The Bottom Line: Langflow instances are under active attack via CVE-2026-5027 (patch available since April). The flaw allows arbitrary file writes that can be escalated to remote code execution, and it is especially dangerous on instances that keep the default auto-login setting and are reachable from the internet.
A security vulnerability (CVE-2026-5027, CVSS 8.8) in the open-source Langflow platform is under active exploitation, despite a patch having been available for over two months. The vulnerability allows attackers to write files to arbitrary system locations and, under certain conditions, achieve full code execution.
The flaw affects the POST endpoint /api/v2/files in Langflow and stems from inadequate validation of the “filename” parameter during file uploads. Attackers can use path traversal sequences like “../” to place files outside the intended upload directory. The issue is compounded by Langflow’s default behavior of enabling auto-login – which means attackers need no credentials to access the vulnerable interface.
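The following is an added illustration of the bug class described above, written for this page; it is not Langflow's own code and does not reproduce the patched handler. The upload directory (/srv/app/uploads) and the sample filenames are constructed for the demonstration. `unsafe_destination()` shows where a "../" in the `filename` field lands when the name is joined to the upload directory without validation; `safe_destination()` shows the check a hardened handler needs: keep only a bare file name, reject any path component, and confirm that the resolved target is a direct child of the upload root.

```python
import os
from pathlib import Path, PurePosixPath

# Assumed upload directory for the demonstration; not Langflow's actual path.
UPLOAD_ROOT = "/srv/app/uploads"


def unsafe_destination(upload_root: str, filename: str) -> str:
    """The bug pattern: the client-supplied filename is joined to the upload
    directory with no validation, so '../' segments walk out of it.
    Returns the normalised path such a write would actually land on."""
    return os.path.normpath(os.path.join(upload_root, filename))


def safe_destination(upload_root: str, filename: str) -> Path:
    """Hardened form: accept only a bare file name and prove that the resolved
    target is a direct child of the upload root. Raises ValueError otherwise."""
    if not filename or "\x00" in filename:
        raise ValueError("empty filename or embedded NUL")
    # Treat backslashes as separators too, so '..\\..\\x' is caught on Linux as well.
    candidate = filename.replace("\\", "/")
    # Keep only the last component; if anything was dropped, the name carried a path.
    base = PurePosixPath(candidate).name
    if base != candidate or base in (".", ".."):
        raise ValueError(f"path components in filename: {filename!r}")
    root = Path(upload_root).resolve()
    dest = (root / base).resolve()
    # Defence in depth: a pre-existing symlink named `base` inside the root could
    # still point elsewhere, so compare the resolved parent, not the string prefix.
    if dest.parent != root:
        raise ValueError(f"target escapes upload root: {dest}")
    return dest


def is_accepted(upload_root: str, filename: str) -> bool:
    """True when safe_destination() would allow the name, False when it rejects it."""
    try:
        safe_destination(upload_root, filename)
        return True
    except ValueError:
        return False


# Constructed sample values for the 'filename' field, as a client might send them.
SAMPLES = [
    "report.pdf",
    "../../etc/cron.d/backdoor",
    "..\\..\\windows\\tasks\\x.job",
    "subdir/notes.txt",
    "..",
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name!r:36} naive    -> {unsafe_destination(UPLOAD_ROOT, name)}")
        verdict = "accept" if is_accepted(UPLOAD_ROOT, name) else "reject"
        print(f"{'':36} hardened -> {verdict}")
```

Run it directly to see, for each sample, the path a naive join would write to versus the hardened verdict; the traversal sample ends up at /srv/etc/cron.d/backdoor under the naive join, two directories above the upload root. The resolved-parent comparison is deliberately preferred over a `startswith()` check on the string: a prefix test passes for /srv/app/uploads-evil and for a symlink inside the root, while the resolved parent test does not.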
The vulnerability affects Langflow versions up to and including 1.8.4. After the initial report to the vendor, the fix took 73 days to arrive: it shipped on April 15, 2026 in version 1.9.0, and current releases such as 1.10.0 include it. According to the Cloud Security Alliance, approximately 7,000 Langflow instances are directly exposed on the internet. Security researchers from EQST Lab have demonstrated that the arbitrary file write can be escalated to remote code execution, particularly when auto-login is enabled.
Active exploitation of CVE-2026-5027 has been confirmed: VulnCheck documented attacks involving file-drop attempts, and publicly available exploit code lowers the barrier for opportunistic attackers. Exploitation has also been attributed to the Iranian state-sponsored group MuddyWater.
The risk is amplified by the fact that many organizations have rapidly deployed AI orchestration tools like Langflow without production-grade hardening. Default authentication settings frequently remain in place, and instances sit on public IP addresses because stakeholders wanted demo functionality, with no clear owner for patching. The same pattern applies across the ecosystem of similar low-code platforms such as Flowise, n8n, and Dify.
Source: www.csoonline.com · Published June 15, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrasing and classification by Lumi News Pipeline v1.7.1.