Langflow Vulnerable to External Control of File Name or Path
Description
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0, if an arbitrary path is specified in the request body's fs_path, the server serializes the Flow object into JSON and creates/overwrites a file at that path. There is no path restriction, normalization, or allowed directory enforcement, so absolute paths (e.g., /etc/poc.txt) are interpreted as is. Version 1.7.0 fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Langflow prior to 1.7.0 allows authenticated users to write arbitrary files to any path by specifying an absolute path in the `fs_path` parameter.
Vulnerability Overview
Langflow versions prior to 1.7.0 contain an arbitrary file write vulnerability in the flow creation endpoint. The endpoint accepts a fs_path field in the request body without any path restriction, normalization, or allowed directory enforcement. As a result, an attacker can specify an absolute path (e.g., /etc/poc.txt) and the server will serialize the Flow object into JSON and create or overwrite a file at that exact location [1][2].
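The three missing controls named above (path restriction, normalization, allowed-directory enforcement) as an added example, not Langflow's own code or its 1.7.0 fix: a request-supplied fs_path is resolved against an allowed root and the JSON is written only if the result stays inside it. FLOW_ROOT, the function names and the sample flow are assumptions constructed for this illustration.

```python
import json
import tempfile
from pathlib import Path

# Hypothetical allowed directory; the real Langflow storage location is not stated on this page.
FLOW_ROOT = Path("/var/lib/langflow/flows")


class UnsafeFlowPath(ValueError):
    """Raised when a request-supplied fs_path would land outside FLOW_ROOT."""


def resolve_flow_path(fs_path: str, root: Path = FLOW_ROOT) -> Path:
    """Map fs_path to a location strictly inside root, or raise UnsafeFlowPath.

    Absolute paths (the /etc/poc.txt case) are rejected up front; '..' segments and
    symlinks are collapsed by resolve() and the result must still sit below root.
    """
    if not fs_path or Path(fs_path).is_absolute() or fs_path.startswith(("/", "\\")):
        raise UnsafeFlowPath(f"absolute path not allowed: {fs_path!r}")
    root_resolved = root.resolve()
    candidate = (root_resolved / fs_path).resolve()
    try:
        candidate.relative_to(root_resolved)
    except ValueError:
        raise UnsafeFlowPath(f"path escapes flow directory: {fs_path!r}") from None
    if candidate == root_resolved or candidate.suffix != ".json":
        raise UnsafeFlowPath(f"flow files must be *.json below the root: {fs_path!r}")
    return candidate


def is_safe_flow_path(fs_path: str, root: Path = FLOW_ROOT) -> bool:
    """Boolean form of resolve_flow_path, usable as a request validator."""
    try:
        resolve_flow_path(fs_path, root)
        return True
    except UnsafeFlowPath:
        return False


def save_flow(flow: dict, fs_path: str, root: Path = FLOW_ROOT) -> Path:
    """Serialize the flow to JSON only after the containment check has passed."""
    target = resolve_flow_path(fs_path, root)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(json.dumps(flow, indent=2))
    return target


def demo() -> dict:
    """Write a constructed sample flow under a temporary root and read it back."""
    flow = {"name": "demo", "data": {"nodes": [], "edges": []}}  # constructed sample
    with tempfile.TemporaryDirectory() as tmp:
        return json.loads(save_flow(flow, "team/demo.json", root=Path(tmp)).read_text())
```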
Attack Vector
The vulnerability is exploitable by any authenticated user with access to the API endpoint. The endpoint requires authentication (API key or JWT), but after authentication there are no further controls on the file path. An attacker can craft a request with a malicious fs_path pointing to a sensitive system file [2].
Impact
Successful exploitation allows an attacker to write arbitrary JSON content to any writable location on the filesystem. Depending on the file chosen, this could lead to privilege escalation, code execution (e.g., overwriting a cron job or an application configuration), or denial of service [1]. The impact is limited by the fact that the written content is a JSON representation of a Flow object, but the attacker controls the flow structure.
Mitigation
The issue is fixed in Langflow version 1.7.0. Users should upgrade immediately. No workarounds are mentioned [1][2]. The project is available on GitHub [3].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| langflow (PyPI) | < 1.7.1 | 1.7.1 |
Affected products
2 affected products: 1.1.2, 1.1.3, 1.1.4, … (+1 more)
- (no CPE) range: 1.1.2, 1.1.3, 1.1.4, …
- (no CPE) range: <1.7.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-f43r-cc68-gpx4 (GHSA, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-68478 (GHSA, ADVISORY)
- github.com/langflow-ai/langflow/security/advisories/GHSA-f43r-cc68-gpx4 (GHSA, x_refsource_CONFIRM, WEB)
News mentions
No linked articles in our index yet.