Attackers are exploiting CVE-2026-5027, a path traversal bug in the popular open-source AI builder Langflow, to write arbitrary files on exposed servers. Because Langflow ships with unauthenticated auto-login enabled by default, a single request is enough to reach the vulnerable endpoint. Roughly 7,000 instances have been seen publicly exposed.

A path traversal vulnerability in Langflow, one of the most widely used open-source platforms for building AI applications, is now under active exploitation. Tracked as CVE-2026-5027, the high-severity flaw lets attackers write arbitrary files to exposed servers, and the conditions for abuse are about as low-friction as they get.
Langflow is a visual, drag-and-drop platform for building AI agents, Retrieval-Augmented Generation (RAG) pipelines, and MCP-based workflows without writing traditional code. The project has racked up more than 149,000 stars and 9,200 forks on GitHub, which gives you a sense of how deeply it's embedded in AI development teams. That popularity is exactly why a file-write primitive in its upload handler matters so much.
What the flaw actually does
The vulnerability lives in Langflow's file upload functionality, specifically the POST /api/v2/files endpoint. The handler accepts a filename parameter from multipart form data but never sanitizes it. That means an attacker can embed path traversal sequences (../) in the filename and direct the upload to write outside the intended directory, landing files anywhere the Langflow process has permission to write.
"The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences ('../')," explained Tenable, which discovered the bug at the start of the year.
Arbitrary file write is one of those primitives that rarely stays contained. Depending on where the process can write, it opens paths to overwriting configuration, planting startup scripts, or dropping a web-accessible payload that leads to code execution. It's the kind of bug that turns a single exposed dashboard into a foothold.
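
As an added illustration (not Langflow's code or its actual patch), the sketch below contrasts joining a client-supplied multipart filename to a storage directory as-is with a handler that keeps only the final name component and checks that the resolved path stays inside that directory. The function names, the exception class and the directory are hypothetical.

```python
import tempfile
from pathlib import Path


class UnsafeFilename(ValueError):
    """Raised when a client-supplied filename cannot be stored safely."""


def naive_target(upload_root: Path, filename: str) -> Path:
    # The pattern the advisory describes: the multipart filename is joined
    # to the storage directory unchanged, so "../" segments climb out of it.
    return (upload_root / filename).resolve()


def safe_target(upload_root: Path, filename: str) -> Path:
    """Return a path inside upload_root for filename, or raise UnsafeFilename."""
    root = upload_root.resolve()
    # Treat both separator styles as separators and keep only the last
    # component, so no directory part of the client value is honoured.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if name in ("", ".", "..") or "\x00" in name:
        raise UnsafeFilename(repr(filename))
    candidate = (root / name).resolve()
    # Containment check after resolution; this also catches a symlink
    # already sitting at the target name that points outside the root.
    if not candidate.is_relative_to(root):
        raise UnsafeFilename(repr(filename))
    return candidate


if __name__ == "__main__":
    root = Path(tempfile.mkdtemp()).resolve()  # stand-in for the upload directory
    for supplied in ("report.pdf", "../../outside.txt", ".."):
        try:
            print(f"{supplied!r}: naive={naive_target(root, supplied)} "
                  f"safe={safe_target(root, supplied)}")
        except UnsafeFilename as exc:
            print(f"{supplied!r}: rejected ({exc})")
```

The containment check uses `Path.is_relative_to`, which requires Python 3.9 or later.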
The auto-login problem makes it worse
The detail that elevates this from serious to urgent is how Langflow handles authentication out of the box. By default, the platform enables unauthenticated auto-login, so reaching the vulnerable endpoint requires no credentials at all.
"Because Langflow enables unauthenticated auto-login by default, no credentials are required to reach the vulnerable endpoint, and a single unauthenticated request is sufficient to obtain a valid session token before proceeding with exploitation," wrote VulnCheck security researcher Caitlin Condon in a post on LinkedIn.
Condon reported that VulnCheck honeypots have already caught attackers dropping test files on vulnerable instances, the classic reconnaissance step before more serious payloads follow. Censys scans turned up roughly 7,000 publicly exposed Langflow instances, though that figure folds in historical scan data from the previous 12 months and likely overstates what's exposed right now. Even discounted heavily, it points to a meaningful population of reachable targets.

A rocky disclosure timeline
The path from discovery to patch was not smooth. Tenable reported the issue to the Langflow team and, after more than two months without a response, publicly disclosed it on March 27, 2026. Tenable's advisory did not point to a fix.
Snyk filled in that gap on March 30, 2026, reporting that the underlying issue was resolved in the langflow-base package version 0.8.3, with the Langflow application itself patched in version 1.9.0. If you're running anything older than those releases, treat your instance as vulnerable.
This is also not Langflow's first brush with active exploitation. The current activity follows attacks earlier this year against CVE-2026-0770, CVE-2026-21445, and CVE-2026-33017. Going back further, CISA warned last year about exploitation of CVE-2025-3248, and Condon notes VulnCheck still sees activity tied to that flaw, including operations linked to the Iranian threat group MuddyWater. A pattern like this suggests Langflow has become a recurring target rather than a one-off.
What to do now
The direct fix is to upgrade. Langflow published version 1.10.0 earlier today, and users should move to it rather than chasing the minimum patched release. Practical steps to take alongside the upgrade:
- Disable unauthenticated auto-login. If your deployment exposes Langflow beyond a trusted network, the default auto-login setting is doing attackers a favor. Require real authentication.
- Get instances off the public internet. A platform meant for internal AI development rarely needs to be directly reachable. Put it behind a VPN, reverse proxy with auth, or network controls.
- Hunt for indicators. Since attackers are already dropping test files, review your filesystem for unexpected writes outside Langflow's normal data directories and audit the application logs for suspicious /api/v2/files requests.
- Constrain process permissions. Running Langflow with the least filesystem privilege it needs limits where an arbitrary write can land.
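
For the log-audit step above, an added example (not from Langflow or the researchers quoted) that lists POST requests to the upload endpoint arriving from outside your trusted networks. It assumes a reverse proxy in front of Langflow writes combined-format access logs; the sample lines, trusted ranges and function names are constructed. Because the traversal string travels in the multipart body, access logs show who reached the endpoint and when, not the filename itself.

```python
import ipaddress
import re
from collections import Counter

# Assumption: combined-format access log from a reverse proxy in front of Langflow.
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Assumption: networks allowed to use the builder; replace with your own.
TRUSTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = """\
10.1.2.3 - - [01/Apr/2026:09:00:01 +0000] "POST /api/v2/files HTTP/1.1" 201 312 "-" "Mozilla/5.0"
203.0.113.50 - - [01/Apr/2026:09:14:22 +0000] "POST /api/v2/files HTTP/1.1" 201 298 "-" "python-requests/2.32"
203.0.113.50 - - [01/Apr/2026:09:14:25 +0000] "POST /api/v2/files/ HTTP/1.1" 201 301 "-" "python-requests/2.32"
198.51.100.7 - - [01/Apr/2026:10:02:10 +0000] "GET /api/v2/files HTTP/1.1" 200 1022 "-" "curl/8.5"
198.51.100.7 - - [01/Apr/2026:10:02:11 +0000] "POST /api/v2/files HTTP/1.1" 403 87 "-" "curl/8.5"
"""


def is_trusted(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparseable client field: treat as untrusted
    return any(addr in net for net in TRUSTED)


def untrusted_uploads(log_text: str) -> list[dict]:
    """POSTs to the upload endpoint from outside TRUSTED, with their outcome."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0].rstrip("/")
        if path != "/api/v2/files" or is_trusted(m["ip"]):
            continue
        hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                     "accepted": m["status"].startswith("2")})
    return hits


def accepted_by_source(hits: list[dict]) -> Counter:
    """Count 2xx uploads per untrusted source; these are the ones to triage first."""
    return Counter(h["ip"] for h in hits if h["accepted"])
```

Use the timestamps of accepted requests as the starting window for the filesystem review described in the same step.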
The broader lesson here goes beyond one CVE. AI development tooling is maturing fast, and a lot of it ships with convenience defaults, like passwordless auto-login, that made sense for a laptop prototype and make no sense on an internet-facing server. As these platforms move from experiments into production, the security assumptions baked into their defaults deserve the same scrutiny you'd give any other exposed web application. Treat your AI build infrastructure as part of your attack surface, because attackers already do.

