Description
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.2, by controlling a files that are digested into the RAG, an attacker can direct the node to read any file on the file-system by absolute path. All components based on BaseFileComponent are vulnerable to the vulnerability. This includes Docling (DoclingInlineComponent), Docling Serve, DoclingRemoteComponent), Read File (FileComponent), NVIDIA Retriever Extraction (NvidiaIngestComponent), Video File (VideoFileComponent), and Unstructured API (UnstructuredComponent). This vulnerability is fixed in 1.9.2.
Published: 2026-06-23
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Prior to version 1.9.2, an attacker who can supply a file that is processed by Langflow’s Retrieval‑Augmented Generation (RAG) pipeline can make a BaseFileComponent node read any file on the host by specifying an absolute path. This flaw allows unauthorized disclosure of arbitrary files (CWE‑200) and path traversal (CWE‑61). The description does not specify how an attacker supplies such a file; it is inferred that the ability to control the file fed into the RAG pipeline—perhaps through workflow configuration or API calls—provides the necessary access to trigger the read. Reading sensitive configuration or credential files could enable further damage or remote code execution.

Affected Systems

The issue affects the Langflow platform from the vendor langflow‑ai for all releases prior to 1.9.2. Every component derived from BaseFileComponent is vulnerable, including DoclingInlineComponent, DoclingServe, DoclingRemoteComponent, FileComponent, NvidiaIngestComponent, VideoFileComponent, and UnstructuredComponent. Users running any of these components on older versions are at risk.

Risk and Exploitability

The CVSS score of 9.6 denotes critical severity. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, but the lack of a KEV mark does not reduce the risk. Attackers who can influence a file used in the RAG pipeline can direct a BaseFileComponent to read arbitrary files by providing an absolute path. The documentation does not describe whether the workflow must be created or edited via the web interface, API, or other channel, so the exact attack vector is not clear; however, in any environment where workflow files or RAG inputs are exposed, the vulnerability remains highly actionable. Once an attacker gains read access to sensitive data, further exploitation could lead to remote code execution.

Generated by OpenCVE AI on June 24, 2026 at 11:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Langflow to version 1.9.2 or later to receive the vendor‑issued fix for this critical flaw.
  • Limit access to workflow creation so that only trusted administrators can add or modify nodes based on BaseFileComponent.
  • If an immediate upgrade is not possible, disable or restrict the affected BaseFileComponent‑derived nodes, and ensure they cannot read paths outside a secure directory.

Generated by OpenCVE AI on June 24, 2026 at 11:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-ccv6-r384-xp75 Langflow: BaseFileComponent-based nodes arbitrary file read with RCE exploit
History

Wed, 24 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Langflow
Langflow langflow
Vendors & Products Langflow
Langflow langflow

Tue, 23 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.2, by controlling a files that are digested into the RAG, an attacker can direct the node to read any file on the file-system by absolute path. All components based on BaseFileComponent are vulnerable to the vulnerability. This includes Docling (DoclingInlineComponent), Docling Serve, DoclingRemoteComponent), Read File (FileComponent), NVIDIA Retriever Extraction (NvidiaIngestComponent), Video File (VideoFileComponent), and Unstructured API (UnstructuredComponent). This vulnerability is fixed in 1.9.2.
Title Langflow: BaseFileComponent-based nodes arbitrary file read with RCE exploit
Weaknesses CWE-200
CWE-61
References
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}


Subscriptions

Langflow Langflow
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T15:47:39.931Z

Reserved: 2026-06-16T21:59:57.018Z

Link: CVE-2026-55447

cve-icon Vulnrichment

Updated: 2026-06-24T15:47:36.939Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:00:06Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-61

    UNIX Symbolic Link (Symlink) Following