Langflow: Unauthenticated Shareable Playground arbitrary local or S3 file read
Description
The Langflow Shareable Playground feature allows unauthenticated attackers to read arbitrary local or S3 files by sending a crafted request to the public build endpoint.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Langflow Shareable Playground feature allows unauthenticated attackers to read arbitrary local or S3 files by sending a crafted request to the public build endpoint.
Vulnerability
Langflow's Shareable Playground feature (also called Public Flows) allows unauthenticated users to execute public workflows via the /api/v1/build_public_tmp endpoint [1]. The request can include a files field listing file paths that the backend reads in LCModelComponent._get_chat_result and feeds into the LLM [2]. The paths can refer to local files or S3 storage if configured, enabling arbitrary file read depending on the flow configuration. Affected versions include all Langflow installations where the Shareable Playground is enabled.
Exploitation
An attacker needs no authentication and only network access to the Langflow API. By making a flow public, the attacker can send a POST request to /api/v1/build_public_tmp with a valid public flow ID and a files array containing arbitrary file paths (e.g., ["/etc/passwd", "s3://bucket/secret.txt"]). The Langflow backend reads the specified files and includes their content in the LLM response, which is returned to the attacker.
Impact
Successful exploitation allows an unauthenticated attacker to read any file that the Langflow service process can access, including sensitive configuration files, credentials, and data stored in local files or S3 buckets. This constitutes a high-severity information disclosure vulnerability.
Mitigation
As of the publication date (2026-06-16), no official patch has been released. Users are advised to disable the Shareable Playground feature if not required, or to restrict network access to the /api/v1/build_public_tmp endpoint to trusted users only. Monitor the vendor advisory for updated versions [1].
AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: < 1.10.0
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input validation on the `files` parameter in the unauthenticated `/api/v1/build_public_tmp` endpoint allows arbitrary file paths to be read and fed into the LLM."
Attack vector
An unauthenticated attacker who obtains a public flow ID can send a crafted POST request to `/api/v1/build_public_tmp` with a `files` JSON array containing arbitrary file paths (local filesystem or S3 URIs). The Langflow backend reads each file and feeds its content into the LLM as an image, effectively exfiltrating the file contents through the LLM response. The attack requires the flow owner to have enabled the Shareable Playground feature, making the flow publicly executable [ref_id=1][ref_id=2].
Affected code
The vulnerability resides in the Shareable Playground (Public Flows) feature. The unauthenticated endpoint `/api/v1/build_public_tmp` accepts a `files` field in the request body. This field is processed through `LCModelComponent._get_chat_result` → `to_lc_message` → `get_file_content_dicts` → `create_image_content_dict` in `langflow/src/lfx/src/lfx/utils/image.py`, which reads the specified file paths without validation.
What the fix does
The advisory does not include a published patch diff. The recommended remediation is to restrict or validate the `files` parameter accepted by the `/api/v1/build_public_tmp` endpoint so that only allowed paths (e.g., within a designated upload directory) can be read, or to remove the ability for unauthenticated users to supply arbitrary file paths in public flow executions.
Preconditions
- configThe flow owner must have enabled the Shareable Playground (Public Flows) feature on a flow.
- inputThe attacker must know or discover a valid public flow ID.
- networkThe attacker must be able to reach the `/api/v1/build_public_tmp` endpoint over the network.
Reproduction
1. Create a new flow and add a Chat Input node to it. 2. Share the flow ("Shareable Playground"). 3. Access the public link with browser developer tools open and execute the flow. 4. Find the `/api/v1/build_public_tmp` route and copy as cURL. 5. Edit the `files` JSON field to point to any file.
Generated on Jun 16, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
2News mentions
0No linked articles in our index yet.