PT-2026-49342 · Pypi · Langflow
Published 2026-06-15 · Updated 2026-06-16 · CVE-2026-48520
CVSS v3.1: 6.1 (Medium)
| Vector | AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N |
Summary
The "Shareable Playground" (or "Public Flows" in code) contains a potential arbitrary file-read vulnerability, depending on the exact flow configuration used.
Making a flow public allows public execution of that flow. The execution request can contain a list of files that Langflow reads and feeds into the LLM.
The file path can be any path supported by the storage: either a local file or, if the local configuration supports it, an S3 path.
Details
The Shareable Playground feature works by letting unauthenticated users execute workflows by accessing a link.
Specifically, it enables the route `/api/v1/build_public_tmp` to execute any public flow, given a public flow ID.
This request contains a `files` field that can contain a list of files. The files get read in `LCModelComponent._get_chat_result` in a call to `to_lc_message`. A detailed stack trace:

```
  File "/Users/ori/Work/research/langchain/langflow/src/backend/base/langflow/api/build.py", line 466, in build_vertices
    vertex_build_response: VertexBuildResponse = await build_vertex(vertex_id, graph, event_manager)
  File "/Users/ori/Work/research/langchain/langflow/src/backend/base/langflow/api/build.py", line 324, in build_vertex
    vertex_build_result = await graph.build_vertex(
  File "/Users/ori/Work/research/langchain/langflow/src/lfx/src/lfx/graph/graph/base.py", line 1563, in build_vertex
    await vertex.build(
  File "/Users/ori/Work/research/langchain/langflow/src/lfx/src/lfx/graph/vertex/base.py", line 770, in build
    await step(user_id=user_id, event_manager=event_manager, **kwargs)
  File "/Users/ori/Work/research/langchain/langflow/src/lfx/src/lfx/events/observability/lifecycle_events.py", line 95, in wrapper
    result = await observed_method(self, *args, **kwargs)
  File "/Users/ori/Work/research/langchain/langflow/src/lfx/src/lfx/graph/vertex/base.py", line 411, in build
    await self._build_results(
  File "/Users/ori/Work/research/langchain/langflow/src/lfx/src/lfx/graph/vertex/base.py", line 640, in _build_results
    result = await initialize.loading.get_instance_results(
  File "/Users/ori/Work/research/langchain/langflow/src/lfx/src/lfx/interface/initialize/loading.py", line 76, in get_instance_results
    return await build_component(params=custom_params, custom_component=custom_component)
  File "/Users/ori/Work/research/langchain/langflow/src/lfx/src/lfx/interface/initialize/loading.py", line 299, in build_component
    build_results, artifacts = await custom_component.build_results()
  File "/Users/ori/Work/research/langchain/langflow/src/lfx/src/lfx/custom/custom_component/component.py", line 1136, in build_results
    return await self._build_with_tracing()
  File "/Users/ori/Work/research/langchain/langflow/src/lfx/src/lfx/custom/custom_component/component.py", line 1118, in _build_with_tracing
    results, artifacts = await self._build_results()
  File "/Users/ori/Work/research/langchain/langflow/src/lfx/src/lfx/custom/custom_component/component.py", line 1163, in _build_results
    result = await self._get_output_result(output)
  File "/Users/ori/Work/research/langchain/langflow/src/lfx/src/lfx/custom/custom_component/component.py", line 1238, in _get_output_result
    result = await method() if inspect.iscoroutinefunction(method) else await asyncio.to_thread(method)
  File "/Users/ori/Work/research/langchain/langflow/src/lfx/src/lfx/base/models/model.py", line 88, in text_response
    result = await self.get_chat_result(
  File "/Users/ori/Work/research/langchain/langflow/src/lfx/src/lfx/base/models/model.py", line 180, in get_chat_result
    return await self._get_chat_result(
  File "/Users/ori/Work/research/langchain/langflow/src/lfx/src/lfx/base/models/model.py", line 232, in _get_chat_result
    messages.append(input_value.to_lc_message(self.name))
  File "/Users/ori/Work/research/langchain/langflow/src/lfx/src/lfx/schema/message.py", line 184, in to_lc_message
    file_contents = self.get_file_content_dicts(model_name)
  File "/Users/ori/Work/research/langchain/langflow/src/lfx/src/lfx/schema/message.py", line 256, in get_file_content_dicts
    content_dicts.append(create_image_content_dict(file, None, model_name))
  File "/Users/ori/Work/research/langchain/langflow/src/lfx/src/lfx/utils/image.py", line 96, in create_image_content_dict
```

This triggers Langflow to feed the file into the LLM as an image. Reading the files back depends on the specific LLM configuration.
PoC
Reproduction:
- Create a new flow and add a Chat Input node to it
- Share the flow ("Shareable Playground")
- Access the public link with the browser developer tools open and execute the flow.
- Find the `/api/v1/build_public_tmp` route and copy as cURL
- Edit the `files` JSON field to point to any file.
Impact
Potential file read (local or S3) if the Shareable Playground feature is used.
Ori Lahav
Security Researcher @ Rubrik Inc.
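
One way to constrain the `files` field of a public build request on the server side, as an added example that is not part of the advisory and is not Langflow's own fix. The storage layout (`<storage_root>/<flow_id>/<file name>`), the reference format and all function names are assumptions made for illustration.

```python
import tempfile
from pathlib import Path, PurePosixPath
from urllib.parse import urlsplit


class RejectedFilePath(ValueError):
    """A client-supplied file reference points outside the flow's uploads."""


def resolve_public_file(ref, flow_id: str, storage_root: Path) -> Path:
    """Map one entry of the request's `files` list to a real path, or raise.

    Assumed layout (hypothetical, not Langflow's): uploads for a flow live in
    <storage_root>/<flow_id>/ and clients name them "<flow_id>/<file name>".
    """
    if not isinstance(ref, str) or not ref or "\x00" in ref:
        raise RejectedFilePath("empty or malformed reference")
    # s3://bucket/key and similar: a public caller never selects the backend.
    if urlsplit(ref).scheme or ref.startswith("//"):
        raise RejectedFilePath("URI references are not accepted")
    rel = PurePosixPath(ref)
    if rel.is_absolute() or ".." in rel.parts:
        raise RejectedFilePath("absolute or parent-relative path")
    if len(rel.parts) != 2 or rel.parts[0] != flow_id:
        raise RejectedFilePath("reference is not <flow_id>/<file name>")
    base = (storage_root / flow_id).resolve()
    candidate = (base / rel.parts[1]).resolve()
    # resolve() follows symlinks, so a link inside the upload dir cannot escape.
    if not candidate.is_relative_to(base):
        raise RejectedFilePath("resolves outside the flow's upload directory")
    return candidate


def filter_public_files(files, flow_id: str, storage_root) -> list:
    """Validate the whole `files` list and fail closed on the first bad entry."""
    return [resolve_public_file(f, flow_id, Path(storage_root)) for f in files or []]


if __name__ == "__main__":
    # Constructed sample data: one uploaded image and four out-of-scope references.
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "flow-1").mkdir()
        (Path(root) / "flow-1" / "cat.png").write_bytes(b"\x89PNG")
        print(filter_public_files(["flow-1/cat.png"], "flow-1", root))
        for bad in ["/etc/hosts", "s3://bucket/key", "flow-1/../x", "flow-2/cat.png"]:
            try:
                filter_public_files([bad], "flow-1", root)
            except RejectedFilePath as exc:
                print(f"rejected {bad!r}: {exc}")
```

The check runs before any storage read, so a rejected entry never reaches the code that loads file contents for the model.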
Affected products
Langflow