Unrated severity · NVD Advisory · Published Mar 27, 2026 · Updated Mar 27, 2026
Langflow - Path Traversal Arbitrary File Write via upload_user_file
CVE-2026-5027
Description
The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences ('../').
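A server-side check that closes this class of bug, as an added example that is not Langflow's code or its patch: the client-supplied multipart filename is rejected if it carries any path component, and the resolved destination must still sit inside the upload directory. The names `safe_upload_path`, `UnsafeFilename` and the upload root used in the demo are assumptions made for illustration.

```python
from pathlib import Path


class UnsafeFilename(ValueError):
    """Raised when a client-supplied filename could escape the upload root."""


def safe_upload_path(upload_root, filename):
    """Return the destination for `filename` inside `upload_root`, or raise."""
    if not filename or "\x00" in filename:
        raise UnsafeFilename("empty filename or embedded NUL byte")
    # Reject both separator styles regardless of host OS, so that
    # '../x', '..\\x', '/abs/x' and 'sub/x' are all refused outright.
    if "/" in filename or "\\" in filename:
        raise UnsafeFilename(f"path separator in {filename!r}")
    if filename in (".", ".."):
        raise UnsafeFilename(f"{filename!r} is not a file name")
    base = Path(upload_root).resolve()
    candidate = (base / filename).resolve()
    # Defence in depth: a symlink already present in the upload directory
    # must not redirect the write somewhere else on the filesystem.
    if candidate.parent != base:
        raise UnsafeFilename(f"{filename!r} resolves outside {base}")
    return candidate


if __name__ == "__main__":
    # Constructed sample filenames, not taken from any real request.
    samples = ["report.csv", "../../etc/cron.d/job", "..\\..\\boot.ini",
               "/etc/passwd", "..", "nested/dir.txt"]
    for name in samples:
        try:
            print("ACCEPT", safe_upload_path("/tmp/uploads-demo", name))
        except UnsafeFilename as exc:
            print("REJECT", exc)
```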
Affected products
- Range: 0
News mentions
- ⚡ Weekly Recap: Chrome 0-Day, UniFi Exploits, macOS Stealers, VPN Flaw and More · The Hacker News · Jun 15, 2026
- Critical Langflow Vulnerability Exploited to Execute Malicious Code · Cyber Security News · Jun 11, 2026
- Hackers Exploit Langflow Vulnerability for Remote Code Execution · SecurityWeek · Jun 11, 2026
- Path traversal flaw in AI dev platform Langflow exploited in attacks · BleepingComputer · Jun 10, 2026
- Langflow Vulnerability CVE-2026-5027 Exploited for Unauthenticated RCE · The Hacker News · Jun 10, 2026