Description
Langflow is a tool for building and deploying AI-powered agents and workflows. Versions 1.2.0 through 1.8.1 have a bypass of the patch for CVE-2025-68478 (External Control of File Name), leading to the root architectural issue within `LocalStorageService` remaining unresolved. Because the underlying storage layer lacks boundary containment checks, the system relies entirely on the HTTP-layer `ValidatedFileName` dependency. This defense-in-depth failure leaves the `POST /api/v2/files/` endpoint vulnerable to Arbitrary File Write. The multipart upload filename bypasses the path-parameter guard, allowing authenticated attackers to write files anywhere on the host system, leading to Remote Code Execution (RCE). Version 1.9.0 contains an updated fix.
Published: 2026-03-24
Score: 10 Critical
EPSS: 1.4% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an arbitrary file write flaw in the POST /api/v2/files/ endpoint. Because the underlying storage layer lacks boundary containment checks, an authenticated attacker can supply a multipart file upload with a crafted filename that bypasses the HTTP-layer validation. This allows the attacker to write files to any location on the host system. Writing malicious executable scripts or reverse shells grants the attacker full control over the server, compromising confidentiality, integrity, and availability.

Affected Systems

The affected vendor is langflow-ai and its Langflow product. Versions 1.2.0 through 1.8.1 are vulnerable. The issue was fixed in version 1.9.0, which adds proper boundary checks for file names and removes the vulnerable functionality.

Risk and Exploitability

The CVSS score of 10 indicates a critical flaw that could allow an attacker with authenticated API access to write files to arbitrary paths on the host. The EPSS score of 1% suggests that the probability of public exploitation is currently low, but the potential impact is severe. The vulnerability is not listed in the CISA KEV catalog, indicating that it has not yet been observed in known exploited incidents. Based on the description, it is inferred that the attacker must have an authenticated session to use the /api/v2/files/ endpoint, so the attack is likely limited to compromised user accounts or internal insiders. Once a file is written, installing executable scripts such as reverse shells would give the attacker full control over the system. The bypass of the earlier patch for CVE-2025-68478 suggests that the architectural issue in LocalStorageService is still unresolved, pointing to a design flaw that could complicate future remediation.

Generated by OpenCVE AI on June 18, 2026 at 09:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Langflow to version 1.9.0 or newer, which implements proper boundary checks for filenames, directly fixing the CWE-22 (Path Traversal) and CWE-73 (External Control of File Name or Path) weaknesses.
  • Restrict the POST /api/v2/files/ endpoint to privileged administrative roles only, mitigating the CWE-284 (Improper Access Control) flaw and reducing the attack surface for file uploads.
  • Implement server‑side filename validation that normalises and sanitises paths before storage, preventing traversal and ensuring writes are confined to designated directories, addressing CWE-22 and CWE-73.
  • Verify that any code or scripts generated by the application are not executed automatically, or are reviewed before deployment, mitigating CWE-94 (Improper Control of Generation of Code).

Generated by OpenCVE AI on June 18, 2026 at 09:56 UTC.
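
A storage-layer containment check of the kind the description and the third recommended action call for, as an added example (not Langflow's code and not its 1.9.0 fix). `ContainedStorage`, `resolve_path`, `save_file` and the sample file names are hypothetical and constructed; the point is that the check lives in the storage class, so it also covers a caller whose multipart filename never passed through an HTTP-layer validator.

```python
import tempfile
from pathlib import Path


class PathEscapeError(ValueError):
    """Raised when a requested path resolves outside the storage root."""


class ContainedStorage:
    """Hypothetical storage service; names are illustrative, not Langflow's."""

    def __init__(self, root: str) -> None:
        self.root = Path(root).resolve()

    def resolve_path(self, namespace: str, file_name: str) -> Path:
        for part in (namespace, file_name):
            if not part or "\x00" in part:
                raise PathEscapeError(f"invalid path component: {part!r}")
        base = (self.root / namespace).resolve()
        # resolve() collapses ".." and follows symlinks, so the comparison
        # is made on the location the write would really land in.
        target = (base / file_name).resolve()
        if base == self.root or not base.is_relative_to(self.root):
            raise PathEscapeError(f"namespace escapes root: {namespace!r}")
        if target == base or not target.is_relative_to(base):
            raise PathEscapeError(f"file name escapes namespace: {file_name!r}")
        return target

    def save_file(self, namespace: str, file_name: str, data: bytes) -> Path:
        target = self.resolve_path(namespace, file_name)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
        return target


def demo() -> dict:
    # Constructed file names, as an upload handler might pass them through.
    names = ["report.txt", "sub/report.txt", "../outside.txt",
             "/tmp/outside.txt", "a/../../outside.txt"]
    results = {}
    with tempfile.TemporaryDirectory() as root:
        store = ContainedStorage(root)
        for name in names:
            try:
                store.save_file("user-1", name, b"constructed sample")
                results[name] = "stored"
            except PathEscapeError:
                results[name] = "rejected"
    return results
```
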

Advisories
Source | ID | Title
Github GHSA | GHSA-g2j9-7rj2-gm6c | Langflow has an Arbitrary File Write (RCE) via v2 API

History

Tue, 24 Mar 2026 19:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Langflow; Langflow langflow
CPEs | | cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*
Vendors & Products | | Langflow; Langflow langflow

Tue, 24 Mar 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 13:00:00 +0000

Type | Values Removed | Values Added
Description | | (same text as the Description at the top of this page)
Title | | Langflow has an Arbitrary File Write (RCE) via v2 API
Weaknesses | | CWE-22, CWE-284, CWE-73, CWE-94
References | |
Metrics | | cvssV3_1: {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T03:55:47.098Z

Reserved: 2026-03-18T21:23:36.675Z

Link: CVE-2026-33309

Vulnrichment

Updated: 2026-03-24T17:47:08.500Z

NVD

Status: Analyzed

Published: 2026-03-24T13:16:02.983

Modified: 2026-06-17T10:37:17.890

Link: CVE-2026-33309

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T10:00:16Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • CWE-284

    Improper Access Control

  • CWE-73

    External Control of File Name or Path

  • CWE-94

    Improper Control of Generation of Code ('Code Injection')