Why are attackers able to write arbitrary files through Langflow on exposed AI development servers months after the flaw entered public view?

Langflow Flaw Lets Hackers Write Files on AI Servers
XOOMAR Intelligence
Analyst Take
Attackers are actively exploiting CVE-2026-5027, a high-severity path traversal vulnerability in Langflow that lets them write files to arbitrary locations on vulnerable servers, according to BleepingComputer. The issue hits a platform used to build AI applications, AI agents, RAG systems, and MCP-based workflows through a drag-and-drop interface.
Langflow’s reach is not niche. The open-source project has more than 149,000 stars and 9,200 forks on GitHub, which means a flaw in a default-exposed deployment can turn into a wide defensive scramble fast.
How does CVE-2026-5027 turn a file upload into arbitrary file writes?
The bug sits in Langflow’s file upload functionality. Specifically, CVE-2026-5027 affects the POST /api/v2/files endpoint, where Langflow fails to properly sanitize the filename parameter submitted through multipart form data.
That matters because attackers can use path traversal sequences such as ../ to escape the intended upload location and write files elsewhere on the server.
"The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences ('../')," Tenable said, according to the report.
Tenable discovered the flaw at the start of the year. It publicly disclosed the issue on March 27, 2026, more than two months after initially reporting it to the Langflow team without receiving a response, BleepingComputer reported.
The patch trail is slightly split. Tenable’s advisory did not mention a fix, but Snyk Security reported on March 30, 2026 that the issue was fixed in the langflow-base package version 0.8.3. The Langflow application itself received a patch in version 1.9.0.
Langflow users are now being told to upgrade to version 1.10.0, which the report says was published earlier the same day as the BleepingComputer article.
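The filename handling flaw described in this section, shown as an added example that is not Langflow's code or its actual patch: a naive join of the client-supplied name beside a resolver that rejects traversal and verifies containment. The function names and the `/srv/uploads` directory are hypothetical.

```python
import os
from pathlib import Path

class UnsafeFilename(ValueError):
    """Client-supplied filename would land outside the upload directory."""

def naive_destination(upload_dir, filename):
    # Weak pattern: the client-controlled name is joined as-is, so "../"
    # segments or an absolute path move the write outside upload_dir.
    return os.path.normpath(os.path.join(upload_dir, filename))

def safe_destination(upload_dir, filename):
    base = Path(upload_dir).resolve()
    # Reject rather than silently rewrite, so the attempt is visible in logs.
    if (not filename or filename in (".", "..") or "\x00" in filename
            or "/" in filename or "\\" in filename):
        raise UnsafeFilename(repr(filename))
    # Resolve symlinks, then require the result to sit directly inside base.
    dest = (base / filename).resolve()
    if dest.parent != base:
        raise UnsafeFilename(repr(filename))
    return dest

if __name__ == "__main__":
    # Constructed inputs for illustration only.
    print(naive_destination("/srv/uploads", "../../etc/demo.txt"))
    for name in ("report.pdf", "../../etc/demo.txt"):
        try:
            print("accepted:", safe_destination("/srv/uploads", name))
        except UnsafeFilename as exc:
            print("rejected:", exc)
```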
Why does unauthenticated access make this flaw more dangerous?
The harder problem is not just the upload bug. It’s how easily attackers may reach it on exposed deployments.
VulnCheck security researcher Caitlin Condon said the company’s honeypots have detected exploitation of the vulnerability, with attackers dropping test files on vulnerable instances.
"Because Langflow enables unauthenticated auto-login by default, no credentials are required to reach the vulnerable endpoint, and a single unauthenticated request is sufficient to obtain a valid session token before proceeding with exploitation," Condon wrote, according to the report.
That detail changes the defensive priority. If no credentials are needed in default-exposed configurations, internet-facing Langflow servers become the first systems to check.
Censys scans identified roughly 7,000 publicly exposed Langflow instances, according to Condon. That number needs caution. The report says the Censys data includes historical scan results from the previous 12 months, so it may not reflect how many systems are exposed right now.
Still, the exposure signal is enough to force action. The confirmed facts are narrower than the worst-case scenarios: VulnCheck observed test-file drops, not ransomware deployment or named malware campaigns through this specific flaw. But arbitrary file write is the kind of primitive defenders don’t ignore.
How far can arbitrary file write go on a vulnerable Langflow server?
Observed exploitation so far, as described in the source material, involves attackers dropping test files. That’s often a validation step: prove the write works, then decide whether the server is useful.
Analysis: Arbitrary file write can become much more serious depending on server permissions, filesystem layout, and what directories the Langflow process can reach. In some setups, a write primitive can enable web shell placement, configuration tampering, persistence, or follow-on code execution. Those outcomes are not confirmed in this CVE-2026-5027 activity, but they are the reason security teams treat file-write bugs as takeover risks rather than mere nuisance flaws.
Langflow’s role raises the stakes. It is used to build and run AI workflows, including agent and RAG pipelines. The source material does not say what data the exploited servers contained, and it does not confirm theft of credentials, prompts, documents, or model outputs. That remains unknown.
What is clear is that Langflow has been under repeat pressure. BleepingComputer says exploitation of CVE-2026-5027 follows earlier activity targeting other Langflow vulnerabilities this year, including CVE-2026-0770, CVE-2026-21445, and CVE-2026-33017.
Last year, CISA also warned about active exploitation of CVE-2025-3248. Condon said VulnCheck continues to observe activity against that issue, including activity linked to the Iranian threat group MuddyWater.
| Langflow issue | Source-stated status |
|---|---|
| CVE-2026-5027 | Actively exploited to drop test files on vulnerable instances |
| CVE-2026-0770 | Cited as part of earlier Langflow exploitation activity this year |
| CVE-2026-21445 | Cited as part of earlier Langflow exploitation activity this year |
| CVE-2026-33017 | Cited as part of earlier Langflow exploitation activity this year |
| CVE-2025-3248 | CISA warned about active exploitation last year, with VulnCheck still observing activity |
Which Langflow systems should defenders treat as urgent?
Start with anything internet-facing. The source material points to exposed Langflow instances, unauthenticated auto-login by default, and exploitation through a single endpoint. That makes asset inventory the first real control.
Security teams should prioritize:
- Upgrade: Move Langflow to the latest release, version 1.10.0, as recommended in the report.
- Verify versions: Check whether deployments are still running vulnerable application versions before 1.9.0 or affected langflow-base packages before 0.8.3.
- Reduce exposure: If patching cannot happen immediately, restrict public access to Langflow instances until they can be updated.
- Review endpoint activity: Look for requests to POST /api/v2/files that include path traversal patterns such as ../ in filename data.
- Check file changes: Review unexpected files created around the time of suspicious Langflow upload activity, especially if the server was publicly reachable.
That last point should stay disciplined. The report confirms test-file drops. It does not provide a full list of indicators of compromise, malware filenames, attacker IPs, or post-exploitation commands.
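One way to carry out the "Review endpoint activity" step, as an added example that is not from the report or any vendor tooling. Standard access logs normally do not record the multipart filename, so this assumes request bodies were captured at a reverse proxy or WAF; the record field names and sample data are constructed.

```python
import re
from email import message_from_bytes
from urllib.parse import unquote

ENDPOINT = ("POST", "/api/v2/files")  # endpoint named in Tenable's advisory

def upload_filenames(content_type, body):
    """Return every filename= value in a captured multipart/form-data body."""
    msg = message_from_bytes(
        b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def is_traversal(name):
    """True if the name would leave the upload directory when joined to it."""
    # Decode twice so %2e%2e%2f and double-encoded forms are seen as "../".
    decoded = unquote(unquote(name)).replace("\\", "/")
    return (decoded.startswith("/") or ".." in decoded.split("/")
            or re.match(r"[A-Za-z]:", decoded) is not None)

def flag_uploads(records):
    """Return (source, [suspicious filenames]) for uploads to the endpoint."""
    hits = []
    for r in records:
        if (r["method"], r["path"].split("?")[0].rstrip("/")) != ENDPOINT:
            continue
        bad = [n for n in upload_filenames(r["content_type"], r["body"])
               if is_traversal(n)]
        if bad:
            hits.append((r["src"], bad))
    return hits

def _body(filename):  # builds a constructed multipart body for the samples
    return (b'--b1\r\nContent-Disposition: form-data; name="file"; filename="'
            + filename.encode() + b'"\r\nContent-Type: text/plain\r\n\r\nx\r\n--b1--\r\n')

# Constructed sample records; field names are hypothetical, IPs are documentation ranges.
SAMPLE = [
    {"src": "198.51.100.7", "method": "POST", "path": "/api/v2/files",
     "content_type": "multipart/form-data; boundary=b1", "body": _body("notes.txt")},
    {"src": "203.0.113.9", "method": "POST", "path": "/api/v2/files/",
     "content_type": "multipart/form-data; boundary=b1", "body": _body("../../tmp/probe.txt")},
    {"src": "203.0.113.9", "method": "GET", "path": "/api/v2/files",
     "content_type": "", "body": b""},
]

if __name__ == "__main__":
    for src, names in flag_uploads(SAMPLE):
        print(src, names)
```

A hit is a reason to check the host for files written around the request time, in line with the "Check file changes" item.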
Which questions decide whether this stays contained?
The next phase depends on evidence that has not been published yet.
Defenders should watch for vendor updates, VulnCheck follow-up, and any indicators tied to exploitation beyond test-file placement. The key question is whether attackers are using CVE-2026-5027 only to identify vulnerable Langflow servers, or whether the flaw is already part of broader intrusion chains.
The practical answer for now is blunt: exposed Langflow servers should not wait for that clarity. Patch to 1.10.0, verify the file upload endpoint is no longer vulnerable, and treat unexplained file writes on internet-facing instances as a live incident until logs prove otherwise.
Impact Analysis
- Attackers can exploit CVE-2026-5027 to write files to arbitrary locations on vulnerable Langflow servers.
- Langflow’s large open-source footprint means exposed deployments could create a broad security risk.
- The flaw affects AI development infrastructure used to build agents, RAG systems, and MCP-based workflows.
Written by
XOOMAR Insights Team
Research and Editorial Desk