CVE-2026-5027 PUBLISHED

Langflow - Path Traversal Arbitrary File Write via upload_user_file

Assigner: tenable
Reserved: 27.03.2026 Published: 27.03.2026 Updated: 27.03.2026

The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences ('../').

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 8.8

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	langflow-ai
Product	langflow
Versions	Default: unaffected Version 0 is affected

References

https://www.tenable.com/security/research/tra-2026-26

Problem Types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory CWE