PT-2026-28741 · Unknown · Api/V2/Files

Published: 2026-03-27 · Updated: 2026-04-12 · CVE-2026-5027

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Langflow versions (affected versions not specified)

Description: The 'POST /api/v2/files' endpoint is susceptible to a path traversal issue due to insufficient sanitization of the filename parameter received through multipart form data. This allows attackers to write files to arbitrary locations on the filesystem by utilizing path traversal sequences such as '../'. Successful exploitation could lead to remote code execution in certain deployments.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
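
The weakness class described above, shown as an added example that is not Langflow's code or part of the original advisory: a client-supplied multipart filename joined to a storage root as-is, next to a check that accepts only a single path component resolving directly inside that root. The function names, the storage root and the sample filenames are assumptions constructed for illustration.

```python
import os
from pathlib import Path


def unsafe_destination(root: Path, filename: str) -> Path:
    """Vulnerable pattern: the client-supplied name is joined to the root as-is."""
    return Path(os.path.normpath(root / filename))


def safe_destination(root: Path, filename: str) -> Path:
    """Accept only a single path component that resolves directly inside root."""
    # Reject separators of either OS, dot names and NUL instead of rewriting
    # them, so a traversal attempt fails loudly and can be logged.
    if (
        not filename
        or filename in (".", "..")
        or any(c in filename for c in ("/", "\\", "\x00"))
    ):
        raise ValueError(f"rejected upload filename: {filename!r}")
    root = root.resolve()
    # resolve() follows a symlink that already exists under this name in root
    target = (root / filename).resolve()
    if target.parent != root:
        raise ValueError(f"upload target escapes storage root: {filename!r}")
    return target


def classify(root: Path, names: list[str]) -> dict[str, bool]:
    """Map each candidate filename to True (accepted) or False (rejected)."""
    result = {}
    for name in names:
        try:
            safe_destination(root, name)
            result[name] = True
        except ValueError:
            result[name] = False
    return result


if __name__ == "__main__":
    root = Path("/srv/app/uploads")  # hypothetical storage root
    samples = ["report.pdf", "../../tmp/outside.txt", "..\\outside.txt"]  # constructed
    print(unsafe_destination(root, samples[1]))  # lands outside the storage root
    print(classify(root, samples))
```

Rejected names are worth logging with the authenticated user, since the CVSS vector lists low privileges as required.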

RCE

Path traversal

Weakness Enumeration

Related Identifiers: CVE-2026-5027

Affected Products: Api/V2/Files