CVE-2026-5027 – Langflow
CVSS 8.8
IMPORTANT
High with EoP or RCE – Expedited Deployment
“A file upload feature becomes dangerous when attackers can choose where files land.”
Langflow patched CVE-2026-5027 in the POST /api/v2/files endpoint. The endpoint did not properly sanitize the filename parameter in multipart form data, allowing attackers to use path traversal sequences to write files to arbitrary locations on the filesystem. The CVSS score is 8.8, which is High severity.
This vulnerability can lead to unauthorized file writes and privilege-related abuse on affected systems. No verified exploitation, zero-day activity, or public proof-of-concept activity has been confirmed.
Key Details
- Attack Vector
- Network
- Attack Complexity
- Low
- Privileges Required
- Low
- User Interaction
- None
- CWE Classification
- CWE-22
Patch this CVE on all your endpoints in under 5 minutes.
First 200 endpoints are free forever, scale as needed.