A path traversal vulnerability in Langflow is being actively exploited to achieve remote code execution (RCE). CVE-2026-5027, which carries a CVSS score of 8.8 according to the NVD record, affects the POST /api/v2/files endpoint and allows an attacker to write arbitrary files to the filesystem. Approximately 7,000 Langflow instances are exposed to the internet, primarily in North America. The risk is exacerbated by the platform's default configuration: unauthenticated auto-login issues valid session tokens without requiring credentials.
- CVE-2026-5027 is a path traversal vulnerability in Langflow's
POST /api/v2/filesendpoint, discovered by Tenable and disclosed on March 27, 2026. - VulnCheck confirms active exploitation in the wild; the writing of test files via "../" sequences is documented.
- Langflow enables unauthenticated auto-login by default: a single request generates a valid session token, removing the need for credentials.
- A fix is available in version 1.9.0, released April 15, 2026; however, the attack surface remains broad with approximately 7,000 instances exposed according to Censys data.
Technical Breakdown: Path Traversal via File Upload
Langflow's POST /api/v2/files endpoint accepts multipart form data without sanitizing the filename parameter. According to the Tenable advisory cited in the NVD record, this allows the insertion of path traversal sequences ("../") to write files to arbitrary locations on the filesystem. This technique is a classic but effective bypass, as the server interprets the attacker-supplied name as a literal path, overstepping intended directories.
The core danger lies in the combination with unauthenticated auto-login. As Caitlin Condon, VP of security research at VulnCheck, reported via The Hacker News: "Because Langflow enables unauthenticated auto-login by default, no credentials are required to reach the vulnerable endpoint, and a single unauthenticated request is sufficient to obtain a valid session token before proceeding with exploitation." The resulting token grants access to the vulnerable endpoint, making the entire chain executable remotely without any credentials.
A statement from VulnCheck via SecurityWeek amplifies the risk: "The flaw can enable remote code execution (RCE), and because Langflow enables unauthenticated auto-login by default, attackers can reach the vulnerable endpoint without credentials." RCE occurs when the written file is placed in a directory that is executable or importable by the Langflow Python runtime, completing the system compromise.
Discovery and Disclosure Timeline
Tenable identified the vulnerability and attempted to contact Langflow maintainers three times between January and February 2026 without receiving a response. Public disclosure followed on March 27, 2026. Maintainers released version 1.9.0 with the fix on April 15, 2026, approximately three weeks later. VulnCheck subsequently observed active exploitation attempts across the network.
The timeline reveals a recurring pattern in the open-source AI tool ecosystem: platforms designed for rapid prototyping often receive delayed or insufficient security attention. CVE-2026-5027 is not an isolated case; SecurityWeek separately documented another Langflow vulnerability (CVE-2026-33017) exploited in March 2026. This context indicates the platform is a repeated target, though sources have not established infrastructural links between the attacks or attributed the operators to specific threat groups.
"The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences ('../')" — Tenable advisory via NVD
The Perils of Insecure Defaults
Langflow is designed as a visual prototyping tool for LLM flows, emphasizing drag-and-drop components and immediate execution. This philosophy results in defaults optimized for developer convenience rather than production security. Unauthenticated auto-login is a prime example: it removes the authentication step to accelerate the initial setup but exposes the instance to anyone reachable via the network.
The NVD record classifies the vulnerability as CWE-22 (Path Traversal) and assigns the CVSS vector: 3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The PR:L (Privileges Required: Low) component appears to conflict with the unauthenticated exploitation documented by VulnCheck and SecurityWeek. This discrepancy remains unresolved in the dossier and may reflect a different NVD interpretation of the auto-login mechanism or the record's "enrichment pending" status.
Approximately 7,000 Langflow instances are exposed to the internet according to Censys data cited by The Hacker News. The geographic distribution is concentrated in North America. No source has quantified how many of these instances are currently vulnerable, how many have applied the patch, or how many have been successfully compromised.
Mitigation and Immediate Actions
Priority actions are derived directly from the documented facts:
- Verify the installed version: Langflow 1.9.0, released April 15, 2026, contains the fix. Previous versions are vulnerable.
- Disable unauthenticated auto-login: If the configuration allows token issuance without credentials, this setting must be modified to require explicit authentication.
- Identify exposed instances: Security teams must map any Langflow deployments accessible from the internet, including those launched for internal experimentation and subsequently exposed.
- Assert ownership of AI assets: LLM prototyping tools often bypass standard IT inventory. CVE-2026-5027 demonstrates that these assets require the same security rigor as production systems.
The Broader Risk: AI Infrastructure as an Attack Surface
The significance of CVE-2026-5027 extends beyond a single flaw. LLM orchestration platforms are migrating from isolated development environments to networked infrastructures with public exposure, often without the full awareness of security teams. Langflow's permissive defaults are not implementation errors but design choices intended to favor speed. When this speed meets network exposure, the result is a single-request, unauthenticated attack.
The repetition of Langflow vulnerabilities in 2026—CVE-2026-33017 in March and CVE-2026-5027 with confirmed exploitation in June—suggests that threat actors are systematically mapping this category of targets. Organizations treating AI tools as "internal experimentation only" risk discovering that the experiment has become shadow production with unmanaged exposure.
The gap is not technical but organizational: those deploying Langflow are not necessarily those managing security, and hardening timelines are failing to keep pace with deployment speeds. CVE-2026-5027 serves as a concrete demonstration of this misalignment.
Information has been verified against cited sources and is current as of the time of publication.
Sources
- https://vulert.com/blog/langflow-cve-2026-5027-rce-exploited/
- https://www.reconbee.com/unpatched-langflow-flaw-cve-2026-5027-exploited-for-unauthenticated-rce/
- https://blog.ibvl.in/index.php/2026/06/10/unpatched-langflow-flaw-cve-2026-5027-exploited-for-unauthenticated-rce/
- https://www.securityweek.com/hackers-exploit-langflow-vulnerability-for-remote-code-execution/amp/
- https://cybersecuritynews.com/oracle-peoplesoft-0-day-rce-vulnerability/amp/
- https://nvd.nist.gov/vuln/detail/CVE-2026-5027
- https://thehackernews.com/2026/06/unpatched-langflow-flaw-cve-2026-5027.html
- https://www.securityweek.com/greatxml-zero-day-exploit-bypasses-bitlocker/
- https://www.securityweek.com/critical-langflow-vulnerability-exploited-hours-after-public-disclosure/
- https://www.securityweek.com/splunk-palo-alto-networks-patch-severe-vulnerabilities/