Emerging Threats

Langflow Vulnerability Exploited for Unauthenticated Remote Code Execution


"Because Langflow enables unauthenticated auto-login by default, no credentials are required to reach the vulnerable endpoint, and a single unauthenticated request is sufficient to obtain a valid session token before proceeding with exploitation," Caitlin Condon, vice president of security research at VulnCheck, wrote in a LinkedIn post.

CVE-2026-5027 and the POST /api/v2/files endpoint

Security researchers and vendors have identified CVE-2026-5027 — a high-severity path traversal flaw in Langflow — as allowing an attacker to write files to arbitrary locations on a host filesystem. Tenable, which discovered the bug, described the technical root cause succinctly: "The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences ('../')." Tenable assigned the issue a CVSS score of 8.8.
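The unsanitized-filename pattern Tenable describes, shown here as an added Python illustration that is not Langflow's code: one helper joins the client-supplied multipart filename straight onto the upload root (the bug class), and a hardened helper restricts the name to a single, conservatively spelled path component and re-checks the resolved destination. The upload root (a fresh temporary directory), the function names and the sample filenames are assumptions for the example.

```python
import os
import re
import tempfile
from pathlib import Path

# Constructed illustration, not Langflow's code: the upload root is a fresh
# temporary directory so the example runs anywhere without touching real files.
UPLOAD_ROOT = Path(tempfile.mkdtemp(prefix="uploads_")).resolve()


def vulnerable_target_path(filename: str, root: Path = UPLOAD_ROOT) -> Path:
    """Bug pattern: the client-supplied multipart filename is joined onto the
    upload root as-is, so "../" components walk out of the directory. This
    function only computes the destination; it writes nothing."""
    return Path(os.path.normpath(os.path.join(str(root), filename)))


def escapes_root(path: Path, root: Path = UPLOAD_ROOT) -> bool:
    """True when a computed destination lies outside the upload root."""
    resolved = path.resolve()
    return resolved != root and root not in resolved.parents


def safe_target_path(filename: str, root: Path = UPLOAD_ROOT) -> Path:
    """Hardened version: accept only a single, conservatively named path
    component, then re-check the resolved destination against the root."""
    if not filename or "\x00" in filename:
        raise ValueError("empty or NUL-containing filename")
    if "/" in filename or "\\" in filename:
        raise ValueError("filename must not contain path separators")
    # A leading alphanumeric rules out ".", ".." and dotfiles; the allow-list
    # rules out percent-encoded or otherwise decorated names.
    if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}", filename):
        raise ValueError("filename contains disallowed characters")
    candidate = (root / filename).resolve()
    if candidate.parent != root:  # defence in depth after the checks above
        raise ValueError("destination escapes upload root")
    return candidate


def accepts(filename: str, root: Path = UPLOAD_ROOT) -> bool:
    """Convenience predicate: does the hardened validator accept this name?"""
    try:
        safe_target_path(filename, root)
        return True
    except ValueError:
        return False


def save_upload(filename: str, data: bytes, root: Path = UPLOAD_ROOT) -> Path:
    """Write an upload through the hardened path and return where it landed."""
    dest = safe_target_path(filename, root)
    dest.write_bytes(data)
    return dest


if __name__ == "__main__":
    for name in ("report.txt", "../../../tmp/test.txt"):
        computed = vulnerable_target_path(name)
        print(f"{name!r}: naive join -> {computed} "
              f"(escapes root: {escapes_root(computed)}); "
              f"hardened validator accepts: {accepts(name)}")
```

The hardened version rejects rather than silently normalises a suspicious name, so a rejected upload can be logged as an attempt; the final `candidate.parent != root` check is redundant given the character allow-list but keeps the write safe if the earlier checks are ever loosened.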

Unauthenticated remote code execution, according to VulnCheck

VulnCheck reported active exploitation in the wild and characterized the weakness as enabling remote code execution. Caitlin Condon highlighted a critical operational detail: Langflow's default unauthenticated auto-login means an adversary can reach the vulnerable endpoint without credentials, obtain a valid session token from a single request, and proceed with exploitation. So far, publicly observed exploit attempts appear to have been used to write test files on victim systems rather than to deploy more complex payloads.

Disclosure timeline and maintainer notification

Tenable said it attempted to contact Langflow project maintainers three times during January and February 2026 before publicly disclosing details of the issue on March 27. The public disclosure thus followed Tenable's own discovery of the bug and those repeated outreach attempts to the project's maintainers.

Scale of exposure: about 7,000 instances visible to Censys

Internet scan data reported by Censys shows roughly 7,000 Langflow instances publicly exposed on the internet, with a majority located in North America. That footprint — combined with an unauthenticated default and a file-write path traversal — creates many targets reachable without credentials.

Related Langflow exploit activity and state-linked weaponization

Researchers note this exploitation episode is the latest in a string of activity targeting Langflow this year. VulnCheck listed previous tracked vulnerabilities including CVE-2026-0770, CVE-2026-33017, CVE-2026-21445, and CVE-2025-34291. The latter, CVE-2025-34291, has been weaponized by the Iranian state-sponsored group known as MuddyWater. "The activity underscores a growing trend of attackers targeting the infrastructure and tooling that organizations use to build and deploy AI applications," VulnCheck said in a statement shared with The Hacker News.

What this means for technologists, open-source maintainers, and affected enterprises

  • Technologists and security teams: will likely need to identify and inventory exposed Langflow instances (Censys reports ~7,000 internet-visible hosts) and monitor for signs of file writes or unauthorized sessions, given the unauthenticated auto-login behavior described by VulnCheck.
  • Open-source maintainers: should take note of the disclosure timeline Tenable reported — three contact attempts in January–February before public disclosure on March 27 — and be prepared to respond to coordinated vulnerability reports and exploit telemetry.
  • Affected enterprises and procurement leaders: must account for Langflow instances in their environments and recognize that tooling used to build and deploy AI applications is being actively targeted, per VulnCheck’s statement to The Hacker News.
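For the monitoring the list above calls for, an added example in Python that is not VulnCheck's, Censys's or Langflow's tooling: a small scanner that parses upload records for the /api/v2/files endpoint, pulls out the multipart filename and flags names containing a standalone ".." path component, percent-decoding first so encoded variants are not missed. The log records are constructed, and the key=value record format with `src`, `path` and `filename` fields is an assumption.

```python
import re
from urllib.parse import unquote

# Constructed sample records (not real telemetry): one line per upload request
# as a reverse proxy might log it, with the multipart filename field included.
SAMPLE_RECORDS = [
    'src=203.0.113.5 path=/api/v2/files filename="report.txt"',
    'src=198.51.100.9 path=/api/v2/files filename="../../../tmp/test.txt"',
    'src=198.51.100.9 path=/api/v2/files filename="..%2F..%2Fetc%2Fcron.d%2Ftest"',
    'src=203.0.113.7 path=/api/v1/flows filename="flow.json"',
    'src=203.0.113.8 path=/api/v2/files filename="notes..txt"',
]

# key=value pairs; values may be double-quoted (group 3 holds the quoted content).
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# A ".." that stands alone as a path component, in either separator style.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def parse_record(record: str) -> dict:
    """Turn a key=value line into a dict; quoted values keep their content."""
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(record):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def is_traversal(filename: str) -> bool:
    """True when the (decoded) filename contains a '..' path component.
    Decoding twice catches double percent-encoding; 'notes..txt' is not flagged."""
    decoded = unquote(unquote(filename))
    return bool(TRAVERSAL_RE.search(decoded))


def find_traversal_attempts(records, endpoint: str = "/api/v2/files") -> list:
    """Return one dict per record whose upload filename looks like traversal
    against the given endpoint, ready to be raised as an alert."""
    hits = []
    for line in records:
        fields = parse_record(line)
        if fields.get("path") != endpoint:
            continue
        name = fields.get("filename")
        if name is not None and is_traversal(name):
            hits.append({"src": fields.get("src"), "path": fields["path"],
                         "filename": name})
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_RECORDS):
        print(f"ALERT traversal in upload filename from {hit['src']}: {hit['filename']!r}")
```

Two hits from the same source in the constructed data is the shape of what VulnCheck describes (test-file writes); in production the same predicate would be applied to proxy or WAF logs and correlated with new files appearing outside the Langflow upload directory.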

The record in this reporting is straightforward: a high-severity path traversal (CVE-2026-5027, CVSS 8.8) in Langflow’s file upload endpoint, an unauthenticated default that lowers the bar for attackers, evidence of active exploitation writing test files, and a sizable internet-exposed population of instances. The combination — broad exposure, a simple traversal vector using "../", and an unauthenticated path to a valid session token — explains why researchers are treating the issue as urgent.

Original story: The Hacker News