
Langflow CVE-2026-5027 Exploitation Accelerates: AI Workflow Builder's Path Traversal RCE Under Active Attack

Exploitation of CVE-2026-5027 in Langflow, the AI workflow builder, has intensified following public PoC release. The path traversal remote code execution vulnerability, added to CISA's KEV on 8 June, is being used to deploy credential stealers and post-exploitation agents against organisations running unsecured Langflow instances. Upgrade to Langflow 1.3.5 immediately.


Exploitation of CVE-2026-5027 in Langflow — an open-source platform for building AI-powered applications and workflows — has escalated significantly in the 48 hours following CISA’s addition of the vulnerability to the Known Exploited Vulnerabilities catalogue on 8 June. Threat intelligence sources report active scanning and exploitation campaigns targeting internet-exposed Langflow instances, with confirmed deployment of credential-stealing payloads and persistence mechanisms on compromised hosts.

Vulnerability Details

CVE-2026-5027 is a path traversal vulnerability in Langflow’s file upload and component processing functionality. Langflow allows users to upload custom Python components — code extensions that can integrate with external APIs, databases, and other services. The vulnerability arises from insufficient path validation in the component loading code, which allows a malicious upload to traverse outside the intended directory and write files to arbitrary locations on the Langflow server.

The practical exploitation path combines path traversal with Langflow’s Python code execution capability:

  1. Upload a malicious “component” file using the path traversal to place it in a Python-importable location
  2. Trigger Langflow’s component loading mechanism to import and execute the malicious Python code
  3. Python execution occurs with the privilege of the Langflow process — typically the user running the service, which in many deployments is root or an overly-privileged service account
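The missing check behind this class of bug, shown as an added example (illustrative Python, not Langflow's code or its actual patch): a naive join of the client-supplied file name next to a resolver that refuses any name that lands outside the upload root. The function names and the directory paths are hypothetical.

```python
import os
from pathlib import Path


def naive_destination(root: Path, client_name: str) -> Path:
    """Flawed pattern: join the client-supplied name and trust the result."""
    # normpath collapses ".." lexically, and an absolute name discards root.
    return Path(os.path.normpath(root / client_name))


def safe_destination(root: Path, client_name: str) -> Path:
    """Return a destination strictly inside root, or raise ValueError."""
    if not client_name or "\x00" in client_name:
        raise ValueError("empty name or NUL byte")
    # Treat both separator styles as separators, whatever the server OS.
    parts = client_name.replace("\\", "/").split("/")
    if parts[0] == "" or ".." in parts:
        raise ValueError("absolute path or parent reference")
    root_real = root.resolve()
    # resolve() follows symlinks, so a link inside root that points
    # elsewhere is caught by the containment test below.
    candidate = root_real.joinpath(*parts).resolve()
    if candidate == root_real or not candidate.is_relative_to(root_real):
        raise ValueError("resolves outside upload root")
    return candidate


def rejection_reason(root: Path, client_name: str):
    """None if the name is accepted, otherwise the reason it was refused."""
    try:
        safe_destination(root, client_name)
        return None
    except ValueError as exc:
        return str(exc)
```

The containment test runs on the fully resolved path, which is why it also covers symlinks that a purely lexical ".." filter would miss.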

CVSS score: 9.8 (Critical). Network attack vector, no authentication required in default Langflow configurations, no user interaction, full system compromise.

Authentication gap: Langflow is commonly deployed without authentication enabled, particularly in development and internal deployment scenarios. The default Langflow configuration does not require login for the API or the visual workflow editor. Organisations that deployed Langflow for internal use without enabling authentication have effectively provided unauthenticated internet-exposed Python code execution to any attacker who can reach the service.

Affected versions: Langflow 1.3.4 and earlier. Fixed version: Langflow 1.3.5.

Active Exploitation Activity

Threat intelligence sources tracking exploitation activity report:

  • Mass scanning campaigns targeting TCP port 7860 (Langflow’s default port) from multiple infrastructure clusters
  • Exploitation attempts using publicly available PoC payloads within hours of PoC publication on 8 June
  • Confirmed compromises with post-exploitation payloads including Python-based credential stealers targeting stored API keys, database connection strings, and cloud provider credentials in the Langflow environment
  • Deployment of reverse shells and persistence mechanisms in /etc/cron.d/ on compromised Linux hosts

The primary targets appear to be AI development environments where Langflow stores high-value credentials: LLM provider API keys (OpenAI, Anthropic, Google), cloud infrastructure credentials (AWS, Azure, GCP), and internal API tokens used by Langflow workflows.

Enterprise Exposure Assessment

Organisations should identify all Langflow deployments in their environment. Langflow is frequently deployed outside formal IT procurement processes — by data science, AI development, or innovation teams — on cloud instances, developer workstations, or internal servers without security review. The risk profile includes:

  • Development environments with production credentials: Langflow workflows frequently connect to production LLM APIs, databases, and cloud services. Compromise of a development Langflow instance provides these production credentials.
  • Internet-exposed instances: Langflow’s default configuration listens on all interfaces and does not require authentication. Any Langflow instance accessible from the internet without authentication is immediately exploitable.
  • Container deployments: Langflow is commonly deployed as a Docker container. Container isolation provides limited protection — the path traversal and code execution vulnerability operates within the container, and in deployments where production credentials are mounted as environment variables or volumes, those credentials are accessible.

Update to Langflow 1.3.5 immediately: pip install langflow==1.3.5 or pull the updated Docker image.

Inventory all Langflow deployments: Query cloud infrastructure (AWS EC2, Azure VMs, GCP Compute) for instances running Langflow. Search CI/CD systems and container registries for Langflow container deployments. This includes shadow IT deployments by development teams.

Enable authentication: If Langflow 1.3.5 is not immediately deployable, enable Langflow’s built-in authentication by setting LANGFLOW_AUTO_LOGIN=false and configuring a superuser password. This raises the exploitation bar from unauthenticated to authenticated.

Network access control: Block public internet access to Langflow instances that do not require external access. Langflow should be accessible only from the developer workstations and systems that legitimately use it.

Rotate credentials: For any Langflow instance that may have been exposed, rotate all API keys and credentials stored in Langflow’s component configuration or environment variables.
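The steps above, applied to an inventory, as an added example (not code from Langflow or from this article's author): each deployment record is mapped to the actions it still needs. The Deployment record, its field names and the sample inventory are constructed for illustration; treating an unset LANGFLOW_AUTO_LOGIN as unauthenticated follows the article's description of the default configuration.

```python
import re
from dataclasses import dataclass, field

FIXED = (1, 3, 5)  # fixed release named in the article


@dataclass
class Deployment:  # hypothetical inventory record, not a Langflow type
    name: str
    version: str
    bind: str                 # listen address, e.g. "0.0.0.0" or "127.0.0.1"
    internet_reachable: bool  # from your own firewall / security-group data
    env: dict = field(default_factory=dict)


def is_patched(version: str) -> bool:
    """True only for a plain x.y.z version >= 1.3.5; anything else fails closed."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    return bool(m) and tuple(map(int, m.groups())) >= FIXED


def auth_enforced(env: dict) -> bool:
    # The article says the default configuration requires no login, so an
    # unset LANGFLOW_AUTO_LOGIN counts as unauthenticated (assumption).
    return env.get("LANGFLOW_AUTO_LOGIN", "true").strip().lower() == "false"


def triage(d: Deployment) -> list:
    """Map one deployment to the remediation steps it still needs."""
    actions = []
    patched = is_patched(d.version)
    if not patched:
        actions.append("upgrade to 1.3.5")
    if not auth_enforced(d.env):
        actions.append("enable authentication")
    if d.internet_reachable or d.bind in ("0.0.0.0", "::"):
        actions.append("restrict network access")
    if not patched and d.internet_reachable:
        actions.append("rotate credentials")  # instance may have been exposed
    return actions


# Constructed sample inventory for illustration.
INVENTORY = [
    Deployment("ds-notebook", "1.3.4", "0.0.0.0", True),
    Deployment("team-internal", "1.3.2", "0.0.0.0", False, {"LANGFLOW_AUTO_LOGIN": "false"}),
    Deployment("prod-gateway", "1.3.5", "127.0.0.1", False, {"LANGFLOW_AUTO_LOGIN": "false"}),
]

if __name__ == "__main__":
    for d in sorted(INVENTORY, key=lambda d: -len(triage(d))):
        print(f"{d.name}: {', '.join(triage(d)) or 'no action'}")
```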
