible disclosure in January and February 2026 through three separate contact attempts before publishing details on March 27, 2026 [1]. A patch was not available at the time of publication, so every Langflow instance running version 1.8.4 or earlier remained exploitable from that date until the fixed release shipped, including the approximately 7,000 publicly accessible instances identified by Censys [1]. CISA has documented the confirmed exploitation of Langflow vulnerabilities through its Known Exploited Vulnerabilities catalog, reflecting the platform’s status as an actively targeted attack surface [10].
VulnCheck security researcher Caitlin Condon reported that the firm’s honeypot infrastructure began detecting active exploitation attempts shortly after public disclosure, with attackers writing test files to vulnerable systems, a reconnaissance and beachhead-establishment technique that typically precedes follow-on persistence or data exfiltration [2]. Censys internet scanning data identifies approximately 7,000 Langflow instances with public internet exposure, the majority in North America [1]. These instances are reachable by any unauthenticated attacker on the internet, so nothing stood between publication of the advisory and attacks against them.
The threat actor profile targeting Langflow has broadened over the course of 2026. While initial exploitation of earlier CVEs appeared financially motivated, with Sysdig observing credential theft targeting connected database keys within 48 hours of CVE-2026-33017 disclosure, the involvement of MuddyWater in CVE-2025-34291 exploitation signals that nation-state actors now view AI development platforms as strategic targets [4][6]. The sustained cadence of Langflow CVEs and the speed with which each has been weaponized indicate that multiple adversary groups are tracking the platform’s disclosures and tooling exploits as they appear.
Scope of Impact
The blast radius of a successful CVE-2026-5027 exploitation extends well beyond the compromised server. Many Langflow deployments hold LLM API keys for providers such as OpenAI, Anthropic, and Google (in configurations using hosted commercial models), which can be stolen and used to run up fraudulent inference costs or to query proprietary models. Connected vector databases may contain sensitive enterprise documents, customer records, or internal knowledge bases ingested as RAG corpora. In multi-agent architectures, a compromised Langflow node can serve as a pivot point to downstream agents, APIs, and business systems that trust the Langflow service. Organizations that have integrated Langflow into CI/CD pipelines or granted it write access to production data stores face particularly severe secondary exposure.
The risk is further amplified by deployment patterns common in AI development organizations. Available evidence—including the large number of internet-exposed instances and the prevalence of default auto-login configurations documented in this advisory—suggests that security hardening of Langflow deployments often lags behind deployment pace. The platform is frequently deployed rapidly, in cloud virtual machines, on Kubernetes clusters, or via Docker Compose, by teams whose primary focus is on AI engineering rather than security operations. These conditions create an environment where exploitation may succeed and persist undetected.
Recommendations
Immediate Actions
Organizations running Langflow should implement the following emergency measures within 24 hours.
The single most effective mitigation is upgrading to Langflow 1.9.0 or later. The vulnerability is patched in version 1.9.0, and the current release as of June 10, 2026 is version 1.10.0 (langflow-base package version 0.8.3+). Running pip install --upgrade langflow or updating the relevant container image accomplishes this and is the highest-priority step for any affected deployment [2].
Organizations should simultaneously audit internet exposure using network scanning tools or cloud security posture management (CSPM) tooling to identify any Langflow instances that are directly internet-accessible. Any such instance that cannot be immediately upgraded should either be isolated behind a firewall or VPN or be taken offline until patched. The combination of internet accessibility and an unpatched Langflow installation should be treated as a production incident regardless of whether exploitation has been confirmed.
Where an immediate upgrade is not possible, disabling auto-login provides meaningful interim protection. Setting the LANGFLOW_AUTO_LOGIN environment variable to false and configuring explicit authentication (the LANGFLOW_SUPERUSER and LANGFLOW_SUPERUSER_PASSWORD variables set the initial administrator account) raises the bar for exploitation by eliminating the unauthenticated access path. It does not remediate the underlying path traversal flaw, which any authenticated user can still trigger, and should be treated as a temporary measure pending full upgrade.
Organizations should also conduct active threat hunting across all Langflow hosts, regardless of patching status. Inspection targets include cron directories (/etc/cron.d/, /etc/crontab, /var/spool/cron/), SSH authorized_keys files, and web-accessible directories, with particular attention to files added or modified after the March 27, 2026 disclosure. Request logs for the POST /api/v2/files endpoint should be reviewed for filenames containing ../ sequences or resolving outside the expected upload directory. Note that the malicious filename travels in the multipart body, not in the URL, so a standard reverse-proxy access log will not show it; the evidence lives in application-level logs, in WAF or proxy body logging where that is enabled, and on the filesystem itself.
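The hunting steps above, as an added example that is not part of the advisory or of Langflow. The JSON line format (one record per request with an upload_filename field, as a reverse proxy or the application might be configured to emit) and the sample records are constructed assumptions; the cron and SSH locations are the ones listed above. The filename check decodes repeated percent-encoding before matching, so single- and double-encoded traversal is caught as well.

```python
"""Hunting helpers for CVE-2026-5027 exploitation artefacts.

Added example, not from the advisory or from Langflow. The JSON log format and
the sample records are constructed assumptions; the cron and SSH paths are the
ones the advisory lists.
"""
import json
import re
import time
import urllib.parse
from pathlib import Path
from typing import Iterable, Iterator

UPLOAD_ENDPOINT = "/api/v2/files"
# ".." as a whole path component, with / or \ as separator, at either end or between.
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")

# Constructed sample log: records 3 and 4 are attacks (plain, then double-encoded).
SAMPLE_LOG = [
    '{"ts":"2026-06-10T01:02:03Z","src":"203.0.113.5","method":"POST","path":"/api/v2/files","status":201,"upload_filename":"report.pdf"}',
    '{"ts":"2026-06-10T01:02:10Z","src":"203.0.113.5","method":"GET","path":"/api/v1/flows","status":200}',
    '{"ts":"2026-06-10T01:03:44Z","src":"198.51.100.7","method":"POST","path":"/api/v2/files","status":201,"upload_filename":"../../../../etc/cron.d/backdoor"}',
    '{"ts":"2026-06-10T01:03:59Z","src":"198.51.100.7","method":"POST","path":"/api/v2/files","status":201,"upload_filename":"%252e%252e%252froot%252f.ssh%252fauthorized_keys"}',
    '{"ts":"2026-06-10T01:04:30Z","src":"192.0.2.9","method":"POST","path":"/api/v2/files","status":201,"upload_filename":"q3..final.pdf"}',
]


def decode_layers(value: str, max_rounds: int = 3) -> str:
    """Strip repeated percent-encoding (double encoding) until the value is stable."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def looks_like_traversal(filename: str) -> bool:
    """True for traversal or absolute-path filenames after decoding and
    normalising separators; a name such as 'q3..final.pdf' is not flagged."""
    name = decode_layers(filename).replace("\\", "/")
    return name.startswith("/") or bool(TRAVERSAL.search(name))


def suspicious_upload_requests(lines: Iterable[str]) -> Iterator[dict]:
    """Yield upload records whose filename would leave the upload directory."""
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("method") != "POST" or not rec.get("path", "").startswith(UPLOAD_ENDPOINT):
            continue
        if looks_like_traversal(rec.get("upload_filename", "")):
            yield rec


def recently_modified(paths: Iterable[str], since_epoch: float) -> list:
    """Files under the given paths (directories are walked) modified at or after
    since_epoch. Unreadable locations are skipped rather than aborting the hunt."""
    hits = []
    for p in map(Path, paths):
        try:
            candidates = [p] if p.is_file() else (list(p.rglob("*")) if p.is_dir() else [])
        except OSError:
            continue
        for f in candidates:
            try:
                if f.is_file() and f.stat().st_mtime >= since_epoch:
                    hits.append(str(f))
            except OSError:
                continue
    return sorted(hits)


if __name__ == "__main__":
    for rec in suspicious_upload_requests(SAMPLE_LOG):
        print(f"[{rec['ts']}] {rec['src']} -> {rec['upload_filename']!r} (status {rec['status']})")
    # Persistence locations from the advisory; anything changed in the last 30 days.
    watch = ["/etc/cron.d", "/etc/crontab", "/var/spool/cron", "/root/.ssh/authorized_keys"]
    for f in recently_modified(watch, time.time() - 30 * 86400):
        print("recently modified:", f)
```

Run it as root on a suspect host so the cron spool and /root/.ssh are readable. A modification time is only a lead: compare each hit against change-management records or a known-good image, and remember that an attacker who already has root can reset timestamps.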
Short-Term Mitigations
Beyond emergency response, organizations should implement the following hardening measures in the days following this advisory.
Langflow should not run as root. Container configurations and systemd service units should specify a non-privileged user account, limiting the damage achievable if the web application process is compromised. This does not prevent arbitrary file writes, but it removes the root-level cron injection and /root/.ssh/authorized_keys paths. The Langflow process should also be confined to a container (or chroot) with a read-only root filesystem and a dedicated writable upload volume mounted only at the intended path. That confinement does not stop traversal as such: any writable location the process can reach, including /tmp and the upload volume itself, remains a potential target. It does take /etc, /root, and the other persistence locations off the table even if a new path traversal flaw emerges.
Network access policies should enforce the principle of least exposure. Langflow instances should be reachable only from application servers, developer workstations, and CI/CD systems that legitimately need access, not from the public internet. A web application firewall (WAF) rule blocking multipart uploads containing ../ in the filename parameter provides a short-term detection and blocking layer while upgrade is coordinated, though organizations should note that directory traversal sequences can be encoded in ways—such as URL encoding (%2e%2e%2f) or double encoding—that may bypass naive string matching.
API key and credential management for services integrated with Langflow should be reviewed. Credentials stored in Langflow’s configuration or environment variables should be rotated following any confirmed or suspected exploitation, and access logs for connected LLM APIs and databases should be reviewed for anomalous usage patterns consistent with credential theft.
Strategic Considerations
The sustained exploitation of Langflow vulnerabilities in 2026 reflects a broader strategic challenge for AI-adopting organizations: developer-facing AI platforms are increasingly becoming high-value targets that live outside traditional security hardening processes. The rapid adoption of tools like Langflow in environments without commensurate security investment creates a class of exposed infrastructure that adversaries have clearly identified and are actively exploiting.
Organizations building AI workflows should apply the same security lifecycle discipline to AI development platforms that they apply to production application servers: mandatory patch management SLAs, routine vulnerability scanning, privileged access controls, secrets management for all API keys stored in or accessible from the platform, and network micro-segmentation. These tools are not exempt from enterprise security policy because they are used by data scientists or AI engineers rather than software engineers.
Security teams should also account for the systemic risk of AI platform compromise in their threat models. A single compromised Langflow node in a multi-agent architecture may enable lateral movement to downstream agents, manipulation of prompts or RAG corpora affecting AI-generated outputs, and exfiltration of proprietary AI workflow logic that represents competitive intellectual property. These scenarios should be included in tabletop exercises and incident response planning for organizations that have deployed Langflow or comparable platforms at scale.
CSA Resource Alignment
The CSA AI Safety Initiative has developed several frameworks that are directly applicable to the risk environment illustrated by CVE-2026-5027.
MAESTRO (Multi-Agent Environment, Security, Threat, Risk, and Outcome) is CSA’s threat modeling framework for agentic AI systems, introduced in February 2025 [7]. CVE-2026-5027 is a textbook example of a vulnerability in the Deployment and Infrastructure layer (Layer 4 of MAESTRO’s seven-layer model) that cascades to compromise agent orchestration and connected systems. MAESTRO explicitly calls out the risk of compromised agent execution environments as a threat vector with cross-layer consequences, which aligns with the scenario where a Langflow server compromise can manipulate agent behavior, expose tool credentials, and pivot into connected data systems. Organizations using MAESTRO to threat-model their agentic pipelines should include the agent orchestration platform itself, and its file-handling endpoints, as explicit attack surfaces.
CSA AI Controls Matrix (AICM) provides 243 control objectives across 18 security domains for AI systems, with specific applicability to application providers and orchestrated service providers—both roles that a Langflow operator occupies [8]. Controls addressing patch management, network exposure, authentication enforcement, and secrets management are all relevant to mitigating CVE-2026-5027 and the class of vulnerabilities it represents. The AICM’s mapping to ISO 27001 and NIST AI RMF provides a compliance bridge for organizations that need to document their AI platform security posture against recognized standards.
CSA STAR (Security, Trust, Assurance, and Risk) provides a framework for third-party assessment and continuous monitoring of cloud and AI services. Organizations that use Langflow-based services provided by third parties—whether as a managed AI development platform or as an embedded workflow component—should verify that those providers have completed STAR-level assessments and can demonstrate active vulnerability management programs covering their AI platform dependencies.
CSA Zero Trust Guidance is foundational to containing the blast radius of platform compromises. The default auto-login behavior that compounds CVE-2026-5027 is the antithesis of zero trust: it grants implicit trust to any network requestor without identity verification. CSA’s zero trust architecture guidance recommends explicit identity verification at every service boundary, which should apply to AI development platforms as forcefully as it applies to traditional enterprise applications. Network segmentation, per-service credentials, and lateral movement controls recommended in CSA zero trust frameworks would have materially reduced the exploitability and impact of this vulnerability class.
CSA Agentic AI Red Teaming Guide was developed to help organizations proactively identify vulnerabilities in agentic AI deployments [9]. The guide’s coverage of infrastructure attack paths—including those targeting the orchestration platforms rather than the AI models themselves—provides actionable testing methodology for identifying Langflow-class exposures before adversaries do. Organizations that have not red-teamed their Langflow deployments should treat this advisory as a prompt to do so.
References
[1] The Hacker News. “Unpatched Langflow Flaw CVE-2026-5027 Exploited for Unauthenticated RCE.” The Hacker News, June 10, 2026.
[2] BleepingComputer. “Path traversal flaw in AI dev platform Langflow exploited in attacks.” BleepingComputer, June 10, 2026.
[3] langflow-ai. “Langflow: Powerful tool for building and deploying AI-powered agents and workflows.” GitHub.
[4] Sysdig Threat Research Team. “CVE-2026-33017: How attackers compromised Langflow AI pipelines in 20 hours.” Sysdig, 2026.
[5] CrowdSec. “CVE-2026-21445: Langflow Authentication Bypass Under Active Exploitation.” CrowdSec, 2026.
[6] Vulert. “CVE-2025-34291 & CVE-2026-34926 Added to CISA KEV — Actively Exploited.” Vulert, 2026.
[7] Cloud Security Alliance. “Agentic AI Threat Modeling Framework: MAESTRO.” CSA Blog, February 6, 2025.
[8] Cloud Security Alliance. “AI Controls Matrix.” CSA, July 2025.
[9] Cloud Security Alliance. “Agentic AI Red Teaming Guide.” CSA AI Safety Initiative, 2025.
[10] CISA. “Known Exploited Vulnerabilities Catalog.” Cybersecurity and Infrastructure Security Agency.
[11] JFrog Security Research. “Langflow CVE-2026-33017: Latest ‘fixed’ version is still exploitable.” JFrog, 2026.
[12] Infosecurity Magazine. “Hackers Exploit Critical Langflow Bug in Just 20 Hours.” Infosecurity Magazine, 2026.