1. Executive summary
Threat actors are actively exploiting CVE-2026-5027, a high-severity (CVSS 8.8) path traversal vulnerability in the AI development platform Langflow, to write arbitrary files to exposed servers. The flaw exists in the POST /api/v2/files endpoint, which fails to sanitize user-supplied filenames, allowing unauthenticated attackers to traverse directories using ../ sequences. With Langflow enabling unauthenticated auto-login by default, no credentials are required to exploit this vector. While currently not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, active exploitation has been confirmed by honeypot data, posing an immediate risk to EMEA financial institutions deploying Langflow for RAG systems or AI agent development without network isolation.
2. Regulatory framing
| Article | Trigger (the fact in this item) | Practical impact |
|---|---|---|
| DORA Art. 17 | Active exploitation of a critical ICT asset (Langflow) requiring immediate containment. | Financial entities must activate their ICT-related incident management process to contain the arbitrary file write capability. |
| DORA Art. 18 | Exploitation of CVE-2026-5027 (CVSS 8.8) affecting confidentiality and integrity via file system access. | Entities must classify this incident based on the severity of the exposed AI platform and the potential for data exfiltration or code execution. |
| DORA Art. 19 | If the exploitation leads to a major ICT-related incident (e.g., compromise of sensitive AI models or PII). | Reporting obligations to competent authorities are triggered if the incident meets the "major" threshold defined under Art. 19. |
| DORA Art. 24 | Vulnerability in an open-source component used in production AI workflows. | Highlights the need for digital operational resilience testing to include custom or niche AI development platforms in scope. |
| DORA Art. 28 | Use of Langflow (ICT third-party provider/open source) in critical functions. | Entities must review general principles regarding ICT third-party risk, specifically regarding unpatched open-source dependencies. |
| NIS2 Art. 21(2)(d) | Supply chain risk introduced by the unpatched Langflow instance. | Operators of essential services must ensure supply chain security measures cover the validation and patching of AI development tools. |
| NIS2 Art. 23 | Confirmed active exploitation in the wild. | Incident reporting obligations are engaged if the security incident has a significant impact on service continuity or data integrity. |
| UK NIS 2018 | Exposure of OES/RDSP systems running Langflow to arbitrary file writes. | OES and RDSPs must adhere to duties regarding the security of network and information systems, including timely patching. |
3. Technical analysis & attack chain
Attack Chain
- Reconnaissance: Attacker identifies a publicly exposed Langflow instance (Censys data suggests ~7,000 historically exposed instances).
- Session Acquisition: Leveraging the default configuration of "unauthenticated auto-login," the attacker sends a request to obtain a valid session token without credentials.
- Exploitation: The attacker sends a crafted `POST` request to the `/api/v2/files` endpoint.
- Vulnerability Trigger: The request includes a multipart form data field `filename` containing path traversal sequences (e.g., `../../malicious.py`).
- Impact: The application fails to sanitize the input, writing the attacker-supplied file to an arbitrary location on the host filesystem.
Technical Specifics
- Vulnerable Component: Langflow (open-source visual platform for AI/RAG).
- Vulnerable Endpoint: `POST /api/v2/files`.
- Vulnerability Mechanism: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The `filename` parameter in the multipart form data is not sanitized, allowing the use of `../` to escape the intended upload directory.
- Authentication Context: Exploitation requires no credentials due to unauthenticated auto-login being enabled by default in affected configurations.
- Observed Impact: VulnCheck honeypots have detected attackers dropping "test files" on vulnerable instances. While current observations are limited to file writes, this primitive typically enables webshell deployment, configuration file overwrites, or library injection for remote code execution (RCE).
- Patch Status: Fixed in `langflow-base` package version 0.8.3 and Langflow application version 1.9.0. Users are advised to upgrade to version 1.10.0.
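The CWE-22 pattern described above, shown next to a contained version. This is an added example, not Langflow's code or its actual patch; the upload directory, function names and sample filenames are assumptions constructed for illustration.

```python
import os
from pathlib import Path

# Constructed values for illustration; not Langflow's real storage layout.
UPLOAD_DIR = Path("/srv/app/uploads")
SAMPLES = ["report.pdf", "../../malicious.py", "/tmp/outside.txt",
           "..\\..\\evil.py", "notes/../../x.txt", ".."]


def naive_target(upload_dir, filename):
    """CWE-22 pattern: the client-supplied name is joined unchecked."""
    return Path(os.path.normpath(upload_dir / filename))


def safe_target(upload_dir, filename):
    """Return the path to write, or raise ValueError if it is not a plain name."""
    if not filename or "\x00" in filename:
        raise ValueError("empty or NUL-containing filename")
    # Reject any directory component; backslashes count as separators too.
    name = Path(filename.replace("\\", "/")).name
    if name != filename or name in (".", ".."):
        raise ValueError(f"directory component in filename: {filename!r}")
    base = upload_dir.resolve()
    target = (base / name).resolve()
    # Containment after resolution also catches a symlink planted in the dir.
    if base not in target.parents:
        raise ValueError(f"path escapes upload directory: {filename!r}")
    return target


def compare(upload_dir=UPLOAD_DIR, names=SAMPLES):
    """Map each name to (naive path stays inside?, safe_target verdict)."""
    out = {}
    for n in names:
        inside = upload_dir in naive_target(upload_dir, n).parents
        try:
            safe_target(upload_dir, n)
            verdict = "accepted"
        except ValueError:
            verdict = "rejected"
        out[n] = (inside, verdict)
    return out


if __name__ == "__main__":
    for name, (inside, verdict) in compare().items():
        print(f"{name!r:24} naive_inside={inside!s:5} safe={verdict}")
```

Rejecting names with directory components, instead of silently stripping them, leaves a log-worthy error for each traversal attempt.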
Attribution Note
While past Langflow vulnerabilities (e.g., CVE-2025-3248) have been linked to the Iranian threat group MuddyWater, there is no confirmed attribution in the verified reference data or source material linking MuddyWater or any other specific actor to the exploitation of CVE-2026-5027 at this time. Attribution remains unconfirmed.
4. Mitigation & containment
P1: Immediate Containment (Within 24 Hours)
- Network Isolation: Immediately restrict inbound access to Langflow instances (default port 7860 or configured port) to trusted IP ranges only. Do not expose Langflow to the public internet.
- Disable Auto-Login: If patching is not immediately feasible, modify the configuration to disable "unauthenticated auto-login" to force credential verification, though this may not fully mitigate the path traversal if the endpoint remains accessible to authenticated low-privilege users.
- File System Monitoring: Deploy EDR or FIM rules to alert on file creation events in sensitive directories originating from the Langflow process user, specifically looking for extensions like `.py`, `.sh`, `.jsp`, or `.aspx`.
P2: Remediation (Within 72 Hours)
- Patch Application: Upgrade Langflow to version 1.10.0 or later.
  - If using the base package, ensure `langflow-base` is at least version 0.8.3.
  - Command (pip): `pip install --upgrade langflow==1.10.0`
  - Command (docker): Pull the latest image tag `langflowai/langflow:latest` or specifically `1.10.0`.
- Verification: Verify the version via the UI or API (`GET /api/v1/version`) to confirm the patch level.
P3: Long-term Hardening (Within 7 Days)
- Architecture Review: Ensure Langflow instances are deployed behind a WAF or API Gateway that enforces strict input validation on multipart form data.
- Supply Chain Audit: Inventory all AI development platforms and RAG systems within the environment to identify other instances of Langflow or similar unpatched open-source tools.
5. Indicators of compromise
No specific file hashes, domains, or IP addresses associated with this specific campaign were provided in the source material. The primary indicator is the network request pattern described below.
http_request POST /api/v2/files (with malformed filename parameter containing '../')
6. Detection
YARA Rule (File System/Process Memory)
This rule targets the specific API endpoint and parameter structure associated with the exploitation attempt if logged in memory or captured in a web shell scan.
```yara
rule Langflow_CVE_2026_5027_Exploit_Attempt {
    meta:
        author = "Adverse Trace"
        date = "2026-06-11"
        reference = "https://www.bleepingcomputer.com/news/security/path-traversal-flaw-in-ai-dev-platform-langflow-exploited-in-attacks/"
        description = "Detects HTTP requests attempting to exploit CVE-2026-5027 via path traversal in the filename parameter."
    strings:
        $endpoint = "POST /api/v2/files" nocase
        $param = "filename" nocase
        $traversal = "../"
        $multipart = "multipart/form-data" nocase
    condition:
        // Require every string above to be present in the scanned buffer.
        all of them
}
```
Sigma Rule (Web Server Logs)
Detects the specific URI and potential path traversal sequences in the POST body or filename field within web server logs.
```yaml
title: Langflow CVE-2026-5027 Path Traversal Attempt
# Not a valid UUID (contains non-hex characters); assign a real one before importing.
id: 9a1b2c3d-4e5f-6g7h-8i9j-0k1l2m3n4o5p
status: experimental
description: Detects exploitation attempts against Langflow CVE-2026-5027 targeting the /api/v2/files endpoint with path traversal characters.
author: Adverse Trace
date: 2026/06/11
references:
    - https://www.bleepingcomputer.com/news/security/path-traversal-flaw-in-ai-dev-platform-langflow-exploited-in-attacks/
logsource:
    category: webserver
    service: apache
    product: nginx
detection:
    selection:
        c-uri|contains: '/api/v2/files'
        # Sigma's field name for the HTTP method is cs-method.
        cs-method: 'POST'
    filter_traversal:
        c-uri|contains: '../'
    # Note: Filename parameter often appears in POST body which may require specific field mapping depending on the parser
    # If the parser captures multipart fields, look for 'filename' containing '../'
    condition: selection and filter_traversal
falsepositives:
    - Legitimate administrative testing
level: high
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2026.5027
```
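Because the `filename` field travels in the multipart body and not in the URI, a URI-only match can miss the request; where a proxy, WAF or application log retains request bodies, a check like the following can be run over them. This is an added example, not part of the original rule set; the function names and the sample requests are constructed for illustration.

```python
import re
from email.parser import BytesParser
from urllib.parse import unquote, urlsplit

ENDPOINT = "/api/v2/files"
# ".." as a whole path component, once separators are normalised.
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")


def upload_filenames(content_type, body):
    """Return every filename= value in a multipart/form-data body."""
    head = b"Content-Type: " + content_type.encode("latin-1") + b"\r\n\r\n"
    msg = BytesParser().parsebytes(head + body)
    if not msg.is_multipart():
        return []
    return [p.get_filename() for p in msg.get_payload() if p.get_filename()]


def is_traversal(filename):
    """True for a name with a '..' component or an absolute path."""
    norm = unquote(filename).replace("\\", "/")
    return norm.startswith("/") or bool(TRAVERSAL.search(norm))


def scan_request(method, target, content_type, body):
    """Flag uploads to ENDPOINT whose filename would leave the upload dir."""
    on_endpoint = urlsplit(target).path.rstrip("/") == ENDPOINT
    if method.upper() != "POST" or not on_endpoint:
        return []
    return [f for f in upload_filenames(content_type, body) if is_traversal(f)]


def form(filename, boundary="XbOuNdArY"):
    """Build a constructed one-file multipart body (sample input only)."""
    disp = f'Content-Disposition: form-data; name="file"; filename="{filename}"'
    body = (f"--{boundary}\r\n{disp}\r\nContent-Type: text/plain\r\n\r\n"
            f"hello\r\n--{boundary}--\r\n").encode()
    return f"multipart/form-data; boundary={boundary}", body


# Constructed samples: (method, request target, filename sent in the body).
SAMPLES = [("POST", "/api/v2/files", "notes.txt"),
           ("POST", "/api/v2/files", "../../malicious.py"),
           ("POST", "/api/v2/files/", "..\\..\\x.py"),
           ("POST", "/api/v1/other", "../../malicious.py")]


def run_samples():
    return [scan_request(m, t, *form(name)) for m, t, name in SAMPLES]
```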
CVE assessment
1 referenced CVE
| CVE | CVSS | Exploited | EPSS | Summary |
|---|---|---|---|---|
| CVE-2026-5027 | 8.8 High | — | 0% | The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker… |
7. Sources
- BleepingComputer, "Path traversal flaw in AI dev platform Langflow exploited in attacks", https://www.bleepingcomputer.com/news/security/path-traversal-flaw-in-ai-dev-platform-langflow-exploited-in-attacks/, 2026-06-10.
- Tenable, "CVE-2026-5027 Advisory" (Referenced via BleepingComputer), Public Disclosure 2026-03-27.
- Snyk Security, "Langflow Patch Report" (Referenced via BleepingComputer), 2026-03-30.
- VulnCheck (Caitlin Condon), "Honeypot Detection Data" (Referenced via BleepingComputer/LinkedIn), 2026-06-10.
8. Adverse Trace position
Adverse Trace assesses the severity of CVE-2026-5027 as HIGH (CVSS 8.8) with confirmed active exploitation in the wild, despite its current absence from the CISA KEV catalog. The combination of a trivial exploitation path (unauthenticated) and the widespread deployment of Langflow in experimental AI pipelines creates a significant risk of arbitrary file write and subsequent remote code execution for EMEA financial services. We recommend immediate network isolation of all Langflow instances and urgent patching to version 1.10.0. We will continue to monitor for the emergence of specific malware payloads dropped via this vector and update this advisory if attribution becomes confirmed.
Published via PulseTrace — Adverse Trace threat intelligence.