What happened
CVE-2026-5027 is a path traversal vulnerability in Langflow's file-upload endpoint that lets unauthenticated attackers write arbitrary files to the server filesystem, leading to remote code execution (RCE). Active exploitation was confirmed by The Stack in an article published 2026-06-15T22:22:34Z, titled 'Langflow instances are getting exploited – again', whose summary reads: 'A critical vulnerability in AI toolkit Langflow, CVE-2026-5027, is getting exploited in the wild — but has yet to hit CISA's KEV'. This repeats the exploitation pattern seen in earlier Langflow RCE incidents.
Why it matters
Langflow is used to build and host multi-agent AI workflows with access to datastores, APIs, and LLM provider keys. Unauthenticated RCE on an exposed instance gives attackers full control of the agent pipelines, access to every connected credential and vector database, and the ability to manipulate or exfiltrate AI workflow data. The article notes that instances are commonly left on public IPs with default authentication settings, which widens the effective blast radius.
Attack vector
An unauthenticated attacker sends a crafted multipart POST to the file-upload endpoint (/api/v2/files) whose unsanitized 'filename' parameter contains path-traversal sequences. The server joins that name into its upload directory without validation, so the attacker can write an arbitrary file (e.g. a web shell) anywhere the service account can reach and achieve remote code execution.
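The bug class above comes down to how a client-supplied filename is joined into the upload directory. The following is an added illustration, not Langflow's code and not taken from the advisory: it shows the unsafe join beside a hardened version that allow-lists the name and then confirms the resolved path still sits under the upload root. UPLOAD_ROOT, unsafe_upload_path, validate_filename and safe_upload_path are hypothetical names; the sample filenames are constructed and nothing here touches the filesystem.

```python
# Added example (not Langflow's code): an upload-path helper showing the unsafe
# join the advisory describes beside a hardened version. UPLOAD_ROOT is a
# hypothetical directory; nothing here reads or writes the filesystem.
import re
from pathlib import Path

UPLOAD_ROOT = Path("/var/lib/app/uploads")  # hypothetical upload directory

# Allow-list: must start with a letter or digit, so '.', '..' and dotfiles are
# out, and may not contain a path separator, NUL, or anything outside this set.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def is_within(root: Path, candidate: Path) -> bool:
    """True if candidate, after normalisation and symlink resolution, lies under root."""
    try:
        candidate.resolve().relative_to(root.resolve())
        return True
    except ValueError:
        return False


def unsafe_upload_path(filename: str) -> Path:
    """The vulnerable pattern: the client-controlled filename is joined straight
    into the upload directory. '..' components walk out of UPLOAD_ROOT, and an
    absolute filename replaces the root entirely (pathlib join semantics)."""
    return UPLOAD_ROOT / filename


def unsafe_escapes(filename: str) -> bool:
    """Where the unsafe join would actually land; used only to show the gap."""
    return not is_within(UPLOAD_ROOT, unsafe_upload_path(filename))


def validate_filename(filename: str) -> bool:
    """Hardened check: accept only allow-listed names (no separators, no
    traversal, no NUL), regardless of what the client claims."""
    return _SAFE_NAME.fullmatch(filename) is not None


def safe_upload_path(filename: str) -> Path:
    """Hardened join: allow-list the name, then confirm the resolved path is
    still inside UPLOAD_ROOT (defense in depth against a future regex slip)."""
    if not validate_filename(filename):
        raise ValueError(f"rejected upload filename {filename!r}")
    candidate = UPLOAD_ROOT / filename
    if not is_within(UPLOAD_ROOT, candidate):
        raise ValueError("resolved path escapes upload root")
    return candidate


if __name__ == "__main__":
    # Constructed sample names: one benign, the rest the shapes a validator must refuse.
    for name in ("report.txt", "../../outside.txt", "/outside.txt", "..", ".env"):
        print(f"{name!r:24} unsafe_escapes={unsafe_escapes(name)!s:5} "
              f"accepted={validate_filename(name)}")
```

The allow-list does the real work; the `is_within` check is there so that a later loosening of the regex cannot silently reintroduce the escape. Rejecting rather than "cleaning" a bad name also gives you a log line to alert on.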
Affected systems
Langflow < 1.9.0
Mitigation
Upgrade to Langflow 1.9.0; place all instances behind a VPN or a reverse proxy that enforces authentication; restrict public IP exposure. Advisory: https://www.thestack.technology/langflow-instances-are-getting-exploited-again/
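Until every instance is upgraded, the reverse proxy (or a request-logging middleware) in front of /api/v2/files is the place to spot attempts. The block below is an added example, not part of the advisory or of Langflow: it pulls the declared upload filenames out of a captured multipart body, including the RFC 5987 `filename*=` form where traversal arrives percent-encoded, and flags the ones that carry a `..` component, an absolute path or a NUL byte. The request body and the function names (extract_filenames, is_traversal, flag_request) are constructed for the illustration.

```python
# Added example, not from the advisory or Langflow: inspect a captured multipart
# request body and flag upload filenames that carry traversal sequences, as a
# reverse-proxy rule or logging middleware in front of /api/v2/files might.
import re
from urllib.parse import unquote

# Matches both   filename="../../x"   and   filename*=UTF-8''..%2F..%2Fx
_FILENAME_RE = re.compile(r'filename\*?=(?:"([^"]*)"|([^;\r\n]+))', re.IGNORECASE)

# A '..' that is a whole path component (start or separator on both sides).
# 'a..b.txt' and '...txt' do not match, so ordinary names are not flagged.
_TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def extract_filenames(body: bytes) -> list[str]:
    """Return every upload filename declared in the multipart body, with the
    RFC 5987 (filename*=charset''value) form percent-decoded."""
    names = []
    for m in _FILENAME_RE.finditer(body.decode("latin-1")):
        raw = m.group(1) if m.group(1) is not None else m.group(2).strip()
        if m.group(0).lower().startswith("filename*"):
            # drop the charset''lang prefix, then percent-decode the value
            raw = unquote(raw.split("'", 2)[-1])
        names.append(raw)
    return names


def is_traversal(name: str) -> bool:
    """Detection heuristic (deliberately aggressive: decodes once more so a
    percent-encoded '..' in a plain filename= is also caught)."""
    name = unquote(name)
    if "\x00" in name:
        return True
    if name.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:", name):
        return True
    return bool(_TRAVERSAL.search(name))


def flag_request(body: bytes) -> list[str]:
    """Filenames in this request that should raise an alert."""
    return [n for n in extract_filenames(body) if is_traversal(n)]


# Constructed sample body: one benign part, two traversal attempts (plain and
# RFC 5987 percent-encoded). Not a real capture.
SAMPLE_BODY = (
    b"--boundary\r\n"
    b'Content-Disposition: form-data; name="file"; filename="notes.txt"\r\n'
    b"Content-Type: text/plain\r\n\r\nhello\r\n"
    b"--boundary\r\n"
    b'Content-Disposition: form-data; name="file"; filename="../../outside.txt"\r\n'
    b"Content-Type: text/plain\r\n\r\nx\r\n"
    b"--boundary\r\n"
    b"Content-Disposition: form-data; name=\"file\"; filename*=UTF-8''..%2F..%2Foutside.txt\r\n"
    b"Content-Type: text/plain\r\n\r\ny\r\n"
    b"--boundary--\r\n"
)

if __name__ == "__main__":
    print("declared:", extract_filenames(SAMPLE_BODY))
    print("flagged: ", flag_request(SAMPLE_BODY))
```

Run it as a one-off over saved request bodies, or wire `flag_request` into whatever sits in front of the upload route and emit an alert (source IP, declared filename) rather than silently dropping the request; the alert is what tells you an instance is being probed and still needs the upgrade.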