AI Security Wire

Langflow CVE-2026-5027: AI Dev Platform Under Active Attack

Langflow, one of the more popular open-source platforms for building visual AI agent workflows, has a CVSS 8.8 path traversal vulnerability under active exploitation. CVE-2026-5027 allows unauthenticated attackers to write files to arbitrary locations on the host running Langflow, and that file write primitive is enough to get code execution on most real-world deployments. The fix is in version 1.9.0, released in May 2026. If you’re running Langflow in any form, you need to check your version now.

What the Vulnerability Is

Langflow’s /api/v2/files endpoint handles file uploads used in AI workflows, including documents fed into RAG pipelines and data sources. The endpoint did not adequately sanitise path components in upload requests. An attacker could craft a request that traversed out of the intended upload directory and wrote content to an arbitrary path on the filesystem.
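The flaw class described above, shown as an added example that is not Langflow's code: a join that trusts the client-supplied name, next to a containment check that resolves the path and refuses anything outside the upload root. The function names, the exception type and the `/srv/uploads` root are hypothetical.

```python
from pathlib import Path


class UnsafePathError(ValueError):
    """Raised when a client-supplied name would land outside the upload root."""


def naive_upload_path(upload_root: Path, client_name: str) -> Path:
    # Vulnerable pattern: the name is joined as-is, so "../" segments or an
    # absolute path decide where the file ends up.
    return upload_root / client_name


def safe_upload_path(upload_root: Path, client_name: str) -> Path:
    root = upload_root.resolve()
    if not client_name or "\x00" in client_name:
        raise UnsafePathError("empty name or NUL byte")
    # Treat backslashes as separators so Windows-style names are caught on POSIX.
    candidate = (root / client_name.replace("\\", "/")).resolve()
    # resolve() collapses ".." and follows symlinks; the result must still
    # sit strictly inside the upload root.
    if candidate == root or not candidate.is_relative_to(root):
        raise UnsafePathError(f"{client_name!r} resolves outside {root}")
    return candidate


if __name__ == "__main__":
    root = Path("/srv/uploads")  # hypothetical upload root
    # Constructed sample names, not taken from any real request.
    for name in ("docs/report.pdf", "../../etc/cron.d/job", "/etc/cron.d/job"):
        try:
            print(name, "->", safe_upload_path(root, name))
        except UnsafePathError as exc:
            print(name, "-> rejected:", exc)
```

The check runs on the resolved path rather than on the raw string, so encoded or nested `..` sequences and symlinks inside the upload directory are handled by the same comparison.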

A secondary vulnerability, CVE-2026-42867, exists in the Knowledge Bases API. It shares the same class of flaw and similar impact. Both were patched together in the 1.9.0 release.

The exploitation path from file write to code execution is short. On a typical Langflow deployment, writing to the Python application directory or overwriting a startup script delivers execution in the context of the Langflow service process, which often runs as root in containerised deployments or with broad local access in virtual machine installations.

What Attackers Are After

Langflow is an attractive target for a specific reason: it sits between AI providers and your data. A typical Langflow deployment has the following wired in:

  • API keys for OpenAI, Anthropic, or other LLM providers
  • Embeddings provider credentials (OpenAI, Cohere, etc.)
  • Vector database connection strings (Pinecone, Qdrant, Weaviate, Chroma)
  • Document sources, either local filesystems or cloud storage buckets
  • Potentially internal APIs wired in as tools for agent workflows

Compromising the Langflow host gives an attacker all of this at once. Credential theft for LLM provider API keys is the immediate financial exposure, but access to the underlying data sources and the ability to modify workflow behaviour — injecting malicious prompts into AI pipelines, for example — represents a longer-term threat.

Post-exploitation activity observed in some in-the-wild cases includes deployment of cryptocurrency miners, which is opportunistic rather than targeted but confirms that automated scanners are actively finding and exploiting exposed instances.

Exposure Surface

Langflow instances are widely exposed on the internet. Shodan and Censys scanning of the default port shows thousands of instances reachable from the public internet, many running versions prior to 1.9.0. Langflow is frequently run in development and staging environments where network hardening is less rigorous than production. Developers using Langflow locally with default settings and no authentication enabled are not affected by internet-originated attacks, but cloud-hosted instances and any deployment on a network-accessible server are at risk.

Langflow itself includes an authentication layer that can be enabled in configuration. With authentication enabled, the /api/v2/files endpoint still requires a valid session token to access, which mitigates the unauthenticated exploitation path. Many deployments run with authentication disabled for convenience, particularly in development and team environments.

What to Do

Upgrade to Langflow 1.9.0 or later. This is the primary remediation. The patch addresses both CVE-2026-5027 and CVE-2026-42867. Update via pip:

    pip install langflow --upgrade
    # or
    pip install langflow-base --upgrade

If you cannot patch immediately, restrict network access to your Langflow instance. The endpoint is only exploitable by attackers who can reach it over the network. A host-based firewall rule or network security group limiting access to trusted IP ranges eliminates remote exploitation for CVE-2026-5027.

Enable authentication in Langflow configuration if you haven’t already. This adds a credential requirement to API endpoints and provides a layer of defence even for unauthenticated endpoints, depending on how the session validation is implemented in future versions.

Audit your Langflow host for signs of compromise. If you’ve been running a pre-1.9.0 version with network access, check for:

  • Unexpected files in the Langflow application directory
  • Unfamiliar processes launched by the Langflow service account
  • New cron entries or startup scripts
  • Unexpected outbound connections from the Langflow host
  • Rotated or unexpectedly accessed API keys for connected AI providers
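One way to approach the first item on this list, as an added example that is not part of Langflow or of the original article: compare the files on disk with the hashes pip recorded at install time and report anything unlisted or changed. It assumes a pip-installed deployment whose RECORD metadata is intact; the function names are hypothetical.

```python
import base64
import hashlib
from importlib import metadata
from pathlib import Path


def record_digest(path: Path) -> str:
    """sha256 in the urlsafe-base64, unpadded form used by wheel RECORD files."""
    raw = hashlib.sha256(path.read_bytes()).digest()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def record_manifest(dist_name: str) -> dict:
    """Absolute path -> expected sha256 (or None) for an installed distribution."""
    manifest = {}
    for f in metadata.distribution(dist_name).files or []:
        expected = f.hash.value if f.hash and f.hash.mode == "sha256" else None
        manifest[str(Path(f.locate()).resolve())] = expected
    return manifest


def audit_tree(root: Path, manifest: dict, ignore_dirs=("__pycache__",)) -> dict:
    """Report files under root that the manifest does not list or whose hash differs."""
    root = root.resolve()
    findings = {"unexpected": [], "modified": []}
    for path in sorted(root.rglob("*")):
        rel_parts = path.relative_to(root).parts
        # Bytecode caches are rewritten at runtime; review them separately.
        if not path.is_file() or set(rel_parts) & set(ignore_dirs):
            continue
        rel = path.relative_to(root).as_posix()
        key = str(path.resolve())
        if key not in manifest:
            findings["unexpected"].append(rel)
        elif manifest[key] is not None and manifest[key] != record_digest(path):
            findings["modified"].append(rel)
    return findings
```

Call `audit_tree(package_dir, record_manifest("langflow-base"))` with the directory the package is installed in. An attacker who can write files can also edit RECORD, so a clean result is weaker evidence than a comparison against a freshly downloaded wheel.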

Rotate API keys for any AI provider or vector database connected to a potentially compromised Langflow deployment, regardless of whether you find evidence of exploitation.

Pattern Worth Noting

Langflow CVE-2026-5027 follows a pattern that’s been consistent across the AI framework vulnerability wave of 2026. LiteLLM had an unauthenticated RCE (CVE-2026-42271). LangGraph had a checkpoint SQLi chain. Semantic Kernel had two RCEs. In each case, the framework was running with elevated privileges and extensive credential access, and a path traversal or injection flaw delivered the keys to everything connected to it.

The structural risk is that AI frameworks are credential aggregators by design. They need access to LLM providers, data sources, and tool APIs to function. Security tooling hasn’t caught up to the threat surface. Teams running AI development infrastructure should apply the same network isolation and least-privilege principles as any other privileged internal service.

Frequently Asked Questions

What is CVE-2026-5027 and which versions of Langflow are affected?

CVE-2026-5027 is a path traversal vulnerability in Langflow's file upload API endpoint (/api/v2/files) that allows unauthenticated attackers to write files to arbitrary filesystem locations. All Langflow versions before 1.9.0 (langflow-base before 0.8.3) are vulnerable. The fix was released in Langflow 1.9.0. A secondary vulnerability, CVE-2026-42867, also exists in the Knowledge Bases API endpoint.

Does exploiting CVE-2026-5027 require authentication?

No. The path traversal vulnerability is in an endpoint that does not require authentication. An attacker with network access to a Langflow instance can write arbitrary file content to arbitrary filesystem paths without providing any credentials. This makes the vulnerability particularly dangerous in any deployment where Langflow is reachable from untrusted networks.

Why is Langflow an attractive target for attackers?

Langflow instances typically run with elevated privileges and have access to API keys for AI providers (OpenAI, Anthropic, etc.), vector databases, and internal data sources wired into AI workflows. A compromised Langflow deployment exposes the AI application logic itself, all connected credentials, and potentially the underlying host. Development and staging environments are particularly at risk because they often have the same integrations as production but weaker network controls.