Ddlxstudio

**Name of the Vulnerable Software and Affected Versions** Langflow versions prior to 1.9.0 **Description** Langflow is a tool for building and deploying AI-powered agents and workflows. A path traversal flaw exists in the Knowledge Bases API endpoint "DELETE /api/v1/knowledge bases" within the `delete knowledge bases bulk()` function. The issue arises because user-supplied knowledge base names provided in the `kb names` parameter are concatenated directly into file paths without proper sanitization or boundary validation. This allows an authenticated attacker to use traversal sequences (e.g., `../`) to escape the intended directory and trigger the `shutil.rmtree()` function to delete arbitrary directories on the server's filesystem. This can lead to cross-tenant data loss, deletion of critical application files, and potential service disruption. **Recommendations** Update to version 1.9.0. As a temporary workaround, restrict access to the "DELETE /api/v1/knowledge bases" API endpoint to minimize the risk of exploitation.