Unpatched Langflow Vulnerability CVE-2026-5027 Exploited for Unauthenticated Remote Code Execution

Unpatched Langflow Flaw CVE-2026-5027 Exploited for Unauthenticated RCE

A high-severity unpatched security flaw in Langflow, an open-source low-code platform to build artificial intelligence (AI) applications, has come under active exploitation in the wild, according to findings from VulnCheck. The vulnerability in question is CVE-2026-5027 (CVSS score: 8.8), a case of path traversal that could allow an attacker to write files to arbitrary locations. "The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences ('../')," Tenable, which discovered the flaw, said in an alert released in late March 2026. The cybersecurity company said it attempted to contact the project maintainers three times in January and February 2026, before disclosing details of the issue on March 27. Caitlin Condon, vice president of security research at VulnCheck, said in a LinkedIn post that the vulnerability enables remote code execution. "Because Langflow enables unauthenticated auto-login by default, no credentials are required to reach the vulnerable endpoint, and a single unauthenticated request is sufficient to obtain a valid session token before proceeding with exploitation," Condon added. Exploitation efforts so far appear to weaponize the bug to write test files on victim systems. Data from Censys shows that there are about 7,000 Langflow instances publicly exposed on the internet, with a majority of them located in North America. The activity follows a flurry of exploitation activity targeting other Langflow vulnerabilities this year, including CVE-2026-0770, CVE-2026-33017, CVE-2026-21445, and CVE-2025-34291, the last of which has been weaponized by the Iranian state-sponsored group known as MuddyWater. "The activity underscores a growing trend of attackers targeting the infrastructure and tooling that organizations use to build and deploy AI applications," the company said in a statement shared with The Hacker News.

Path traversal flaw in AI dev platform Langflow exploited in attacks

Attackers are actively exploiting CVE-2026-5027, a high-severity path traversal vulnerability in the AI development platform Langflow, to write arbitrary files on exposed servers. Langflow is an open-source visual platform for building AI applications, AI agents, Retrieval-Augmented Generation (RAG) systems, and MCP-based workflows using a drag-and-drop interface instead of traditional coding. AI development teams widely use the project, and it has accumulated more than 149,000 stars and 9,200 forks on GitHub. CVE-2026-5027 is a high-severity path traversal flaw in Langflow's file upload functionality that fails to properly sanitize user-supplied filenames. "The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences ('../')," explains Tenable, which discovered the flaw at the start of the year. Tenable publicly disclosed the issue on March 27, 2026, more than two months after initially reporting it to the Langflow team without receiving a response. Although Tenable did not mention a fix in its advisory, Snyk Security reported on March 30, 2026, that the issue was fixed in the langflow-base package version 0.8.3, while the Langflow application itself received a patch in version 1.9.0. According to VulnCheck security researcher Caitlin Condon, their honeypots have now detected attackers exploiting the vulnerability to drop test files on vulnerable instances. "Because Langflow enables unauthenticated auto-login by default, no credentials are required to reach the vulnerable endpoint, and a single unauthenticated request is sufficient to obtain a valid session token before proceeding with exploitation," reads the researcher's post on LinkedIn. Condon added that Censys scans identified roughly 7,000 publicly exposed Langflow instances. However, Censys data includes historical scan results from the previous 12 months and may not accurately reflect the number of systems currently exposed. Exploitation of CVE-2026-5027 comes shortly after similar activity targeting other Langflow vulnerabilities earlier this year, including CVE-2026-0770, CVE-2026-21445, and CVE-2026-33017. Last year, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) also warned about active exploitation of CVE-2025-3248, for which Condon says VulnCheck continues to observe activity, including activity linked to the Iranian threat group MuddyWater. Langflow users are recommended to upgrade to the latest release, version 1.10.0, published earlier today.