CVE-2026-5027 — 7,000 Langflow Instances Under Active Attack via Path Traversal to RCE

AI relevance: Langflow is a widely deployed low-code AI agent orchestration platform. Compromising its file upload endpoint gives attackers a shell on a host that holds LLM API keys, database credentials, and CRM tokens.

  • CVE-2026-5027 (CVSS 8.8) is a path traversal in Langflow's POST /api/v2/files endpoint. The filename is taken directly from form data and written to disk without sanitization, letting attackers drop files anywhere the process can write.
  • Langflow ships with auto-login enabled by default. An exposed instance requires zero authentication — a single unauthenticated request reaches the vulnerable endpoint.
  • VulnCheck confirmed active exploitation in the wild on June 9: "Our Canaries observed exploitation of CVE-2026-5027 that successfully leveraged the path traversal to write what appear to be test files on victim systems."
  • Censys identified approximately 7,000 exposed Langflow instances on the internet, predominantly in North America.
  • This is the third Langflow RCE flaw to draw active exploitation in 2026, after CVE-2025-34291 (weaponized by Iran's MuddyWater, added to CISA KEV in May) and CVE-2026-33017.
  • The patch shipped in version 1.9.0 on April 15. Attacks began in June — a nearly two-month gap between fix and exploitation that caught unpatched deployments flat-footed.
  • Check Point Research separately chained SQL injection in LangGraph's SQLite checkpointer (CVE-2025-67644, CVSS 7.3) with an unsafe msgpack deserialization (CVE-2026-28277, CVSS 6.8) to achieve full RCE through the checkpoint persistence layer.
  • Cyera documented CVE-2026-34070 (CVSS 7.5) in langchain-core: a path traversal in load_prompt() that reads arbitrary files including .env containing OPENAI_API_KEY and ANTHROPIC_API_KEY.
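
The upload bug class described above (a client-supplied filename joined to a directory and written without checks), shown beside a containment check. This is an added example, not Langflow's code or its 1.9.0 patch. The names naive_target, safe_target and audit are hypothetical, and the sample filenames are constructed.

```python
import tempfile
from pathlib import Path

# Constructed sample filenames, as they might arrive in a multipart form field.
SAMPLES = ["report.csv", "../outside.txt", "sub/../../outside.txt",
           "/tmp/abs.txt", "..\\..\\outside.txt", "..", ""]


def naive_target(upload_dir: Path, filename: str) -> Path:
    """Bug class from the advisory: the client-supplied name is joined as-is."""
    return (upload_dir / filename).resolve()


def safe_target(upload_dir: Path, filename: str) -> Path:
    """Return a path directly inside upload_dir, or raise ValueError."""
    if not filename or "\x00" in filename:
        raise ValueError("empty filename or NUL byte")
    # Reject either separator style (backslash matters on Windows hosts)
    # instead of stripping it, so the attempt can be logged and alerted on.
    if "/" in filename or "\\" in filename or filename in (".", ".."):
        raise ValueError(f"filename is not a single path component: {filename!r}")
    root = upload_dir.resolve()
    target = (root / filename).resolve()
    # Defence in depth: a symlink already inside the directory must not
    # redirect the write outside it.
    if not target.is_relative_to(root):
        raise ValueError(f"resolved path leaves upload directory: {filename!r}")
    return target


def audit(upload_dir: Path, names=SAMPLES) -> dict:
    """For each name: does the naive join escape, and does safe_target accept it?"""
    root = upload_dir.resolve()
    result = {}
    for name in names:
        escapes = not naive_target(root, name).is_relative_to(root)
        try:
            safe_target(root, name)
            accepted = True
        except ValueError:
            accepted = False
        result[name] = (escapes, accepted)
    return result


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for name, (escapes, accepted) in audit(Path(d)).items():
            print(f"{name!r:28} naive_escapes={escapes!s:5} safe_accepts={accepted}")
```

The same resolve-then-compare check applies to read paths, which is the shape of the load_prompt() issue listed above. Requires Python 3.9 or later for Path.is_relative_to.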

Why it matters

These are not exotic AI-specific vulnerabilities — they are classic AppSec bugs (path traversal, SQL injection, unsafe deserialization) living inside new AI agent infrastructure. The WAF doesn't see a msgpack decoder running three layers down. The EDR watches the agent server make the same process calls it makes a thousand times a day. Nobody scoped the framework itself as the thing that could turn on you. Langflow, LangGraph, and LangChain became production infrastructure faster than anyone secured them.

What to do

  • Upgrade Langflow to ≥1.9.0 immediately. Upgrade langgraph-checkpoint-sqlite to ≥3.0.1, langgraph to ≥1.0.10, langgraph-checkpoint-redis to ≥1.0.2.
  • Upgrade langchain-core to ≥1.2.22 (for CVE-2026-34070) and ≥1.2.5 (for CVE-2025-68664). Both must be cleared.
  • Disable auto-login on all Langflow deployments. Put instances behind authentication and network segmentation.
  • Audit exposed instances via Censys/Shodan. If yours is internet-facing and unpatched, assume compromise and rotate all credentials the host could reach.
  • Treat AI agent frameworks as security boundaries, not developer convenience tools — they hold the keys to your databases, CRMs, and LLM providers.

Sources