"Because Langflow enables unauthenticated auto-login by default, no credentials are required to reach the vulnerable endpoint, and a single unauthenticated request is sufficient to obtain a valid session token before proceeding with exploitation," VulnCheck security researcher Caitlin Condon wrote on LinkedIn.
CVE-2026-5027: a path traversal that writes arbitrary files
Security firm Tenable identified CVE-2026-5027 as a high-severity path traversal vulnerability in the AI development platform Langflow. "The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences ('../')," Tenable explained. The flaw exists in Langflow's file upload functionality and stems from a failure to properly sanitize user-supplied filenames.
Active exploitation detected by honeypots and scanners
VulnCheck's Caitlin Condon reported that their honeypots have detected attackers exploiting CVE-2026-5027 to drop test files on vulnerable instances. The observation follows a pattern of recent activity: Condon said exploitation of this defect comes after similar activity that targeted earlier Langflow issues this year — CVE-2026-0770, CVE-2026-21445, and CVE-2026-33017. Condon also noted that VulnCheck continues to observe activity related to CVE-2025-3248, an issue CISA warned about last year, including activity linked to the Iranian threat group MuddyWater.
Scope: popularity on GitHub and publicly exposed instances
Langflow is an open-source visual platform used to build AI applications, agents, Retrieval-Augmented Generation systems, and MCP-based workflows with a drag-and-drop interface instead of traditional coding. The project has accumulated more than 149,000 stars and 9,200 forks on GitHub, reflecting broad interest and adoption among AI development teams.
Scanning data adds another dimension to the risk. Condon reported that Censys scans identified roughly 7,000 publicly exposed Langflow instances. She cautioned that Censys includes historical scan results from the previous 12 months and therefore the number may not reflect the current count of exposed systems, but the figure illustrates the potential scale of reachable targets when a default configuration permits unauthenticated access.
Patches, timelines, and maintainer response
Tenable discovered the flaw at the start of the year and said it publicly disclosed CVE-2026-5027 on March 27, 2026, after more than two months passed since the initial report to the Langflow team without a response. Snyk Security reported on March 30, 2026, that the issue was fixed in the langflow-base package version 0.8.3 and that the Langflow application itself received a patch in version 1.9.0. Users are now recommended to upgrade to the latest release, version 1.10.0, which was published earlier today.
What this means for AI development teams and security teams
- AI development teams: Projects that run Langflow instances — particularly those left internet-accessible with default settings — face a direct risk because the application can allow unauthenticated access. A single unauthenticated request can yield a valid session token, enabling file-write attacks without credentials.
- Security teams: The combination of a high-severity path traversal and exposed instances means monitoring and rapid patch management are priorities. VulnCheck's honeypot data showing active exploitation underscores that detection and containment play out in real time.
The technical facts in this episode are stark: a well-defined file upload weakness; default unauthenticated behavior that lowers the bar for attackers; evidence of active exploitation from honeypots; and a nontrivial footprint of publicly reachable instances. Langflow maintainers and downstream operators moved through a sequence of patch releases — langflow-base 0.8.3, Langflow 1.9.0, and now 1.10.0 — but the window between discovery and public disclosure, coupled with the persistence of exposed instances, left time for exploitation.
For teams running Langflow, the immediate action is unambiguous in the public record: upgrade to Langflow 1.10.0. For defenders and observers, the episode raises a practical question the facts do not yet answer: how many of the roughly 7,000 historically exposed instances remain reachable and vulnerable today despite the available patches?
