Langflow RCE under active attack months after a patch was shipped

Enterprises using the open-source AI orchestration platform Langflow are being urged to patch a high-severity path traversal flaw amid active exploitation, despite a fix having been available for more than two months.

The bug, which stems from improper handling of filenames in Langflow’s file upload functionality, can allow attackers to write files to arbitrary locations within the affected system and, under certain conditions, can be used to achieve remote code execution (RCE) on affected servers.

Compounding the problem, Langflow ships with an auto-login behavior that lets unauthenticated users with a valid session reach the vulnerable endpoint without credentials.

“Langflow is a popular open-source tool for building AI applications,” said Jim Sherlock, VP of cybersecurity R&D at ProCircular. “Because the platform ships with login disabled by default, exploitation takes a single request with no credentials, resulting in full takeover of the machine.”

The cloud security non-profit Cloud Security Alliance (CSA) said approximately 7,000 Langflow instances are exposed to the internet.

Path traversal issue allowing full system takeover

Langflow is a popular low-code platform for building AI agents, RAG pipelines, and MCP-based workflows through a drag-and-drop interface. That popularity is adding to the concerns over CVE-2026-5027, a path traversal vulnerability assigned an 8.8 CVSS rating.

According to the CVE record, the vulnerability affects the POST /api/v2/files endpoint. The endpoint fails to properly validate the “filename” parameter supplied in the multipart form data, allowing attackers to include path traversal sequences such as “../” and write files outside the intended upload directory, to a location the attacker controls.
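The filename handling described above, as an added Python sketch that is not Langflow's code or its patch: a naive join of a client-supplied filename next to a validation routine that rejects path components and checks containment after resolution. The function names, the `/srv/uploads` directory and the sample filenames are assumptions constructed for the example.

```python
import os
from pathlib import Path

class UnsafeFilename(ValueError):
    """Raised when a client-supplied filename could leave the upload directory."""

def naive_destination(upload_dir: str, filename: str) -> str:
    # Flawed pattern: the client's filename is joined as-is, so "../" segments
    # or an absolute path decide where the file is written.
    return os.path.normpath(os.path.join(upload_dir, filename))

def safe_destination(upload_dir: str, filename: str) -> Path:
    # Treat "\" like "/" so Windows-style traversal is caught on any platform.
    name = filename.replace("\\", "/")
    if not name or "\x00" in name:
        raise UnsafeFilename("empty filename or NUL byte")
    # Reject instead of stripping: a name with any separator, or a bare
    # "." / "..", is never a plain filename.
    if "/" in name or name in (".", ".."):
        raise UnsafeFilename(f"path components not allowed: {filename!r}")
    base = Path(upload_dir).resolve()
    dest = (base / name).resolve()
    # Containment check after resolution: catches a pre-existing symlink in
    # the upload directory that points somewhere else.
    if dest.parent != base:
        raise UnsafeFilename(f"resolves outside upload directory: {filename!r}")
    return dest

def classify(upload_dir: str, filenames: list[str]) -> dict[str, str]:
    # Map each candidate filename to "accepted" or "rejected".
    verdicts = {}
    for candidate in filenames:
        try:
            safe_destination(upload_dir, candidate)
            verdicts[candidate] = "accepted"
        except UnsafeFilename:
            verdicts[candidate] = "rejected"
    return verdicts

# Constructed sample filenames, as they might arrive in multipart form data.
SAMPLES = ["report.pdf", "../../tmp/outside.txt", "/tmp/outside.txt",
           "..\\outside.txt", "sub/dir.txt", ".."]

if __name__ == "__main__":
    print(naive_destination("/srv/uploads", SAMPLES[1]))  # escapes the directory
    for name, verdict in classify("/srv/uploads", SAMPLES).items():
        print(f"{verdict:9} {name!r}")
```

Rejecting a suspicious name outright, instead of stripping the traversal sequences from it, avoids the bypasses that nested or re-encoded sequences cause in strip-based filters.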

Using a GitHub POC exploit, EQST Lab demonstrated how the flaw can be exploited to place attacker-controlled files in arbitrary filesystem locations. They said that in environments where auto-login is enabled, the arbitrary file write can be escalated into remote code execution.

“Arbitrary file write vulnerabilities are often more severe than standard unrestricted upload issues because the attacker controls not only the file contents, but also the destination path,” EQST researchers said in the POC note. “Depending on the runtime privileges of the Langflow process, this may enable overwrite of application files, modification of startup or scheduled task files, persistence through shell initialization or key files, and escalation from arbitrary file write to remote code execution.”

The vulnerability affects Langflow versions up to 1.8.4. Researchers have indicated that the issue was addressed in version 1.9.0, released April 15, 73 days after the flaw was first disclosed to the vendor. The patch logic has been applied to all subsequent releases, including the current version 1.10.0.

Langflow did not immediately respond to CSO’s request for comment.

AI orchestration platforms continue to attract attackers

The disclosure arrives amid growing attacker interest in AI infrastructure. VulnCheck confirmed that CVE-2026-5027 is already being exploited, with observed activity including attempts to drop files onto vulnerable systems. Public exploit code has further lowered the barrier for opportunistic attackers.

Exploitation of CVE-2026-5027 has been linked to the Iranian state-sponsored group known as MuddyWater.

Sherlock said many organizations have unknowingly expanded their attack surface through rapidly deployed AI tooling. “Through 2025, teams everywhere stood up Langflow, Flowise, n8n, Dify, and similar low-code tools to prototype agents and LLM workflows,” he added. “These deployments rarely got the hardening a production web app would. They run with default authentication settings and sit on public IPs because someone needed to demo a flow to a stakeholder, and nobody owns patching them.”

Earlier this year, threat actors exploited another critical Langflow RCE shortly after its disclosure. More recently, researchers uncovered a severe bug affecting Flowise’s Model Context Protocol (MCP) implementation that allowed RCE through crafted configurations.
