Medium severity6.5NVD Advisory· Published Apr 30, 2026· Updated May 11, 2026

CVE-2026-4502

Description

IBM Langflow Desktop 1.2.0 through 1.8.4 Langflow could allow an authenticated attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to write arbitrary files on the system.

Affected products

Pachno/Langflowinferred
Range: >=1.2.0,<1.8.5
Package: https://pypi.org/project/langflow
Langflow/Langflow Desktop
cpe:2.3:a:langflow:langflow_desktop:*:*:*:*:*:*:*:*
Range: >=1.2.0,<=1.8.4

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.ibm.com/support/pages/node/7271097nvdVendor Advisory

News mentions

ThreatsDay Bulletin: PAN-OS RCE, Mythos cURL Bug, AI Tokenizer Attacks, and 10+ Stories
The Hacker News · May 14, 2026
⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
The Hacker News · May 11, 2026
Metasploit Wrap-Up 04/25/2026
Rapid7 Blog · Apr 24, 2026
23rd March – Threat Intelligence Report
Check Point Research · Mar 23, 2026

cvss	0.423
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000