Description
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.10.0, the "Shareable Playground" (or "Public Flows" in code) contains a potential arbitrary file-read vulnerability, depending on the exact flow configuration used. By making a flow public, public execution of the flow is allowed. The execution request can contain a list of files that gets read by Langflow and fed into the LLM. The files path can be any path supported by the storage - it can be either a local file or S3 path if supported by the local configuration This vulnerability is fixed in 1.10.0.
Published: 2026-06-23
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Langflow is a tool for building and deploying AI-powered agents and workflows. In versions before 1.10.0, its Shareable Playground feature allows a flow to be made public so that any execution request can specify files to be read and fed into the LLM. The file paths can point to any supported storage location, including local files or S3 objects, and are not strictly validated. This arbitrary file-read flaw enables an unauthenticated attacker who can trigger a public flow to extract arbitrary files, potentially exposing sensitive data. The weakness is classified as CWE-73, an arbitrary file read attack.

Affected Systems

All installations of the Langflow AI application with versions prior to 1.10.0 are affected. The vulnerability resides in the Shareable Playground (Public Flows) feature that permits users to configure flows to accept arbitrary file paths and to execute publicly without authentication, making the file read attack possible.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity. No EPSS score is available, and the issue is not listed in CISA’s KEV catalog. Attackers can exploit the flaw without authentication by configuring a flow with a publicly accessible endpoint that accepts arbitrary file paths, thereby reading sensitive data.

Generated by OpenCVE AI on June 24, 2026 at 10:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Langflow to version 1.10.0 or later.
  • Disable the Shareable Playground feature or block public execution of flows if an upgrade is not immediately possible.
  • If public execution cannot be disabled, enforce strict input validation on file paths or restrict the file system locations that can be accessed by the platform.

Generated by OpenCVE AI on June 24, 2026 at 10:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-rcjh-r59h-gq37 Langflow: Unauthenticated Shareable Playground arbitrary local or S3 file read
History

Wed, 24 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Langflow
Langflow langflow
Vendors & Products Langflow
Langflow langflow

Wed, 24 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.10.0, the "Shareable Playground" (or "Public Flows" in code) contains a potential arbitrary file-read vulnerability, depending on the exact flow configuration used. By making a flow public, public execution of the flow is allowed. The execution request can contain a list of files that gets read by Langflow and fed into the LLM. The files path can be any path supported by the storage - it can be either a local file or S3 path if supported by the local configuration This vulnerability is fixed in 1.10.0.
Title Langflow: Unauthenticated Shareable Playground arbitrary local or S3 file read
Weaknesses CWE-73
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N'}


Subscriptions

Langflow Langflow
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T14:19:11.074Z

Reserved: 2026-05-21T16:18:10.619Z

Link: CVE-2026-48520

cve-icon Vulnrichment

Updated: 2026-06-24T14:18:44.637Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:00:06Z

Weaknesses
  • CWE-73

    External Control of File Name or Path