PT-2026-26336 · Langflow · Langflow
Akshatgit · Published 2026-03-19 · Updated 2026-03-24 · CVE-2026-33309
CVSS v3.1: 9.9 Critical
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Langflow versions 1.2.0 through 1.8.1
Description: Langflow, a tool for building and deploying AI-powered agents and workflows, contains a security flaw that allows authenticated attackers to write files anywhere on the host filesystem, potentially leading to remote code execution (RCE). The root architectural issue within LocalStorageService remains unresolved: the underlying storage layer lacks boundary containment checks, and the system relies entirely on the HTTP-layer ValidatedFileName dependency, which does not protect against this issue. Specifically, the POST /api/v2/files/ endpoint is vulnerable because the filename carried in the multipart upload bypasses the guard applied to the path parameter. The vulnerability exists in two layers: the API layer (src/backend/base/langflow/api/v2/files.py:162) and the storage layer (src/backend/base/langflow/services/storage/local.py:114-116). The filename is taken directly from the multipart Content-Disposition header and used in naive path concatenation without proper validation. A proof of concept demonstrates writing a file outside the user's storage directory using directory traversal. Successful exploitation could allow attackers to overwrite critical system files, inject malicious Python components, or otherwise compromise the system's security.
Recommendations: Langflow versions prior to 1.9.0 are affected. Update to version 1.9.0 to resolve the vulnerability.
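The kind of storage-layer containment check the description says LocalStorageService lacks, shown beside the naive concatenation pattern, as an added example that is not Langflow's code. The storage root, the function names and the flow_id/file_name layout are assumptions made for the demonstration.

```python
from pathlib import Path, PurePosixPath

# Hypothetical storage root used for the demonstration; Langflow's real layout,
# class and function names are not assumed here.
STORAGE_ROOT = Path("/srv/langflow/storage")


class PathTraversalError(ValueError):
    """Raised when a client-supplied name would land a file outside its storage directory."""


def naive_storage_path(storage_root: Path, flow_id: str, file_name: str) -> Path:
    """The pattern the advisory describes: plain concatenation with no containment
    check, trusting a file_name taken straight from Content-Disposition."""
    return storage_root / flow_id / file_name


def safe_storage_path(storage_root: Path, flow_id: str, file_name: str) -> Path:
    """Return the absolute destination for (flow_id, file_name), or raise.

    Two independent checks: a lexical one on each name before the filesystem is
    touched, and a resolved-path one that also defeats symlinked directories.
    """
    for label, value in (("flow id", flow_id), ("file name", file_name)):
        # A valid component is one non-empty element with no separators, no NUL
        # byte and no dot-dot: this rejects "../x", "/etc/x", "a/../x" and "..\\x".
        if (
            not value
            or value in {".", ".."}
            or "\x00" in value
            or "\\" in value
            or PurePosixPath(value).name != value
        ):
            raise PathTraversalError(f"unsafe {label}: {value!r}")
    root = storage_root.resolve()
    candidate = (root / flow_id / file_name).resolve()
    # Containment is enforced in the storage layer itself, so it holds for every
    # caller, not only the one HTTP route that validates its path parameter.
    if root not in candidate.parents:
        raise PathTraversalError(f"{candidate} escapes {root}")
    return candidate


def is_contained(storage_root: Path, flow_id: str, file_name: str) -> bool:
    """True if the storage layer accepts this (flow_id, file_name), False if rejected."""
    try:
        safe_storage_path(storage_root, flow_id, file_name)
    except PathTraversalError:
        return False
    return True
```

Placing the check in the storage service rather than only in the route handler is what closes the gap between the path-parameter guard and the multipart filename.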

Exploit · Fix · RCE · Path traversal · Code Injection · Improper Access Control

Weakness Enumeration

Related Identifiers: CVE-2026-33309, ECHO-6551-DA8D-A4B8, GHSA-G2J9-7RJ2-GM6C, PYSEC-2026-79

Affected Products: Langflow