























A critical vulnerability in AI toolkit Langflow is getting exploited in the wild – but has yet to hit CISA’s KEV, a week after exploitation was first reported.
The vulnerability, allocated CVE-2026-5027, is the third Langflow vulnerability to see active exploitation in 2026. CVE-2026-33017 and more recently CVE-2025-34291 have both been used to breach Langflow instances.
The vulnerability was reported to Langflow’s maintainers by cybersecurity firm Tenable in January. It took them six months to acknowledge and push a fix, Tenable’s disclosure timeline shows. Version 1.9.0 is now patched.
Tenable’s vulnerability description said simply:
“The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences ('../').”
Caitlin Condon, VP, security research at VulnCheck, said on June 9: “Our Canaries observed exploitation of CVE-2026-5027 that successfully leveraged the path traversal to write what appear to be test files on victim systems.”
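The bug class Tenable describes is a client-supplied multipart filename reaching a filesystem path join unchecked. The following Python is an added example, not Langflow's code and not the 1.9.0 fix: it puts that pattern beside a hardened resolver, and every function name, directory and sample filename in it is constructed for illustration.

```python
import os
from pathlib import Path


class UnsafeFilename(ValueError):
    """Client-supplied filename would land outside the upload directory."""


def naive_target(upload_dir: Path, filename: str) -> Path:
    # Unsafe pattern: the filename is joined as-is, so "../" segments or an
    # absolute path decide where the file is written.
    return Path(os.path.normpath(upload_dir / filename))


def safe_target(upload_dir: Path, filename: str) -> Path:
    # 1. Reject anything that is not a single plain path component.
    if (not filename or filename in (".", "..") or "\x00" in filename
            or "/" in filename or "\\" in filename):
        raise UnsafeFilename(repr(filename))
    # 2. Defence in depth: resolve symlinks and confirm containment.
    root = upload_dir.resolve()
    target = (root / filename).resolve()
    if root not in target.parents:
        raise UnsafeFilename(repr(filename))
    return target


def classify(upload_dir: Path, filenames: list[str]) -> dict[str, str]:
    """Label each candidate filename as accepted or rejected by safe_target."""
    verdicts = {}
    for name in filenames:
        try:
            safe_target(upload_dir, name)
            verdicts[name] = "accepted"
        except UnsafeFilename:
            verdicts[name] = "rejected"
    return verdicts


# Constructed sample filenames, as they might arrive in multipart form data.
SAMPLES = ["report.pdf", "../../../tmp/poc.txt", "/etc/cron.d/job",
           "..\\..\\poc.txt", "..", ""]

if __name__ == "__main__":
    base = Path("/srv/app/uploads")  # constructed upload directory
    print("naive join:", naive_target(base, SAMPLES[1]))
    for name, verdict in classify(base, SAMPLES).items():
        print(f"{verdict:9} {name!r}")
```

Rejecting outright, rather than silently stripping the traversal segments, also leaves a clear log event for detection.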
Langflow is a low-code visual interface for building, testing, and deploying LLM applications and multi-agent systems. It has been starred over 150,000 times on GitHub and has a lively community of 378 contributors.
The company Langflow – creator and primary maintainer of Langflow the open-source project – was bought by DataStax in 2024. DataStax was in turn bought by IBM in early 2025. Langflow is primarily used by developers, data scientists, and product managers to spin up AI-powered applications.
Some common use cases include:
All of those things have made it very popular indeed.
An attitude of “build fast and don’t secure things” seems to prevail, however, when it comes to Langflow and similar tools.
Censys puts it at 7,000 instances exposed. Jim Sherlock, VP AI & Cybersecurity R&D at ProCircular, said in an emailed comment that it was more like 74,000. (The Stack has asked for more details on that discrepancy/search terms and will update this article when we have a response.)
Sherlock said: “Because the platform ships with login disabled by default, exploitation takes a single request with no credentials, resulting in full takeover of the machine…”
He added: “Orchestration platforms are now a permanent part of an organization's external attack surface, and most companies have no idea how many they're running. Through 2025, teams everywhere stood up Langflow, Flowise, n8n, Dify, and similar low-code tools to prototype agents and LLM workflows.
“These deployments rarely got the hardening a production web app would. They run with default authentication settings and sit on public IPs because someone needed to demo a flow to a stakeholder, and nobody owns patching them… you can blame fast-moving open source projects, immature security response, and users who deploy first and secure never.
“A no-credentials-by-default setup is exactly the kind of thing that survives in shadow deployments nobody is reviewing. [Firms need to] commit to continuous external attack surface monitoring that treats AI tooling as a first-class asset category.
“Point-in-time scans miss these systems because they come and go on the schedule of individual developers, not change management. Organizations should be continuously fingerprinting their external surface for Langflow, Flowise, and the rest of the AI orchestration stack, flagging anything new within hours instead of finding it during an incident. When something turns up, get it behind a VPN or firewall, turn on authentication, and give it an owner who patches it like production. If it's reachable from the internet, attackers are already treating it that way.”