What happened
Prior to Langflow 1.9.2, every component derived from BaseFileComponent (used in RAG/knowledge-base flows) accepts absolute file paths without sanitization. An attacker who controls the file input to a RAG pipeline can supply the absolute path of any file on the server filesystem, and the node reads and exposes it. CVSS 9.6 Critical, published 2026-06-23.
Why it matters
This weaponizes Langflow's own RAG pipeline against itself — an attacker who can influence file inputs (e.g. through a shared or public flow, or via IDOR per CVE-2026-55255) can exfiltrate arbitrary server files including /etc/shadow, SSH keys, .env files with LLM API keys, and model credentials through the AI pipeline's normal output channel.
Attack vector
Supply an absolute filesystem path (e.g. /etc/passwd) as the file input to any BaseFileComponent-derived RAG node in a Langflow flow; the node reads and processes that file, leaking its contents via the flow output.
Affected systems
Langflow < 1.9.2
Mitigation
Upgrade to Langflow 1.9.2. Fix PR: https://github.com/langflow-ai/langflow/pull/12945
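As an added illustration (not Langflow's code and not the contents of the fix PR above), the shape of the pre-1.9.2 bug beside the path-confinement check such a file component needs: reject absolute inputs, resolve symlinks, and require the result to stay under a single upload root. The upload root, the planted symlink and the sample inputs are constructed for the demo.

```python
# Added example, not Langflow's code: the check pre-1.9.2 file components lacked.
import os
import tempfile
from pathlib import Path


class UnsafeFilePath(ValueError):
    """Raised when a supplied path would make the node read outside the root."""


def vulnerable_resolve(upload_root: str, user_path: str) -> Path:
    """Pre-fix shape of the bug: joining discards the root when the
    user-supplied component is absolute, so the node reads that file."""
    return Path(upload_root) / user_path


def resolve_file_input(upload_root: str, user_path: str) -> Path:
    """Return the file a RAG node may read for `user_path`, or raise.
    Rejects absolute paths, resolves symlinks and requires the result to stay
    under `upload_root` (assumption: ingested files live under one root)."""
    if os.path.isabs(user_path):
        raise UnsafeFilePath(f"absolute path not allowed: {user_path!r}")
    root = Path(upload_root).resolve()
    candidate = (root / user_path).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise UnsafeFilePath(f"path escapes upload root: {user_path!r}") from None
    return candidate


def demo() -> dict:
    """Constructed scenario: a legitimate upload, a symlink out of the root,
    and inputs of the shape described in the advisory."""
    root = tempfile.mkdtemp(prefix="uploads_")
    Path(root, "notes.txt").write_text("knowledge base document")
    os.symlink("/etc", Path(root, "link"))  # planted symlink escape (constructed)
    results = {
        "safe_read": resolve_file_input(root, "notes.txt").read_text(),
        "vulnerable_abs": str(vulnerable_resolve(root, "/etc/hostname")),
    }
    for untrusted in ("/etc/hostname", "../../etc/hostname", "link/hostname"):
        try:
            resolve_file_input(root, untrusted)
            results[untrusted] = "allowed"
        except UnsafeFilePath:
            results[untrusted] = "rejected"
    return results
```

The `vulnerable_abs` entry shows the root silently dropped by the join, which is why an unsanitized absolute input reaches the filesystem read; the hardened resolver rejects all three untrusted inputs while still serving the legitimate upload.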