PT-2026-33691 · Langflow Ai · Langflow
Eric-D · Published 2026-04-20 · Updated 2026-04-20
CVE-2026-6596
CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
langflow-ai langflow versions prior to 1.1.1
Description
An unrestricted file upload flaw exists in the API Endpoint component. The issue is located in the create_upload_file() function within the file 'src/backend/base/Langflow/api/v1/endpoints.py'. This allows a remote attacker to upload files without proper restrictions. Over 2,900 internet-facing instances have been identified as potentially exposed.
Recommendations
Update to a version later than 1.1.0.
As a temporary workaround, restrict access to the create_upload_file() function until a patch is applied.
Exploit
Fix
Improper Access Control
Unrestricted File Upload
Affected Products
Langflow