---
id: 2026-06-langflow-cve-2026-5027-path-traversal
title: "Langflow CVE-2026-5027 — unauthenticated path traversal → RCE via file upload endpoint (distinct from CVE-2026-33017)"
date_disclosed: 2026-06-16
last_updated: 2026-06-19
severity: high
status: patched
ecosystems: [pypi, ai-agents, langchain]
tools_affected: [langflow, langflow-backend]
tags: [cve, path-traversal, rce, pre-auth, ai-agents, file-upload, actively-exploited]
---

## TL;DR

**CVE-2026-5027** (CVSS 8.8) — **Langflow's file-upload endpoint** (`POST /api/v2/files`) accepts a caller-controlled `filename` parameter with no path sanitization. An unauthenticated attacker (Langflow auto-login is enabled by default) can write arbitrary files to arbitrary paths on the server filesystem → remote code execution. This is a **distinct vulnerability** from [CVE-2026-33017](2026-03-langflow-rce.md) (the earlier flow-build RCE that reached CISA KEV). Approximately **7,000 Langflow instances** were internet-facing at the time of disclosure; the flaw was being **actively exploited in the wild** at time of publication. **Fixed in Langflow 1.10.0** (addressed in 1.9.0 on 2026-04-15).

## What happened

**Langflow** is a popular visual drag-and-drop AI agent/workflow builder built on LangChain. It is widely deployed by vibe coders to orchestrate multi-step AI pipelines with LLM integrations, database connections, and tool calls.

In June 2026, researchers disclosed **CVE-2026-5027**: a path traversal vulnerability in the `POST /api/v2/files` endpoint. The `filename` field in the multipart upload request was not sanitized — an attacker could supply a filename like `../../../../../../etc/cron.d/backdoor` and write content to arbitrary filesystem paths.

**Why this is unauthenticated by default:** Langflow ships with **auto-login enabled** — no credentials are required for API access unless an administrator explicitly enables authentication. The vast majority of self-hosted Langflow instances use the default configuration.

**RCE path:** Writing a malicious Python module to a path inside Langflow's `site-packages/` directory, or overwriting a `.pth` file (Python path hook) in `site-packages/`, causes the payload to execute at Langflow's next startup or next `import`. Alternatively, writing to `/etc/cron.d/` (Linux) achieves scheduled persistence.

**Relationship to CVE-2026-33017:**

| | CVE-2026-33017 | CVE-2026-5027 |
|---|---|---|
| Disclosed | March 2026 | June 2026 |
| Endpoint | Flow build/execution endpoint | `/api/v2/files` file upload |
| Root cause | Code injection via flow node execution | Path traversal in filename parameter |
| CVSS | 9.8 (Critical) | 8.8 (High) |
| CISA KEV | Yes | No (at time of writing) |
| Fixed version | 1.4.0 / 1.3.6 | 1.10.0 (addressed 1.9.0) |

Both CVEs are **independently exploitable** and both are **actively exploited in the wild**. Patching for CVE-2026-33017 does **not** protect against CVE-2026-5027.

**Scale:** Approximately **7,000 Langflow instances** were estimated to be internet-facing at the time of disclosure. Active exploitation indicators were reported by threat intelligence feeds.

## Am I affected?

```bash
# Check your Langflow version
pip show langflow 2>/dev/null | grep Version
langflow --version 2>/dev/null

# Check if auto-login is enabled (default: true)
cat ~/.langflow/.env 2>/dev/null | grep -i auto_login
# or check the Langflow startup config

# Check if the endpoint is reachable from the internet
curl -s http://localhost:7860/api/v2/files -X OPTIONS 2>/dev/null
```

You are affected if:
1. You run Langflow **< 1.10.0** (or < 1.9.0 if you have been patched since April 15, 2026)
2. Your Langflow instance is reachable from the public internet or from any untrusted network

If auto-login is enabled (the default), **no authentication** is required to exploit this.

### IOCs

| Type | Value |
|---|---|
| CVE | `CVE-2026-5027` |
| CVSS | 8.8 (High) |
| Affected versions | Langflow < 1.9.0 |
| Fixed version | Langflow 1.9.0 (2026-04-15) / 1.10.0 |
| Vulnerable endpoint | `POST /api/v2/files` |
| Attack vector | `filename` parameter path traversal |
| Authentication required | No (auto-login enabled by default) |
| Exploitation status | Actively exploited in the wild |
| Estimated exposed instances | ~7,000 |
| Related CVE | CVE-2026-33017 (distinct; both actively exploited) |

## If you are affected

1. **Upgrade Langflow to 1.10.0 immediately.** This is the cleanest fix; 1.9.0 addressed the file-upload path traversal but 1.10.0 includes additional hardening.
2. **Treat the host as compromised** if you ran Langflow < 1.9.0 while internet-facing. Assume arbitrary files were written.
3. **Audit the filesystem** for unexpected files in `site-packages/`, `/etc/cron.d/`, `/tmp/`, or Langflow's working directory. Look for `.pth` files added since March 2026.
4. **Rotate all credentials** accessible from the Langflow host — LLM API keys, cloud IAM credentials, database passwords, and any secrets in Langflow's configured integrations.
5. **Enable authentication** in Langflow (`AUTO_LOGIN=false` and configure OAuth/email auth) — do not rely on network isolation alone.
6. **Firewall the port** (`7860` by default) — Langflow should not be directly internet-facing without a reverse proxy + authentication layer.
7. See [playbooks/rotating-cloud-credentials.md](../playbooks/rotating-cloud-credentials.md).

## Prevention

- **Enable authentication:** Set `AUTO_LOGIN=false` in Langflow's environment and configure user authentication. All vibe-coded Langflow instances should require credentials.
- **Never expose Langflow directly to the internet.** Use a reverse proxy (nginx/Caddy/Cloudflare Tunnel) with authentication in front of it.
- **Pin to a release and update promptly.** Langflow has had two independently-exploited CVEs in three months (March + June 2026). Subscribe to [langflow-ai/langflow](https://github.com/langflow-ai/langflow/releases) release notifications.
- **Treat disclosure-to-exploit as < 24 hours** for any AI-framework CVE. The [LiteLLM](2026-04-litellm-sql-injection.md) and [PraisonAI](2026-05-praisonai-auth-bypass.md) baselines confirm this cadence.
- → [prevention/agent-sandboxing.md](../prevention/agent-sandboxing.md)

## Sources

- [The Hacker News — CVE-2026-5027: Langflow Path Traversal Lets Attackers Write Files via Upload Endpoint](https://thehackernews.com) — primary disclosure; path traversal; auto-login default; 7,000 exposed instances; active exploitation.
- [BleepingComputer — New Langflow Flaw CVE-2026-5027 Exploited in the Wild, Distinct from March CVE-2026-33017](https://bleepingcomputer.com) — distinction from prior CVE; attack timeline; RCE path.
- [SecurityWeek — Langflow Vulnerability CVE-2026-5027 Actively Exploited, Patch to 1.10.0](https://securityweek.com) — CVSS score; exploitation confirmation; fix version.
- [CybersecurityNews — Langflow RCE Via File Upload Path Traversal (CVE-2026-5027): Thousands of Instances at Risk](https://cybersecuritynews.com) — exposure scale; endpoint detail.
- [NVD — CVE-2026-5027](https://nvd.nist.gov/vuln/detail/CVE-2026-5027) — canonical CVE record; CVSS 8.8.
- Cross-link: [Langflow CVE-2026-33017 RCE (March 2026)](2026-03-langflow-rce.md) — prior actively-exploited Langflow CVE; both are independently in the wild.
