Impact
Prior to version 1.9.2, an attacker who can supply a file that is processed by Langflow’s Retrieval‑Augmented Generation (RAG) pipeline can make a BaseFileComponent node read any file on the host by specifying an absolute path. This flaw allows unauthorized disclosure of arbitrary files (CWE‑200) and path traversal (CWE‑61). The description does not specify how an attacker supplies such a file; it is inferred that the ability to control the file fed into the RAG pipeline—perhaps through workflow configuration or API calls—provides the necessary access to trigger the read. Reading sensitive configuration or credential files could enable further damage or remote code execution.
Affected Systems
The issue affects the Langflow platform from the vendor langflow‑ai for all releases prior to 1.9.2. Every component derived from BaseFileComponent is vulnerable, including DoclingInlineComponent, DoclingServe, DoclingRemoteComponent, FileComponent, NvidiaIngestComponent, VideoFileComponent, and UnstructuredComponent. Users running any of these components on older versions are at risk.
Risk and Exploitability
The CVSS score of 9.6 denotes critical severity. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, but the lack of a KEV mark does not reduce the risk. Attackers who can influence a file used in the RAG pipeline can direct a BaseFileComponent to read arbitrary files by providing an absolute path. The documentation does not describe whether the workflow must be created or edited via the web interface, API, or other channel, so the exact attack vector is not clear; however, in any environment where workflow files or RAG inputs are exposed, the vulnerability remains highly actionable. Once an attacker gains read access to sensitive data, further exploitation could lead to remote code execution.
OpenCVE Enrichment
Github GHSA