CVE-2026-5027

Confirmed PUBLISHED

Langflow - Path Traversal Arbitrary File Write via upload_user_file

langflow-ai · langflow

Not yet in CISA KEV

Exploited in the wild Active exploitation observed PoC available

Recommended Action

Prioritize immediate patching and validate internet-facing exposure. Monitor for matching exploitation attempts in your environment.

Confidence
Confirmed
Exploitation Status
Active exploitation observed
Observed in Sensors
Yes
Attempts (30d)
3
Unique Attacker IPs
2
CISA KEV
Not yet in CISA KEV
CVSS / EPSS
8.8 High EPSS 31.4%

At a Glance

The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences ('../').

nuclei_scanner
CVE Published
Mar 27, 2026
Exploitation Reported
Jun 10, 2026
CVSS
8.8 High
EPSS
31.4%
Remote Low complexity No user interaction

Affected Versions

Vendor Product Version Status
langflow-ai
langflow

0

Affected

CVE References

Recommended Actions

  • Prioritize immediate patching and validate internet-facing exposure. Monitor for matching exploitation attempts in your environment.
  • Review sensor telemetry for request paths, attacker IPs, and payload patterns that may inform detection and exposure validation.
  • Check enrichment artifacts for scanner coverage and available PoCs before rolling remediation validation.
  • Use the Pro API to automate enrichment, telemetry, and workflow delivery for VM, SOC, and CTI pipelines.