Langflow CVE-2026-5027 exploited; fix shipped but unlabelled
VulnCheck added CVE-2026-5027 to its KEV on June 8 after detecting in-the-wild exploitation. Path traversal in /api/v2/files yields unauth RCE; ~7,000 instances are publicly exposed.
CVE-2026-5027 — a path-traversal-to-RCE flaw in Langflow, the open-source visual builder for LLM applications — was added to VulnCheck's Known Exploited Vulnerabilities catalog on June 8, 2026 after Canary sensors observed first-time in-the-wild exploitation. CVSS v3.1 is 8.8 (High). The bug was first disclosed publicly by Tenable Research on March 27, 2026, after three contact attempts to the project maintainers in January and February 2026 went unanswered. No release notes ever tagged a security fix — yet, per Snyk's advisory (March 30, 2026), the underlying code has been patched in langflow-base 0.8.3 and Langflow 1.9.0 for weeks. The result: a CVE that is simultaneously patched in shipped code and unpatched on every operator who reads release notes.
What the bug does
The POST /api/v2/files endpoint does not sanitise the filename field of the multipart form data. A request carrying ../../path/to/target as the filename writes the uploaded body to an arbitrary location on the underlying filesystem. Dropped inside Langflow's component-loading paths, the primitive flips from file write to remote code execution.
The unauthenticated angle comes from a second design choice. Langflow's default configuration enables auto-login: a single unauthenticated HTTP request returns a valid session token. An attacker chains the two — fetch a token, post a file with a traversal sequence, watch it execute — with no credentials anywhere in the request set.
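To make the file-write primitive concrete from the defender's side, here is an added Python example that is not Langflow's code: it puts the unsanitised join (client-supplied multipart filename glued straight under an upload directory) beside a hardened variant that rejects any name carrying a directory component and then re-checks that the resolved target still sits inside the upload root. The upload root path and all function names are assumptions for illustration.

```python
import re
from pathlib import Path

# Assumed upload directory for the illustration; Langflow's real layout may differ.
UPLOAD_ROOT = Path("/srv/langflow/uploads")

# A bare file name only: leading alphanumeric, then a conservative character set.
# Neither '/' nor '\\' is in the class, so no directory part (and no '..') can pass,
# and a leading '.' (hidden file) is excluded as well.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def vulnerable_destination(filename: str, root: Path = UPLOAD_ROOT) -> Path:
    """The unsanitised pattern: the client-controlled multipart filename is
    joined straight under the upload root, so '..' segments walk out of it."""
    return root / filename


def is_within_root(root: Path, filename: str) -> bool:
    """True only when root/filename resolves to a path strictly inside root.
    Path.resolve() collapses '..' lexically even when the directories do not exist,
    so this check works on a build host as well as on the live deployment."""
    root = root.resolve()
    target = (root / filename).resolve()
    return root in target.parents


def is_acceptable_filename(filename: str) -> bool:
    """Allow-list policy for the hardened handler: accept a plain name, reject
    everything else rather than trying to 'repair' a suspicious value."""
    return _SAFE_NAME.fullmatch(filename) is not None


def safe_destination(filename: str, root: Path = UPLOAD_ROOT) -> Path:
    """Hardened variant: name policy first, then the resolved-path containment
    check as a second, independent control (defence in depth)."""
    if not is_acceptable_filename(filename):
        raise ValueError(f"rejected multipart filename: {filename!r}")
    if not is_within_root(root, filename):
        raise ValueError(f"resolved outside upload root: {filename!r}")
    return (root / filename).resolve()


if __name__ == "__main__":
    # Compare where the two handlers would write for a benign and a traversal name.
    for name in ("flow.json", "../../path/to/target"):
        print(f"{name!r}: unsanitised -> {vulnerable_destination(name).resolve()}, "
              f"within root: {is_within_root(UPLOAD_ROOT, name)}")
        try:
            print(f"{name!r}: hardened -> {safe_destination(name)}")
        except ValueError as exc:
            print(f"{name!r}: hardened -> {exc}")
```

The containment check alone would stop a write outside the root, but the name policy matters too: it keeps the handler from accepting nested paths inside the root (for example into a component-loading subdirectory) and turns an ambiguous input into a logged rejection instead of a silently renamed file.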
Affected versions
- Langflow < 1.9.0
- langflow-base < 0.8.3
Anything older than those two cut-offs is in scope, regardless of deployment method (Docker image, pip install, hosted-but-self-managed). The default config that enables auto-login is the worst case; deployments that explicitly require authentication still let an authenticated attacker write arbitrary files.
Exploitation status
VulnCheck reports that its Canary sensors recorded the first in-the-wild exploitation attempts on or before June 8, 2026 — the basis for the KEV addition that same day. The observed traffic carried path-traversal sequences and wrote what VulnCheck described as test files on victim systems. Writing a small canary file before staging anything heavier is the precursor most exploit kits use to fingerprint a working primitive.
BleepingComputer and The Hacker News reproduce VulnCheck's count of roughly 7,000 internet-exposed Langflow instances, with the heaviest concentration in North America. Neither outlet — nor VulnCheck — has published IOCs in IP, hash, or YARA form; if one materialises we'll update.
Action checklist
- Upgrade Langflow to 1.9.0 or later. If you depend on langflow-base directly, upgrade to 0.8.3 or later. Pin those minimums in your dependency manifest so a downgrade does not silently happen on the next image rebuild.
- Disable auto-login. Require credentials on every session. This breaks the unauthenticated path even on pre-patch instances and is the single best stopgap if upgrading is blocked.
- Pull Langflow off the public internet. Sit it behind a VPN or an authenticated reverse proxy. Self-service AI tooling has no business listening on a public port by default; "dev convenience" is exactly what made this campaign cheap.
- Hunt for unexpected files. Walk Langflow's writable directories for files modified after June 1 whose paths or names do not match the project's components/ and flows/ conventions. Unfamiliar .py or .json artefacts under those trees are the starting point.
- Block the traversal pattern at the edge. A WAF rule that rejects multipart filenames containing .. separators is a stopgap, not a fix. Pair it with the upgrade.
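The "hunt for unexpected files" step above, as an added Python example that is not part of the original post and not Langflow tooling: it walks a deployment directory, keeps only files modified after the June 1 cut-off, and flags anything outside the expected trees, anything with a suffix that tree should not contain, or anything absent from a known-good baseline of relative paths. The flows/ and components/ layout and the sample tree it builds in a temporary directory are constructed assumptions; adjust the expected trees and baseline to your own deployment.

```python
import os
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Assumed conventions, not Langflow's documented layout: flows are .json under
# flows/, custom components are .py under components/.
EXPECTED_TREES = {"flows": {".json"}, "components": {".py"}}

# "Modified after June 1" from the checklist.
CUTOFF = datetime(2026, 6, 1, tzinfo=timezone.utc)

# Constructed known-good baseline: relative paths you have already reviewed.
SAMPLE_BASELINE = frozenset({"flows/demo.json", "components/helper.py"})


def find_unexpected_files(root, modified_after, expected=EXPECTED_TREES,
                          baseline=frozenset()):
    """Return sorted posix-style relative paths of files under root modified
    after the cut-off that (a) sit outside the expected trees, (b) carry a
    suffix the tree should not contain, or (c) are missing from the baseline.
    With an empty baseline every recently modified file is reported, which is
    the right default on a host you have never inventoried."""
    root = Path(root)
    cutoff_ts = modified_after.timestamp()
    hits = []
    for path in root.rglob("*"):
        if not path.is_file() or path.stat().st_mtime <= cutoff_ts:
            continue
        rel = path.relative_to(root).as_posix()
        top = rel.split("/", 1)[0] if "/" in rel else ""
        allowed = expected.get(top)
        if allowed is None or path.suffix not in allowed or rel not in baseline:
            hits.append(rel)
    return sorted(hits)


def build_sample_tree():
    """Constructed sample deployment directory (placeholder contents, not real
    Langflow data) with mtimes set on either side of the cut-off."""
    root = Path(tempfile.mkdtemp(prefix="langflow-hunt-"))
    before = (CUTOFF - timedelta(days=30)).timestamp()
    after = (CUTOFF + timedelta(days=1)).timestamp()
    files = {
        "flows/demo.json": before,      # legitimate, untouched since May
        "components/helper.py": after,  # legitimate, recently edited, in baseline
        "components/x7.py": after,      # unknown .py inside the components tree
        "flows/dropped.py": after,      # wrong suffix for flows/
        "tmp/cache.txt": after,         # outside every expected tree
    }
    for rel, mtime in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text("placeholder\n")
        os.utime(target, (mtime, mtime))
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel in find_unexpected_files(sample_root, CUTOFF, baseline=SAMPLE_BASELINE):
        print(rel)
```

Treat the mtime filter as a way to shrink the review set, not as proof of innocence: timestamps are attacker-controllable metadata, so a file that passes the cut-off but fails the baseline or suffix check still deserves a look, and the baseline should be built from a clean reference install rather than from the host under investigation.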
Context
This is the second Langflow CVE on a public exploited-vulnerability catalog in seven weeks. CVE-2025-34291 — a CORS-to-RCE chain — landed on CISA KEV on May 21, with a federal remediation deadline of June 4. CVE-2026-5027 lands on VulnCheck's KEV on June 8 with no security-tagged release in sight. The pattern is consistent: Langflow's authentication model presumes a single-tenant, trusted-network deployment, and the project keeps shipping that presumption into a world that runs it on the public internet.
What other outlets missed
Most secondary coverage repeats VulnCheck's "unpatched" framing without acknowledging the Snyk advisory pointing at langflow-base 0.8.3 and Langflow 1.9.0. The split matters operationally: defenders reading release notes for a CVE-tagged advisory will find none, conclude there is no fix, and either accept the risk or wait — when the right action is to upgrade to versions that have been available for months. The credibility issue is the vendor's, not VulnCheck's: shipping a security fix without labelling it as such is how an in-the-wild campaign finds a still-vulnerable estate to chew through.