PT-2026-50598 · Pypi · Langflow

Published: 2026-06-17 · Updated: 2026-06-19 · CVE-2026-55450

CVSS v3.1: 9.3 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:H

Name of the Vulnerable Software and Affected Versions: Langflow versions prior to 1.9.1

Description: Unauthenticated users with network access can upload unlimited amounts of data to the server, which can lead to disk space exhaustion and a subsequent denial-of-service. Additionally, the server leaks the absolute path of the uploaded file in the response, providing information that could be used to facilitate further attacks. The issue exists in the create_upload_file() function within the '/upload/{flow_id}' endpoint, where there is a lack of authentication and validation for the flow_id variable.

Recommendations: Update to version 1.9.1. As a temporary workaround, restrict network access to the '/upload/{flow_id}' endpoint to minimize the risk of exploitation.
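
The weaknesses named in the description (no authentication, no validation of flow_id, unbounded upload size, absolute path returned) shown as explicit checks in a minimal upload routine. This is an added example, not Langflow's code or the 1.9.1 patch; store_upload, UploadRejected, known_flows, the 1 MiB cap and the assumption that flow_id is a UUID are all hypothetical.

```python
import os
import uuid

MAX_UPLOAD_BYTES = 1024 * 1024  # assumed cap for this example, not a Langflow setting
CHUNK = 64 * 1024


class UploadRejected(Exception):
    """Raised with an HTTP-style status code when an upload is refused."""

    def __init__(self, status, reason):
        super().__init__(reason)
        self.status = status


def store_upload(base_dir, flow_id, stream, authenticated, known_flows,
                 max_bytes=MAX_UPLOAD_BYTES):
    """Hypothetical handler core: authenticate, validate flow_id, cap size."""
    if not authenticated:                       # missing-authentication check
        raise UploadRejected(401, "authentication required")
    try:
        flow = str(uuid.UUID(flow_id))          # canonical form, no path characters
    except (ValueError, AttributeError, TypeError):
        raise UploadRejected(400, "flow_id is not a UUID")
    if flow not in known_flows:                 # flow must exist for this caller
        raise UploadRejected(404, "unknown flow")

    folder = os.path.join(base_dir, flow)
    os.makedirs(folder, exist_ok=True)
    name = uuid.uuid4().hex                     # server-chosen name, never client-supplied
    target = os.path.join(folder, name)
    written = 0
    try:
        with open(target, "wb") as out:
            while chunk := stream.read(CHUNK):  # count bytes actually received
                written += len(chunk)
                if written > max_bytes:
                    raise UploadRejected(413, "upload exceeds size limit")
                out.write(chunk)
    except UploadRejected:
        os.remove(target)                       # leave no partial file on disk
        raise
    # Return an opaque relative reference, not the absolute server path.
    return {"file": f"{flow}/{name}", "size": written}
```

The size limit is enforced on bytes read from the stream rather than on a declared length, and a rejected upload is deleted so repeated oversized requests cannot fill the disk with partial files.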

Fix

Resource Exhaustion

Information Disclosure

Missing Authentication


Weakness Enumeration

Related Identifiers

CVE-2026-55450
GHSA-X223-P2GF-V735

Affected Products

Langflow