The Bottom Line: Path-traversal flaw CVE-2026-5027 in Langflow enables remote code execution and is actively exploited, though a patch has been available since April.
Organizations running the open-source Langflow platform are being urged to patch a path-traversal vulnerability that is already under active exploitation, even though a fix has been available for more than two months. The flaw lets attackers write files to arbitrary locations on the host and can lead to remote code execution.
CVE-2026-5027 is a path-traversal vulnerability in Langflow’s POST /api/v2/files endpoint, rated CVSS 8.8. The defect is improper validation of the filename parameter taken from multipart form data: an attacker can embed traversal sequences such as “../” in the filename and have the file written outside the designated upload directory. Langflow versions through 1.8.4 are affected; the fix has shipped since version 1.9.0, released on April 15, 2025, 73 days after initial vendor notification.
A critical factor is Langflow’s default auto-login setting, which hands any visitor a valid session without credentials, so unauthenticated users can reach the vulnerable endpoint. EQST Lab demonstrated, using a publicly available proof of concept, that the arbitrary file write can be turned into remote code execution when auto-login is enabled. The researchers explain that, by controlling both file content and target location, attackers can overwrite application files, modify startup or scheduled tasks, or gain persistence through shell initialization.
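To make the defect described above concrete from a defender’s side, the following is an added example and not Langflow’s code: it shows how a client-supplied multipart `filename` that is joined verbatim onto the upload directory escapes that directory once `..` segments are collapsed, and contrasts it with a hardened check that rejects (rather than silently strips) anything that is not a plain basename. The upload root, the `Content-Disposition` samples, and all function names are constructed for illustration.

```python
"""
Added example, not Langflow's code: why trusting the multipart
`filename` parameter lets a write escape the upload directory, and a
hardened validator that rejects such names. Paths and header samples
are constructed for illustration.
"""
import os
import re
import unicodedata
from typing import List, Optional, Tuple

UPLOAD_DIR = "/srv/app/uploads"  # assumed upload root (constructed)

# Allow-list: a plain basename, no separators, no leading dot, bounded length.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")

# Multipart part headers as a client could send them (constructed samples).
SAMPLE_HEADERS = [
    'Content-Disposition: form-data; name="file"; filename="report.pdf"',
    'Content-Disposition: form-data; name="file"; filename="../../config/settings.yaml"',
]


def filename_from_content_disposition(header: str) -> Optional[str]:
    """Extract the raw filename parameter; real multipart parsers hand it over verbatim."""
    m = re.search(r'filename="([^"]*)"', header)
    return m.group(1) if m else None


def unsafe_upload_path(upload_dir: str, filename: str) -> str:
    """The flawed pattern: join the client-controlled name verbatim.
    normpath collapses the '..' segments, so the result can land anywhere."""
    return os.path.normpath(os.path.join(upload_dir, filename))


def escapes_root(upload_dir: str, target: str) -> bool:
    """True when the normalised target is not inside upload_dir."""
    root = os.path.normpath(upload_dir)
    return os.path.commonpath([root, os.path.normpath(target)]) != root


def is_safe_filename(filename: str) -> bool:
    """Reject, rather than strip, anything that is not a plain basename.
    Rejecting keeps traversal attempts visible to logging and detection."""
    name = unicodedata.normalize("NFKC", filename)  # fold look-alike dots/slashes first
    if name in ("", ".", "..") or "\x00" in name:
        return False
    if "/" in name or "\\" in name or ".." in name:  # directory components, POSIX or Windows
        return False
    return _SAFE_NAME.match(name) is not None


class UnsafeFilename(ValueError):
    """Raised when a client-supplied filename fails validation."""


def safe_upload_path(upload_dir: str, filename: str) -> str:
    """Hardened resolver: allow-list the name, then re-check containment after
    the join as defence in depth (the second check cannot fail once the first
    passes, but it protects against future loosening of the allow-list)."""
    if not is_safe_filename(filename):
        raise UnsafeFilename(f"rejected multipart filename: {filename!r}")
    target = os.path.normpath(os.path.join(upload_dir, filename))
    if escapes_root(upload_dir, target):
        raise UnsafeFilename(f"filename resolves outside upload root: {filename!r}")
    return target


def triage_headers(headers: List[str]) -> List[Tuple[str, bool, str]]:
    """For each header: (raw filename, accepted by the validator?, where the naive join lands)."""
    rows = []
    for h in headers:
        name = filename_from_content_disposition(h) or ""
        rows.append((name, is_safe_filename(name), unsafe_upload_path(UPLOAD_DIR, name)))
    return rows


if __name__ == "__main__":
    for name, ok, naive in triage_headers(SAMPLE_HEADERS):
        verdict = "accept" if ok else "REJECT"
        print(f"{verdict:7} {name!r:40} naive join -> {naive} "
              f"(escapes root: {escapes_root(UPLOAD_DIR, naive)})")
```

The validator normalises to NFKC before checking so that full-width look-alike dots and slashes cannot slip past a byte-level comparison, and it refuses any name carrying a directory component instead of trimming it, which gives the application a clean event to log when an upload request carries a traversal sequence.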
Exploitation of CVE-2026-5027 has already been observed, and VulnCheck has confirmed that the vulnerability is currently being exploited. The Iranian hacker group MuddyWater is reported to be behind these attacks. With public exploit code available, the barrier to entry for opportunistic attackers is lower. The Cloud Security Alliance reports that approximately 7,000 Langflow instances are directly reachable from the internet.
Security experts point out that many organizations have expanded their attack surface by deploying AI tools quickly without hardening them the way they would production web applications. Langflow, along with Flowise, n8n, and Dify, is often run with default authentication settings on public IP addresses for demonstrations, while responsibility for patching remains unclear.
Source: www.csoonline.com · Published June 15, 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrasing and classification via Lumi News Pipeline v1.7.1.