A critical path traversal vulnerability in Langflow, tracked as CVE-2026-5027 with a CVSS v3 score of 8.8, is being actively exploited in the wild, researchers have confirmed. Attackers are leveraging the flaw — which exists in the application’s file upload endpoint — to write arbitrary files to the server filesystem and achieve remote code execution (RCE). With no official vendor patch currently available, organizations running exposed Langflow instances are at immediate risk.
What Is the Vulnerability?
The vulnerability resides in the POST /api/v2/files endpoint of Langflow, an open-source tool widely used to build and deploy AI-driven workflows. The filename parameter extracted from multipart form data submitted to this endpoint is not properly sanitized before being used in filesystem operations. An attacker can inject path traversal sequences such as ../ within the filename to redirect file writes outside the intended upload directory.
In practice, this allows a remote attacker with minimal privileges to overwrite sensitive files on the server — including web application files, configuration files, or scheduled scripts — and potentially insert malicious code. Since no user interaction is required and the attack vector is network-accessible, the exploitation barrier is extremely low.
Active Exploitation Confirmed
The vulnerability was discovered and responsibly disclosed by researcher Joshua Martinelle. Initial disclosure attempts began on January 20, 2026, with follow-up communications on January 27 and February 4. Despite multiple attempts, the Langflow vendor did not respond within the expected timeframe. A final notice was issued on March 23, 2026, and the advisory was publicly released on March 27, 2026 via Tenable’s security research team (TRA-2026-26).
Since public disclosure, threat intelligence teams and exploit tracking services have confirmed that attackers are actively scanning for and exploiting exposed Langflow instances. VulnCheck-linked threat intelligence indicates that exploitation for remote code execution is already occurring against internet-facing deployments. The combination of a public advisory, low exploitation complexity, and no official patch makes this a high-urgency situation for defenders.
Why This Matters for AI Security
Langflow is used extensively in enterprise and research environments to orchestrate AI agent workflows, integrate large language models with external tools, and build production AI pipelines. Many organizations expose Langflow interfaces to internal networks or, in some cases, directly to the internet. A successful exploitation of CVE-2026-5027 could allow attackers to:
- Execute arbitrary code on the Langflow server with the permissions of the application process
- Gain initial access to internal AI infrastructure and model deployment environments
- Pivot laterally to connected systems and data stores
- Exfiltrate sensitive data processed by AI workflows, including credentials, API keys, or proprietary model configurations
- Chain the vulnerability with privilege escalation flaws to achieve deeper system compromise
This disclosure also highlights a growing concern in the AI tooling ecosystem: rapidly adopted open-source frameworks often lack mature security disclosure and patching processes, creating dangerous windows of exposure.
Mitigation Steps
Since no official patch has been released, organizations must apply defensive measures immediately:
- Restrict network access to the Langflow interface — do not expose it to the public internet
- Implement Web Application Firewall (WAF) rules to detect and block requests containing path traversal sequences in file upload parameters
- Audit logs for POST requests to
/api/v2/fileswith suspicious filenames containing../,%2F, or encoded variants - Monitor the filesystem for unexpected file writes outside the designated upload directory
- Apply least-privilege principles to the Langflow process account to limit the impact of a successful exploit
- Follow Tenable advisory TRA-2026-26 and the official Langflow repository for patch announcements
Security teams should treat any internet-accessible Langflow instance as compromised until mitigations are confirmed. Given the active exploitation timeline, threat hunting in existing deployments is strongly advised.