
Langflow — the drag-and-drop AI agent and RAG workflow builder running on hundreds of thousands of developer machines — has an actively exploited path traversal vulnerability. No credentials required. VulnCheck confirmed in-the-wild attacks on June 8, 2026. Censys found roughly 7,000 publicly exposed instances. If you’re running Langflow before 1.9.0 anywhere internet-accessible, stop reading and upgrade to 1.10.0 first.
What the Vulnerability Actually Does
CVE-2026-5027 lives in Langflow’s file upload endpoint — specifically POST /api/v2/files. The upload_user_file() function passes the client-supplied filename directly to the storage layer without sanitizing it. Drop ../ sequences into the filename, and you can write files to arbitrary locations on the server’s filesystem, far outside the intended upload directory.
The path from arbitrary file write to remote code execution is well-understood: overwrite a configuration file, drop a script into an executable location, poison a file that gets loaded at runtime. Observed attack traffic so far shows reconnaissance writes — attackers checking whether exploitation works before they do anything louder.
The reason this is especially bad: Langflow enables unauthenticated auto-login by default. Most default deployments admit anyone who reaches the web interface without asking for credentials. That means the upload endpoint is reachable by anyone who can hit your server, with no login step in between.
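The filename handling described above, as an added example (not Langflow's code and not its actual patch): a join that trusts the client's filename next to a check that accepts only a bare file name and then confirms the resolved path stays inside the upload directory. The function names and the sample directory are hypothetical.

```python
import os
from pathlib import Path, PurePosixPath, PureWindowsPath


class UnsafeFilename(ValueError):
    """Raised when a client-supplied filename cannot be stored safely."""


def naive_target(upload_dir: str, filename: str) -> str:
    # The flaw described above: the client's filename is joined unchanged,
    # so "../" components (or an absolute path) walk out of upload_dir.
    return os.path.normpath(os.path.join(upload_dir, filename))


def safe_target(upload_dir: str, filename: str) -> Path:
    # 1. Accept a bare file name only. Checking under both POSIX and
    #    Windows rules catches "/", "\\" and drive prefixes such as "C:".
    bare = PureWindowsPath(PurePosixPath(filename).name).name
    if bare != filename or bare in {"", ".", ".."} or "\x00" in bare:
        raise UnsafeFilename(f"rejected filename: {filename!r}")
    # 2. Defence in depth: resolve symlinks and confirm containment.
    base = Path(upload_dir).resolve()
    target = (base / bare).resolve()
    if not target.is_relative_to(base):
        raise UnsafeFilename(f"escapes upload directory: {filename!r}")
    return target


def check_names(upload_dir: str, names: list[str]) -> dict[str, bool]:
    """Map each candidate filename to True if safe_target() accepts it."""
    verdicts = {}
    for name in names:
        try:
            safe_target(upload_dir, name)
            verdicts[name] = True
        except UnsafeFilename:
            verdicts[name] = False
    return verdicts


if __name__ == "__main__":
    # Constructed sample inputs, not captured attack traffic.
    samples = ["report.pdf", "../../etc/cron.d/job", "/etc/passwd",
               "..\\..\\app.cfg", "C:notes.txt"]
    for name, ok in check_names("/tmp/langflow-uploads", samples).items():
        print(f"{'accept' if ok else 'REJECT'}  {name!r}")
```

Rejecting a name outright, rather than silently stripping it to its last component, also leaves a log line worth alerting on.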
How Bad Is the Exposure
Censys found approximately 7,000 Langflow instances accessible from the public internet, most in North America. The CVSS score is 8.8. CISA added CVE-2026-5027 to its Known Exploited Vulnerabilities catalog and directed federal agencies to patch by the June deadline. A public proof-of-concept exploit landed on GitHub on June 12 — today — which means the attack surface just widened significantly. If you were waiting to see if this was real, stop waiting.
What’s sitting on a typical Langflow server is worth noting: API keys for OpenAI, Anthropic, and Google AI in environment variables; vector database credentials for Pinecone or Weaviate; possibly AWS or GCP access keys; and the documents your RAG pipeline ingests. Langflow is usually the hub of an AI stack, not a peripheral tool. That makes it a high-value target.
Langflow’s Third Critical RCE in Twelve Months
This is not a freak accident. It’s the third time in roughly twelve months that a critical, unauthenticated RCE has landed in Langflow — and each one has been exploited in the wild.
| CVE | CVSS | Type | Exploited | Fixed In |
|---|---|---|---|---|
| CVE-2025-3248 | 9.8 | Unauthenticated exec() on validate endpoint | Yes — Flodrix botnet | 1.3.0 |
| CVE-2025-34291 | 9.4 | CORS + CSRF + code execution chain | Yes — January 2026 | Patched 2025 |
| CVE-2026-5027 | 8.8 | Path traversal to file write to RCE | Yes — June 8, 2026 | 1.9.0 / 1.10.0 |
The common thread is obvious. Each vulnerability traces back to two things: open defaults that expose functionality without authentication, and missing input validation on data that comes from users. These are not novel attack categories. They are the same mistakes that plagued web frameworks in 2010. The difference is that AI dev tools are being built at a pace where security testing is, charitably, an afterthought.
DataStax and the Langflow team have been responsive when vulnerabilities surface — patches have followed within reasonable windows. But three exploited critical CVEs in twelve months from the same root causes signals something deeper than a one-off oversight.
How to Fix It
Upgrade to Langflow 1.10.0. That’s the recommended version as of June 2026. Minimum safe version is 1.9.0, released April 15, 2026 — more than six weeks ago. If you’re behind that, you’ve been vulnerable for a while.
Check your version:
pip show langflow | grep Version
Upgrade:
pip install --upgrade langflow
Beyond upgrading, harden your deployment:
- Keep Langflow off the public internet. It’s a developer tool, not a production web app. Put it behind a VPN or restrict to internal IPs.
- Disable auto-login if your deployment does not need it. Forcing authentication reduces the attack surface for any future endpoint-level vulnerabilities.
- Rotate your credentials if you’ve been running a vulnerable version with public exposure. Treat any environment variables on that server as compromised.
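The version check and the hardening bullets above, combined into one triage function per host (an added example, not a Langflow or DataStax tool). It assumes `LANGFLOW_AUTO_LOGIN` is the environment variable controlling auto-login and that the listed spellings disable it; `internet_facing` is supplied by the caller from inventory data, and the finding codes are hypothetical.

```python
import re

MIN_FIXED = (1, 9, 0)      # minimum safe version named in the article
RECOMMENDED = (1, 10, 0)   # recommended version named in the article
FALSE_VALUES = {"false", "0", "no", "off"}  # assumed boolean spellings


def parse_version(text: str) -> tuple[int, int, int]:
    # Accepts "1.8.2" or a `pip show` line such as "Version: 1.8.2".
    # Numeric release only; pre-release suffixes (rc, dev) are ignored.
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def audit(version: str, env: dict[str, str], internet_facing: bool) -> list[str]:
    """Return finding codes for one Langflow host."""
    findings = []
    release = parse_version(version)
    if release < MIN_FIXED:
        findings.append("VULNERABLE_CVE_2026_5027")
    elif release < RECOMMENDED:
        findings.append("UPGRADE_TO_1_10_0")
    # Auto-login is on by default, so an unset variable counts as enabled.
    auto_login = env.get("LANGFLOW_AUTO_LOGIN", "true").strip().lower()
    if auto_login not in FALSE_VALUES:
        findings.append("AUTO_LOGIN_ENABLED")
    if internet_facing:
        findings.append("PUBLICLY_REACHABLE")
    # Third bullet above: a vulnerable version with public exposure means
    # every secret in the server's environment is treated as compromised.
    if release < MIN_FIXED and internet_facing:
        findings.append("ROTATE_CREDENTIALS")
    return findings


if __name__ == "__main__":
    # Constructed inventory rows: (host label, version, environment, exposed).
    hosts = [
        ("demo-box", "Version: 1.8.2", {}, True),
        ("team-lab", "1.9.0", {"LANGFLOW_AUTO_LOGIN": "False"}, False),
        ("patched", "1.10.0", {"LANGFLOW_AUTO_LOGIN": "false"}, False),
    ]
    for label, version, env, exposed in hosts:
        print(label, audit(version, env, exposed) or ["OK"])
```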
If you’re on DataStax’s cloud-hosted Langflow, the patch has been applied on their end — but verify your organization’s configuration settings have not left anything exposed.
The Bigger Picture
Langflow is not uniquely careless. It’s the most visible current example of a broader problem: AI development platforms are being built at startup speed for developer productivity, and security is getting left behind. These tools run with elevated permissions, hold credentials to half your stack, and are routinely exposed to the internet for demos and collaboration. They’re exactly what attackers look for.
Dark Reading found that 48% of security professionals now identify agentic AI as their top attack vector for 2026. The same threat actors behind this year’s TrapDoor npm campaign and the Miasma GitHub Actions worm are moving up the stack — toward the tools developers use to build AI systems. Langflow will not be the last target.
Treat your AI development tooling the way you treat your production web applications: with authentication enforced, inputs validated, secrets rotated regularly, and access restricted by default. The days when a Langflow instance “only I know about” was safe are over.













