CVE-2026-55450 PUBLISHED

Langflow: Unauthenticated file upload leads to DoS (space exhaustion) and information leak

Assigner: GitHub_M
Reserved: 16.06.2026 Published: 23.06.2026 Updated: 23.06.2026

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.1, unauthenticated users can upload any amount of data to the server without any limitations. No need for any prior knowledge, only network access to Langflow. This can lead to space exhaustion on the server. In addition, in the response, the absolute path of the uploaded file is reported to the attacker, which is an information leak that can assist in chaining other primitives. This vulnerability is fixed in 1.9.1.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:H
CVSS Score: 9.3

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	langflow-ai
Product	langflow
Versions	Version < 1.9.1 is affected

References

Problem Types

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE
CWE-306: Missing Authentication for Critical Function CWE
CWE-400: Uncontrolled Resource Consumption CWE