{"data":{"id":"94956f48-8b7c-4e88-9e99-04405ca53a87","title":"GHSA-ccv6-r384-xp75: Langflow: BaseFileComponent-based nodes arbitrary file read with RCE exploit","summary":"Langflow's file-reading components (such as Read File and Docling) have a vulnerability in which an attacker can hide symlinks (entries that point to other files) inside an archive file, such as a TAR bundle, to read any file on the system; this can expose secret keys and lead to arbitrary code execution. An attacker could steal the JWT secret (used for authentication), forge login tokens for any user, and then run malicious code through the Python Interpreter node.","solution":"Upgrade to Langflow version 1.9.2 or later. The fix modifies the `BaseFileComponent._unpack_bundle` function to reject symlinks, hardlinks, and other non-regular file entries during TAR extraction, and adds additional symlink filtering during directory recursion and after extraction.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-ccv6-r384-xp75","publishedAt":"2026-06-19T21:18:24.000Z","cveId":"CVE-2026-55447","cweIds":null,"cvssScore":null,"cvssSeverity":"critical","severity":"critical","attackType":["data_extraction","supply_chain"],"issueType":"vulnerability","affectedPackages":["langflow@< 1.9.2 (fixed: 1.9.2)"],"affectedVendors":["LangChain"],"affectedVendorsRaw":["Langflow","Docling","NVIDIA","Unstructured"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-06-19T21:18:24.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity","availability"],"aiComponentTargeted":"rag","llmSpecific":false,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":["AML.T0010"]}}