Langflow Path Traversal CVE-2026-5027 Actively Exploited; Default Auto-Login Hands Attackers Unauthenticated File Write
Attackers are actively exploiting CVE-2026-5027 in Langflow, writing arbitrary files to exposed servers. Because Langflow ships with unauthenticated auto-login enabled by default, a single request reaches the vulnerable endpoint with no credentials. Roughly 7,000 instances were exposed; the fix landed in 1.9.0 and 1.10.0 is the current release.
Attackers are actively exploiting CVE-2026-5027, a high-severity path traversal vulnerability in the AI development platform Langflow, to write arbitrary files to exposed servers. VulnCheck honeypots have detected attackers dropping test files on vulnerable instances — typically a precursor to broader weaponization.
Langflow is an open-source visual platform for building AI applications, agents, RAG systems, and MCP-based workflows through a drag-and-drop interface rather than traditional code. It is widely deployed across AI development teams and has accumulated over 149,000 stars on GitHub, making the exposed-instance population a meaningful target.

The flaw
CVE-2026-5027 is a path traversal weakness in Langflow's file upload functionality, which fails to sanitize user-supplied filenames. Per Tenable, the POST /api/v2/files endpoint does not sanitize the filename parameter from the multipart form data, letting an attacker write files to arbitrary filesystem locations using path traversal sequences (../). Tenable discovered the issue early in the year and disclosed it publicly on March 27, 2026 — more than two months after its initial report to the Langflow team went unanswered.
The exploitation path is what elevates the urgency. Langflow enables unauthenticated auto-login by default, so no credentials are needed to reach the vulnerable endpoint: a single unauthenticated request yields a valid session token, and the file write follows. On a default-configured, internet-facing instance there is effectively no authentication barrier between an attacker and arbitrary file write.
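The traversal described above, as an added illustration in Python (Langflow's own language) that is not Langflow's code and does not reproduce its upload handler: a naive handler joins the client-supplied multipart filename straight onto the storage root, shown beside a hardened version that keeps only the final path component and verifies the resolved destination. The storage root UPLOAD_DIR and the sample filenames are constructed for the demo.

```python
import os
from pathlib import Path

# Hypothetical storage root for the demo; Langflow's real layout is not assumed.
UPLOAD_DIR = "/srv/langflow/uploads"


def unsafe_target(upload_dir: str, filename: str) -> str:
    """Vulnerable pattern: the filename from the multipart form is joined
    straight onto the storage root, so every '../' segment walks one level
    out of it and the attacker chooses the final location."""
    return os.path.normpath(os.path.join(upload_dir, filename))


class UnsafeFilename(ValueError):
    """Raised when a client-supplied filename must not be written."""


def safe_target(upload_dir: str, filename: str) -> str:
    """Hardened pattern: keep only the last path component, reject names
    that are empty, dot-only or contain NUL, then confirm the resolved
    destination still sits directly under the storage root."""
    root = Path(upload_dir).resolve()
    # Treat backslashes as separators too, so a Windows-style '..\\..\\x'
    # is reduced to 'x' rather than kept whole on a POSIX host.
    name = os.path.basename(filename.replace("\\", "/"))
    if name in ("", ".", "..") or "\x00" in name:
        raise UnsafeFilename(f"rejected filename {filename!r}")
    candidate = (root / name).resolve()
    # Defence in depth: a symlink planted at root/name could still redirect
    # the write, so check the resolved parent, not just a string prefix.
    if candidate.parent != root:
        raise UnsafeFilename(f"{filename!r} resolves outside {root}")
    return str(candidate)


def compare(filenames, upload_dir=UPLOAD_DIR):
    """Map each filename to (where the unsafe join would write, what the
    hardened handler does with it)."""
    out = {}
    for fn in filenames:
        try:
            verdict = safe_target(upload_dir, fn)
        except UnsafeFilename as exc:
            verdict = f"REJECTED: {exc}"
        out[fn] = (unsafe_target(upload_dir, fn), verdict)
    return out


# Constructed sample filenames. The traversal entries mimic the '../'
# sequences Tenable describes; they are not observed payloads.
SAMPLES = [
    "report.csv",
    "nested/dir/notes.txt",
    "../../../../etc/cron.d/job",
    "..\\..\\..\\Windows\\Tasks\\job.xml",
    "..",
    "",
]

if __name__ == "__main__":
    for fn, (unsafe, safe) in compare(SAMPLES).items():
        print(f"{fn!r:40} unsafe -> {unsafe}\n{'':40} safe   -> {safe}")
```

With four "../" segments the naive join climbs out of a three-level storage root and lands in /etc/cron.d, which is the attacker's choice of location; the hardened handler writes the same upload as "job" inside the root or refuses it outright. Note that basename alone is not the whole fix: the parent check catches cases where the storage root itself has been tampered with.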
Exposure and scope
Censys scans identified roughly 7,000 publicly exposed Langflow instances, though that figure draws on historical scan data from the previous 12 months and may overstate the count currently reachable. Even discounted, it is a substantial attack surface for an unauthenticated file-write primitive.
This is not Langflow's first turn under active exploitation. CVE-2026-5027 follows in-the-wild activity against CVE-2026-0770, CVE-2026-21445, and CVE-2026-33017 earlier this year. CISA previously flagged active exploitation of CVE-2025-3248, against which VulnCheck continues to observe activity — including operations linked to the Iranian threat group MuddyWater. Langflow has become a recurring target, and any internet-facing instance should be treated as a standing liability, not a one-time patch.
Patching
The flaw was fixed in the langflow-base package version 0.8.3, with the Langflow application patched in version 1.9.0. Langflow published version 1.10.0 earlier today; users should upgrade to the latest release.
Action Items
- Upgrade Langflow to 1.10.0 immediately, and confirm langflow-base is at 0.8.3 or later.
- Remove Langflow from internet exposure. If remote access is required, place it behind a VPN or authenticated reverse proxy.
- Disable unauthenticated auto-login — the default configuration is the core of this exploit chain.
- Hunt for unexpected files written outside Langflow's normal directories, and review requests to the POST /api/v2/files endpoint in logs for ../ traversal sequences. Note that a stock access log records only the request line, so the malicious filename will usually be visible only in application logs or in a proxy or WAF log that captures the multipart body.
- Treat any internet-exposed, pre-1.9.0 instance as potentially compromised given confirmed in-the-wild activity.
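A small hunting script for the log review above, added here as an example and not taken from the page's sources or from Langflow. It runs over constructed access-log lines; the trailing upload_name="..." field on some lines is an assumption standing in for a reverse proxy or WAF configured to log the multipart filename, since a plain access log shows only the request line. It flags traversal sequences through several layers of percent-encoding and, separately, marks uploads whose filename was never logged for manual review.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Constructed sample log lines (not real traffic). upload_name="..." is an
# assumed extra field from a body-logging proxy; a stock access log lacks it.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Mar/2026:14:02:11 +0000] "GET /api/v1/flows HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [27/Mar/2026:14:02:15 +0000] "POST /api/v2/files HTTP/1.1" 201 188 "-" "python-requests/2.32"
198.51.100.23 - - [27/Mar/2026:14:02:19 +0000] "POST /api/v2/files HTTP/1.1" 201 188 "-" "python-requests/2.32" upload_name="../../../../tmp/traversal_test.txt"
198.51.100.23 - - [27/Mar/2026:14:03:40 +0000] "POST /api/v2/files HTTP/1.1" 201 188 "-" "curl/8.5" upload_name="..%2f..%2f..%2fetc%2fcron.d%2fjob"
198.51.100.23 - - [27/Mar/2026:14:04:02 +0000] "POST /api/v2/files HTTP/1.1" 201 188 "-" "curl/8.5" upload_name="..%252f..%252fopt%252fx.sh"
192.0.2.9 - - [27/Mar/2026:14:05:00 +0000] "POST /api/v2/files HTTP/1.1" 201 190 "-" "Mozilla/5.0" upload_name="dataset.csv"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
NAME_RE = re.compile(r'upload_name="(?P<name>[^"]*)"')
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
UPLOAD_ENDPOINT = "/api/v2/files"


def has_traversal(value: str, max_decodes: int = 3) -> bool:
    """True if value contains '../' or '..\\' at the raw layer or after up to
    max_decodes rounds of percent-decoding (catches %2e%2e%2f and the
    double-encoded %252e%252e%252f forms a single decode would miss)."""
    current = value
    for _ in range(max_decodes + 1):
        if TRAVERSAL_RE.search(current):
            return True
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return False


def classify(line: str) -> Optional[dict]:
    """Return a finding for one log line, or None if nothing is notable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    target = m["target"]
    path = target.split("?", 1)[0]
    name_match = NAME_RE.search(line)
    name = name_match["name"] if name_match else None
    base = {"src_ip": m["ip"], "ts": m["ts"], "status": m["status"]}
    # Check both the request target and the logged filename for traversal.
    hits = [v for v in (target, name) if v and has_traversal(v)]
    if hits:
        return {**base, "verdict": "traversal", "evidence": hits[0]}
    # Upload endpoint hit with no filename captured: cannot be cleared from
    # this log alone, so queue it for review against application logs.
    if m["method"] == "POST" and path.rstrip("/") == UPLOAD_ENDPOINT and name is None:
        return {**base, "verdict": "review", "evidence": "filename not logged"}
    return None


def hunt(lines):
    """Classify every non-empty line; return the list of findings in order."""
    findings = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        result = classify(line)
        if result:
            result["line_no"] = n
            findings.append(result)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG.splitlines()):
        print(f"line {f['line_no']:>2}  {f['src_ip']:<15} {f['verdict']:<9} {f['evidence']}")
```

Run against a real log, feed the file's lines to hunt() and treat every "traversal" finding as confirmed attack traffic from that source; the "review" verdict exists because a POST to the upload endpoint with no logged filename is exactly what the endpoint looks like in a stock access log, and the only way to clear it is to correlate with the application's own logs or with files that appeared on disk.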