Path traversal in Langflow exploited to write files
🛡️ A high-severity path traversal flaw (CVE-2026-5027) in the AI development platform Langflow is being actively exploited to write arbitrary files to exposed servers. Tenable discovered the issue, which stems from unsanitized filenames in the POST /api/v2/files endpoint, and disclosed it on March 27, 2026. Patches were released in langflow-base 0.8.3 and Langflow 1.9.0, and users are urged to upgrade to version 1.10.0.
