CVE-2026-5027

high

Description

The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences ('../').

References

Exploits
More

https://www.securityweek.com/hackers-exploit-langflow-vulnerability-for-remote-code-execution/

https://www.bleepingcomputer.com/news/security/path-traversal-flaw-in-ai-dev-platform-langflow-exploited-in-attacks/

https://thehackernews.com/2026/06/unpatched-langflow-flaw-cve-2026-5027.html

https://www.tenable.com/security/research/tra-2026-26

Details

Source: Mitre, NVD

Published: 2026-03-27

Updated: 2026-03-30

Risk Information

CVSS v2

Base Score: 9

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

Severity: High

CVSS v3

Base Score: 8.8

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H