CVE-2026-5027 – Langflow

CVSS 8.8 IMPORTANT High with EoP or RCE – Expedited Deployment

“A file upload feature becomes dangerous when attackers can choose where files land.”

Langflow patched CVE-2026-5027 in the POST /api/v2/files endpoint. The endpoint did not properly sanitize the filename parameter in multipart form data, allowing attackers to use path traversal sequences to write files to arbitrary locations on the filesystem. The CVSS score is 8.8, which is High severity.

This vulnerability can lead to unauthorized file writes and privilege-related abuse on affected systems. No verified exploitation, zero-day activity, or public proof-of-concept activity has been confirmed.

Key Details

Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
CWE Classification
CWE-22
Patch this CVE on all your endpoints in under 5 minutes. First 200 endpoints are free forever, scale as needed.