
Langflow CVE-2026-5027: unauthenticated file write to RCE under active attack

A path traversal in Langflow's /api/v2/files endpoint lets an unauthenticated request write files anywhere on disk. VulnCheck confirmed in-the-wild exploitation on June 9, 2026; ~7,000 instances are exposed.

2026-06-16 // 6 min affects: langflow, ai-agent-builders, rag-pipelines, llm-orchestration

What is this?

CVE-2026-5027 (CVSS 8.8) is a path-traversal flaw in Langflow, the open-source low-code platform used to build LLM agents, RAG pipelines, and AI workflows. The bug lets an attacker write files to arbitrary locations on the host filesystem through the file-upload endpoint. On June 9, 2026, VulnCheck reported that the flaw is being exploited in the wild, and The Hacker News covered the active exploitation on June 10. Censys data cited in that coverage puts roughly 7,000 Langflow instances publicly exposed on the internet, most of them in North America.

The vulnerability was found by Tenable, which published advisory TRA-2026-26 on March 27, 2026 after three unanswered contact attempts to the maintainers in January and February. It was fixed in Langflow 1.9.0, released April 15, 2026. This is a disclosed-and-patched issue we cover defensively — the danger now is the large population of stale, internet-facing deployments, not any secret technique.

How it works

The defect is mundane and well understood: the POST /api/v2/files endpoint takes a filename from multipart form data and does not sanitize it. Tenable’s write-up states that an attacker can supply directory-traversal sequences (../) in that field to escape the intended upload directory and drop a file anywhere the Langflow process can write.

Request path:   POST /api/v2/files
Tainted field:  multipart "filename"  ->  contains "../" sequences
Sink:           file is written using the attacker-controlled path
Result:         arbitrary file write outside the upload directory
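The flaw class above, shown next to a hardened handler, as an added example. This is not Langflow's code and not the 1.9.0 fix; the function names and the upload-root layout are hypothetical.

```python
from pathlib import Path


class UnsafeFilename(ValueError):
    """Raised when a client-supplied filename would land outside the upload root."""


def naive_destination(upload_root: Path, filename: str) -> Path:
    # The flawed pattern: the client-supplied name is joined as-is, so "../"
    # segments (or an absolute path) decide where the file ends up.
    return (upload_root / filename).resolve()


def safe_destination(upload_root: Path, filename: str) -> Path:
    root = upload_root.resolve()
    # Treat both separator styles as separators, then keep only the final
    # component so no directory part of the client's name survives.
    leaf = Path(filename.replace("\\", "/")).name
    if leaf in ("", ".", "..") or "\x00" in leaf:
        raise UnsafeFilename(f"rejected filename: {filename!r}")
    candidate = (root / leaf).resolve()
    # Defense in depth: after symlinks are resolved, the destination must
    # still be inside the upload root.
    if not candidate.is_relative_to(root):
        raise UnsafeFilename(f"escapes upload root: {filename!r}")
    return candidate
```

Storing uploads under a server-generated name and keeping the client's name only as metadata removes the tainted path component entirely.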

Two design choices turn an arbitrary file write into unauthenticated remote code execution:

  • Auto-login by default. As VulnCheck’s Caitlin Condon noted, Langflow enables unauthenticated auto-login out of the box, so a single unauthenticated request yields a valid session token before exploitation even begins. No credentials are needed to reach the endpoint.
  • Write-to-execute pivots. An arbitrary write becomes code execution through familiar routes — overwriting a configuration file, planting a startup or cron entry, or replacing a file that the application later imports or runs. This is the same write-primitive-to-RCE pattern seen across AI agent frameworks.

Per the public reporting, current exploitation is still coarse — attackers are dropping harmless test files to fingerprint vulnerable hosts, a typical precursor to weaponized payloads. We do not publish a working exploit; the mechanism above is enough to understand and remediate the exposure.

Why it matters

Langflow sits at the center of AI build pipelines, frequently wired to API keys, vector stores, model endpoints, and internal services. A host running Langflow is rarely just one box — it is a hinge into the surrounding environment. Arbitrary file write as an unauthenticated user on such a host is close to a worst case.

The timing compounds the risk. The fix shipped in mid-April, but exploitation went live in June against the long tail of unpatched servers — the same dynamic we flagged in the open-source AI vulnerability flood and in the count of a million exposed AI services. CVE-2026-5027 is also not Langflow’s first rodeo this year: it follows CVE-2026-33017, CVE-2026-0770, CVE-2026-21445, and CVE-2025-34291 — the last of which was weaponized by the Iranian state-linked group MuddyWater. A tool under sustained attacker attention deserves to be treated as a high-value target, not a developer convenience.

Defenses

  • Patch now. Upgrade to Langflow 1.9.0 or later. This is the only complete fix; everything else is mitigation.
  • Kill default auto-login. Require real authentication and disable unauthenticated auto-login. The single-request-to-session-token property is what makes this remotely exploitable at scale.
  • Get Langflow off the public internet. Place it behind a VPN, reverse proxy with authentication, or IP allowlist. Roughly 7,000 instances are reachable today; yours should not be one of them.
  • Constrain the process. Run Langflow as a low-privilege user in a container, read-only wherever possible; mount its working directories noexec and minimize what an arbitrary write could overwrite or execute.
  • Rotate exposed secrets. If an instance was internet-facing while unpatched, treat connected API keys, model credentials, and database secrets as potentially compromised and rotate them.
  • Hunt for the write primitive. Search logs for POST /api/v2/files requests whose filename contains .., and check for unexpected files in config, cron, or startup paths. Test-file drops are the current indicator of compromise.
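One way to run the log hunt from the last item, as an added example that is not from the original article or from Langflow. It assumes a reverse proxy or WAF that logs one JSON object per request and records the multipart filename in a hypothetical "upload_filename" field; the sample records are constructed.

```python
import json
from urllib.parse import unquote

# Constructed sample. Assumption: a proxy/WAF in front of Langflow logs JSON
# lines and records the multipart filename as "upload_filename" (hypothetical).
SAMPLE_LOG = """\
{"ts":"2026-06-10T08:01:12Z","src":"198.51.100.7","method":"POST","path":"/api/v2/files","upload_filename":"notes.txt"}
{"ts":"2026-06-10T08:03:40Z","src":"203.0.113.25","method":"POST","path":"/api/v2/files","upload_filename":"../../tmp/probe.txt"}
{"ts":"2026-06-10T08:03:55Z","src":"203.0.113.25","method":"POST","path":"/api/v2/files/","upload_filename":"%2e%2e%2fprobe2.txt"}
{"ts":"2026-06-10T08:04:02Z","src":"192.0.2.14","method":"GET","path":"/api/v2/files","upload_filename":null}
{"ts":"2026-06-10T08:05:19Z","src":"192.0.2.14","method":"POST","path":"/health","upload_filename":"../x"}
truncated or non-JSON line
"""


def normalize(name: str) -> str:
    # Undo up to three layers of percent-encoding and unify separators so an
    # encoded name is compared in the same form as a literal "../".
    for _ in range(3):
        decoded = unquote(name)
        if decoded == name:
            break
        name = decoded
    return name.replace("\\", "/")


def is_traversal(name: str) -> bool:
    # ".." must be a whole path segment, so "report..v2.txt" is not flagged.
    norm = normalize(name)
    return norm.startswith("/") or ".." in norm.split("/")


def suspicious_uploads(log_text: str) -> list:
    hits = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than abort the hunt
        if not isinstance(rec, dict) or rec.get("method") != "POST":
            continue
        if str(rec.get("path") or "").rstrip("/") != "/api/v2/files":
            continue
        name = rec.get("upload_filename")
        if isinstance(name, str) and is_traversal(name):
            hits.append(rec)
    return hits
```

Standard access logs do not record multipart field values, so this only works where the proxy, WAF, or application logging captures the filename.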

Status

Item                 Detail
CVE                  CVE-2026-5027 (CVSS 8.8)
Class                Path traversal → arbitrary file write → RCE
Endpoint             POST /api/v2/files (unsanitized filename)
Reach                Unauthenticated (default auto-login)
Discovered by        Tenable — advisory TRA-2026-26
Disclosed            March 27, 2026 (after 3 contact attempts Jan–Feb)
Patched              Langflow 1.9.0, April 15, 2026
Active exploitation  Confirmed by VulnCheck, June 9, 2026
Exposure             ~7,000 public instances (Censys), mostly North America

The durable lesson is unglamorous: a classic web bug — unsanitized filename, path traversal — is just as devastating in an AI orchestration platform as in any other web app, and a patch in a repo does nothing for the thousands of servers that never apply it. Treat AI build infrastructure as production infrastructure: authenticate it, isolate it, patch it on a schedule, and assume attackers are scanning for it today.
