Description
The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences ('../').
Published: 2026-03-27
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: Remote File Write
Action: Immediate Patch
AI Analysis

Impact

A path traversal flaw in the file upload endpoint allows an attacker to write files to any location on the host filesystem. The flaw enables creation or modification of system files, potentially allowing malicious code injection or alteration of configuration files. This violates the integrity principle and could be used to execute arbitrary code, leading to full system compromise.

Affected Systems

The vulnerability affects the Langflow product by langflow-ai. Any deployment exposing the POST /api/v2/files endpoint without proper filename sanitization is susceptible. No specific version numbers were supplied, so the impact may apply to all currently supported releases.

Risk and Exploitability

The CVSS score of 8.8 classifies the issue as high severity. EPSS data is unavailable, and absence from the KEV catalog does not preclude exploitation. The likely attack path involves sending a crafted multipart/form-data request to the upload endpoint; while authentication requirements are not explicitly stated, the lack of sanitization suggests that an attacker could leverage the flaw even with limited privileges. Exfiltration or planting of malicious files could lead to system compromise.

Generated by OpenCVE AI on March 27, 2026 at 16:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for and apply any vendor-provided patch or update for Langflow.
  • If a patch is not immediately available, configure the application to reject filenames containing traversal sequences such as "../".
  • Restrict the upload endpoint to write only within a dedicated, non-critical directory and enforce strict permissions.
  • Implement server-side logging to detect unauthorized file write attempts and alert administrators.
  • Consider disabling the file upload feature if it is not essential to the deployment.
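As an added example (not Langflow's own code, and assuming a hypothetical upload directory /var/lib/app/uploads), the following Python applies the second and third recommendations together: an allow-list check on the submitted filename, plus a resolved-path check that refuses anything that would land outside the dedicated upload directory.

```python
# Added example, not Langflow's own code: a defensive filename check for a
# multipart upload handler, mapping a client-supplied name into a dedicated
# upload directory and refusing anything that would land outside it.
import re
from pathlib import Path
from typing import Optional

# Hypothetical dedicated, non-critical upload directory (an assumption).
UPLOAD_ROOT = Path("/var/lib/app/uploads")

# Conservative allow-list: letters, digits, dot, underscore, hyphen, 1-255 chars.
_SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,255}")


def is_safe_filename(filename: str) -> bool:
    """True only for a bare file name with no path separators or NUL bytes."""
    if not filename or filename in {".", ".."}:
        return False
    if "/" in filename or "\\" in filename or "\x00" in filename:
        return False
    # fullmatch also rejects encoded forms such as '%2f', since '%' is not allowed.
    return _SAFE_NAME.fullmatch(filename) is not None


def resolve_upload_path(filename: str, root: Path = UPLOAD_ROOT) -> Optional[Path]:
    """Return the target path inside `root`, or None if the name is rejected."""
    if not is_safe_filename(filename):
        return None
    root = root.resolve()
    candidate = (root / filename).resolve()
    # Defence in depth: even if the name check were bypassed, refuse any
    # resolved path whose parent is not the upload root (covers symlink tricks).
    if candidate.parent != root:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample names as a client might submit them.
    for name in ["report.txt", "../../outside.txt", "..\\outside.txt", "a/b.txt"]:
        target = resolve_upload_path(name)
        print(f"{name!r:>22} -> {'rejected' if target is None else target}")
```

A rejected name is the point at which the server-side logging from the fourth recommendation should record the submitted value and the requesting identity.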

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | (none) | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 15:15:00 +0000

Type | Values Removed | Values Added
Description | (none) | The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences ('../').
Title | (none) | Langflow - Path Traversal Arbitrary File Write via upload_user_file
Weaknesses | (none) | CWE-22
References | (none) | (none)
Metrics | (none) | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: tenable

Published:

Updated: 2026-03-27T15:11:42.918Z

Reserved: 2026-03-27T14:51:30.515Z

Link: CVE-2026-5027

Vulnrichment

Updated: 2026-03-27T15:11:27.738Z

NVD

Status: Received

Published: 2026-03-27T15:17:04.743

Modified: 2026-03-27T15:17:04.743

Link: CVE-2026-5027

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T20:28:19Z

Weaknesses