◈ AI Security Intelligence ← Daily feed
Vulnerability  ·  2026-06-15

Langflow AI Platform Path Traversal → Unauthenticated RCE Actively Exploited (CVE-2026-5027)

VulnerabilityHigh impactGlobalCVE-2026-5027
What happened
Langflow's POST /api/v2/files file-upload endpoint fails to sanitize the 'filename' parameter in multipart form data, allowing attackers to write arbitrary files anywhere on the host filesystem via ../ path traversal sequences. Because Langflow ships with unauthenticated auto-login enabled by default, no credentials are required — a single unauthenticated HTTP request yields a valid session token. VulnCheck honeypots detected in-the-wild exploitation beginning June 8–10, 2026, with attackers dropping test files on vulnerable instances as a precursor to cron-based reverse shells. Approximately 7,000 Langflow instances are publicly exposed on the internet. Tenable publicly disclosed on March 27 after three failed vendor contact attempts; patches landed in langflow-base 0.8.3 and Langflow 1.10.0 (released June 10, 2026).
Why it matters
Langflow is a widely-used visual platform for building AI agents, RAG pipelines, and MCP-based workflows (149,000+ GitHub stars). Exploitation grants unauthenticated root-level code execution on the host running the AI orchestration layer, allowing an attacker to exfiltrate model API keys, poison agent memory/data, redirect agent tool calls, or pivot deeper into the AI infrastructure. This is the second Langflow RCE actively exploited in 2026, and nation-state group MuddyWater has previously been linked to Langflow exploitation.
Attack vector
Unauthenticated HTTP POST to /api/v2/files with ../ sequences in the filename parameter; auto-login default provides session token without credentials, enabling direct file write to /etc/cron.d/ or web-shell placement for RCE
Affected systems
Langflow < 1.9.0 (application), langflow-base < 0.8.3; all versions with AUTO_LOGIN enabled and public internet exposure
Mitigation
Upgrade to Langflow 1.10.0 (langflow-base 0.8.3). Disable AUTO_LOGIN (set LANGFLOW_AUTO_LOGIN=false). Block public internet exposure to port 7860. If exposed prior to patching, assume compromise and audit filesystem for unauthorized cron jobs and web shells. Advisory: https://www.bleepingcomputer.com/news/security/path-traversal-flaw-in-ai-dev-platform-langflow-exploited-in-attacks/
Sources
BleepingComputer — Path traversal flaw in Langflow exploited in attacks (Jun 10, 2026)Tenable Advisory TRA-2026-26The Hacker News — Langflow CVE-2026-5027 (Jun 2026)SecurityWeek — Hackers Exploit Langflow Vulnerability for RCE (Jun 11, 2026)
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →