Langflow RCE under active attack months after a patch was shipped
Summary
Langflow, an open-source platform for building AI applications, has a path traversal vulnerability (CVE-2026-5027, rated 8.8 on CVSS, a measure of how severe a vulnerability is) that lets attackers write files to any location on a system and potentially achieve remote code execution. The flaw is particularly dangerous because Langflow has login disabled by default, so an unauthenticated user can exploit it with a single request. Attackers are actively using public exploit code against the approximately 7,000 internet-exposed instances.
Solution / Mitigation
Update Langflow to version 1.9.0 or later (current version is 1.10.0). The vulnerability affects versions up to 1.8.4, and the fix was released on April 15.
Original source: https://www.csoonline.com/article/4185063/langflow-rce-under-active-attack-months-after-a-patch-was-shipped.html
First tracked: June 15, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 95%