A path traversal bug in Langflow's file upload endpoint is being exploited in the wild, and because the platform ships with unauthenticated auto-login turned on, a single request is enough to reach it. With roughly 7,000 instances sitting on the public internet and no patch yet available, security teams need a plan that doesn't depend on a vendor fix.

Langflow, the popular open-source tool for visually wiring together AI applications, is now the subject of active attacks. VulnCheck reports that CVE-2026-5027, a high-severity path traversal flaw rated 8.8 on the CVSS scale, is being exploited in the wild against internet-facing instances. The problem is straightforward to describe and ugly to deal with: the POST /api/v2/files endpoint never sanitizes the filename field from a multipart upload, so an attacker can stuff ../ sequences into it and drop files anywhere the Langflow process can write.
That alone would be bad. What turns it into a clean unauthenticated remote code execution chain is a default setting most operators never think about.
Why one request is enough
Caitlin Condon, vice president of security research at VulnCheck, spelled out the mechanics in a LinkedIn post. "Because Langflow enables unauthenticated auto-login by default, no credentials are required to reach the vulnerable endpoint," she wrote. "A single unauthenticated request is sufficient to obtain a valid session token before proceeding with exploitation."
Read that again, because it's the part that matters operationally. There is no login wall to brute-force, no token to steal, no phishing step. The auto-login behavior that makes Langflow pleasant to run on your laptop becomes the front door when the same instance is exposed to the internet. The attacker grabs a session, posts a file with a traversal path, and writes wherever they want. From arbitrary file write to code execution is a short walk on a Python application server, whether that means dropping a malicious config, planting a file in a path that gets imported, or overwriting something the runtime trusts.
Tenable, which discovered the flaw, described the upload weakness plainly in its late-March advisory: the endpoint "does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences."
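An added illustration of the weakness Tenable describes, next to one way to contain it; this is not Langflow's code. The function names, the upload root and the filenames are hypothetical and constructed for the example.

```python
import tempfile
from pathlib import Path, PurePosixPath, PureWindowsPath

class UnsafeFilename(ValueError):
    """The client-supplied filename would not stay inside the upload root."""

def naive_upload_path(upload_root, filename):
    # Flawed pattern: the client's filename is joined as-is, so "../"
    # segments or an absolute path decide where the file lands.
    return (Path(upload_root) / filename).resolve()

def safe_upload_path(upload_root, filename):
    # 1. Accept a bare name only: no "/" or "\" separators, no drive prefix.
    base = PureWindowsPath(PurePosixPath(filename).name).name
    if base != filename or base in ("", ".", "..") or "\x00" in base:
        raise UnsafeFilename(repr(filename))
    # 2. Resolve symlinks and confirm the result is still under the root.
    root = Path(upload_root).resolve()
    target = (root / base).resolve()
    if not target.is_relative_to(root):
        raise UnsafeFilename(repr(filename))
    return target

def is_rejected(upload_root, filename):
    try:
        safe_upload_path(upload_root, filename)
    except UnsafeFilename:
        return True
    return False

def demo():
    # Constructed filenames; the upload root is a throwaway temp directory.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "uploads")
        root.mkdir()
        escaped = naive_upload_path(root, "../outside.txt")
        return {
            "naive_escapes_root": not escaped.is_relative_to(root.resolve()),
            "rejects_dotdot": is_rejected(root, "../outside.txt"),
            "rejects_backslash": is_rejected(root, "..\\outside.txt"),
            "rejects_absolute": is_rejected(root, "/tmp/outside.txt"),
            "accepts_plain": not is_rejected(root, "flow.json"),
        }

if __name__ == "__main__":
    print(demo())
```

The containment check after `resolve()` is what catches a symlink inside the upload directory that points elsewhere, which the separator check alone would miss.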
A disclosure that went nowhere
The timeline here is worth sitting with, because it explains why this is an unpatched flaw rather than a routine patch-it-and-move-on story. Tenable says it tried to reach the Langflow maintainers three separate times across January and February 2026. After those attempts went unanswered, the company published details on March 27. Months later, there is still no fix, and the exploitation has started.
This is the awkward reality of depending on fast-moving open-source projects for production infrastructure. The Langflow project ships features quickly, which is exactly why teams like it, but coordinated disclosure only works when someone on the other end is reading the inbox. When that channel breaks down, defenders are left holding a public advisory, a growing pool of attacker interest, and no upstream patch to apply.

How bad is the exposure
Censys data puts roughly 7,000 Langflow instances on the public internet, most of them in North America. So far the observed exploitation looks like reconnaissance rather than full compromise. "Exploitation efforts so far appear to weaponize the bug to write test files on victim systems," according to VulnCheck's findings. That pattern, writing a harmless marker file to confirm the bug works, is a familiar prelude. Attackers fingerprint what's vulnerable first, then come back to monetize it. If your instance is exposed, treat a benign test file as a warning shot, not an all-clear.
CVE-2026-5027 also doesn't exist in isolation. It lands in the middle of a rough year for Langflow, which has seen a string of exploited vulnerabilities including CVE-2026-0770, CVE-2026-33017, CVE-2026-21445, and CVE-2025-34291. That last one was picked up by MuddyWater, the Iranian state-sponsored group, which tells you the tooling has graduated from opportunistic crime to nation-state interest.
"The activity underscores a growing trend of attackers targeting the infrastructure and tooling that organizations use to build and deploy AI applications," VulnCheck said in a statement to The Hacker News. That trend is the real headline. The AI build stack, the orchestration layers, the agent frameworks, the low-code glue, has expanded faster than its security review has, and adversaries have noticed that these services frequently run with broad filesystem and network access while sitting one misconfiguration away from the open internet.
What to actually do right now
With no patch available, your defense has to come from configuration and network posture. Concrete steps:
- Get Langflow off the public internet. There is rarely a good reason for a flow-building tool to be directly reachable from anywhere. Put it behind a VPN or an authenticated reverse proxy, and restrict source IPs. This single change neutralizes the unauthenticated attack path for almost everyone.
- Disable auto-login. The default unauthenticated login is the multiplier that makes this trivially exploitable. Set the relevant superuser and auth environment variables so that a real credential is required, and confirm the endpoint actually rejects anonymous requests afterward.
- Run it as an unprivileged user in a constrained container. Arbitrary file write is far less useful to an attacker when the process can't write to anything interesting and the container is read-only where it can be. Drop capabilities, mount the filesystem read-only outside of needed paths, and avoid running as root.
- Hunt for the indicators now. Search your hosts for unexpected files written by the Langflow process, especially outside its normal upload directory, and review web logs for POST /api/v2/files requests carrying ../ in the filename. A test file you didn't create is reason to assume the instance is on someone's list.
- Watch the repository for a fix. Track the GitHub project and the VulnCheck advisory so you can apply a patch the moment one ships, rather than learning about it weeks late.
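The log review from the list above, as an added example (not code from Langflow, VulnCheck or Tenable). It assumes a reverse proxy that writes one JSON record per request and includes the upload part's Content-Disposition header; that log format, its field names and the sample records are constructed for illustration.

```python
import json
from email.message import Message
from urllib.parse import unquote

UPLOAD_PATH = "/api/v2/files"  # upload endpoint named in the advisory

def part_filename(content_disposition):
    """Pull the filename parameter out of a multipart part header."""
    msg = Message()
    msg["Content-Disposition"] = content_disposition
    return msg.get_filename("")

def has_traversal(filename):
    """True when the name is absolute or has a '..' segment once decoded."""
    decoded = filename
    for _ in range(3):  # unwrap nested percent-encoding
        decoded = unquote(decoded)
    decoded = decoded.replace("\\", "/")
    return decoded.startswith("/") or ".." in decoded.split("/")

def hunt(log_lines):
    """Return (timestamp, source, filename) for suspicious upload requests."""
    hits = []
    for line in log_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a JSON record, ignore
        path = rec.get("path", "").split("?")[0].rstrip("/")
        if rec.get("method") != "POST" or path != UPLOAD_PATH:
            continue
        name = part_filename(rec.get("content_disposition", ""))
        if has_traversal(name):
            hits.append((rec.get("ts"), rec.get("src"), name))
    return hits

def _rec(ts, src, method, path, filename):  # builds one constructed log line
    cd = f'form-data; name="file"; filename="{filename}"'
    return json.dumps(dict(ts=ts, src=src, method=method, path=path, content_disposition=cd))

SAMPLE_LOG = [  # constructed records using documentation-range addresses
    _rec("t1", "192.0.2.10", "POST", "/api/v2/files", "flow..v2.json"),
    _rec("t2", "198.51.100.7", "POST", "/api/v2/files", "../../tmp/probe.txt"),
    _rec("t3", "203.0.113.5", "POST", "/api/v2/files/", "%252e%252e%252fprobe.txt"),
    _rec("t4", "192.0.2.10", "GET", "/api/v2/files", "../ignored.txt"),
]

if __name__ == "__main__":
    print(hunt(SAMPLE_LOG))
```

Matching on a whole `..` path segment after decoding keeps names like `flow..v2.json` from raising false alarms while still catching percent-encoded and backslash variants.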
The broader lesson extends past this one CVE. Every AI orchestration tool you deploy is an application server with the access of an application server, and it deserves the same scrutiny you'd give any other internet-facing service: authentication on by default, least privilege, network segmentation, and a monitored channel for security reports. Langflow's value as a rapid prototyping platform is real, but rapid prototyping defaults and production exposure are a dangerous combination. Treat the tool that builds your AI apps with the same seriousness you'd treat the apps themselves.
