VYPR
research · Published Jun 10, 2026 · 1 source

Unpatched Langflow Flaw CVE-2026-5027 Exploited for Unauthenticated RCE

A critical path traversal vulnerability in the open-source Langflow AI application platform, CVE-2026-5027, is being actively exploited, allowing unauthenticated attackers to write files to arbitrary locations and potentially achieve remote code execution.

A critical security flaw in the open-source Langflow platform, used for building AI applications, is currently being exploited in the wild. The vulnerability, identified as CVE-2026-5027, carries a CVSS score of 8.8 and allows attackers to perform path traversal, enabling them to write files to arbitrary locations on the server.

The vulnerability resides in the '/api/v2/files' endpoint, which fails to properly sanitize the 'filename' parameter within multipart form data. This oversight permits attackers to use directory traversal sequences, such as '../', to write files to unintended locations on the filesystem. The discovery was made by Tenable, who reported attempting to contact the Langflow project maintainers multiple times in early 2026 before disclosing the vulnerability details in March.
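The defect this paragraph describes, as an added example that is not Langflow's own code: the flawed pattern of joining a client-supplied multipart filename onto an upload directory, beside a confined version, plus a request-filter predicate a proxy or WAF can apply to the Content-Disposition filename before the handler sees it. UPLOAD_ROOT and the sample filenames are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

UPLOAD_ROOT = "/srv/app/uploads"  # assumed upload directory (constructed)


def unsafe_target(filename: str) -> str:
    """Flawed pattern: the filename is joined onto the root unchanged,
    so '../' segments walk the write target out of the upload directory."""
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, filename))


def safe_target(filename: str) -> str:
    """Hardened form: keep only the last path component, then verify the
    normalised result still lies under UPLOAD_ROOT (defence in depth)."""
    base = posixpath.basename(filename.replace("\\", "/"))
    if base in ("", ".", ".."):
        raise ValueError("empty or invalid filename")
    target = posixpath.normpath(posixpath.join(UPLOAD_ROOT, base))
    if posixpath.commonpath([UPLOAD_ROOT, target]) != UPLOAD_ROOT:
        raise ValueError("filename escapes upload root")
    return target


# A '..' segment delimited by a slash, backslash, or string boundary;
# 'my..file.txt' is not flagged, which keeps false positives down.
_TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def looks_like_traversal(filename: str) -> bool:
    """Request-filter check: percent-decode twice so single and double
    encoded sequences are both seen, then flag '..' segments, absolute
    paths and embedded NULs, none of which a legitimate upload name needs."""
    decoded = unquote(unquote(filename))
    if "\x00" in decoded or decoded.startswith(("/", "\\")):
        return True
    return bool(_TRAVERSAL.search(decoded))
```

The predicate is suitable for logging or blocking at the edge; the containment check in `safe_target` is the fix that belongs in the handler itself.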

According to VulnCheck's security research vice president, Caitlin Condon, the flaw can be leveraged for remote code execution. A significant factor exacerbating the risk is Langflow's default configuration, which enables unauthenticated auto-login. This means attackers do not need any credentials to access the vulnerable endpoint. A single unauthenticated request is sufficient to obtain a valid session token, paving the way for exploitation.

Initial exploitation efforts observed by researchers have focused on weaponizing the bug to write test files onto victim systems. Data from Censys indicates that approximately 7,000 Langflow instances are exposed to the internet, with a substantial portion located in North America. This widespread exposure increases the potential attack surface.

The exploitation of CVE-2026-5027 follows a series of other security incidents targeting Langflow this year. Previously identified vulnerabilities, including CVE-2026-0770, CVE-2026-33017, CVE-2026-21445, and CVE-2025-34291, have also affected the platform. Notably, CVE-2025-34291 was previously weaponized by the Iranian state-sponsored threat group MuddyWater.

This ongoing trend of exploitation highlights a growing concern within the cybersecurity community: attackers are increasingly targeting the infrastructure and tools that organizations rely on for developing and deploying AI applications. As AI adoption accelerates, the security of these foundational platforms becomes paramount.

As of the latest reports, the CVE-2026-5027 vulnerability remains unpatched, posing a significant and immediate risk to all users of the Langflow platform. Organizations utilizing Langflow are strongly advised to monitor for any signs of compromise and to apply patches as soon as they become available. The lack of a patch means that publicly exposed instances are particularly vulnerable to attack.

Synthesized by Vypr AI