GHSA-ccv6-r384-xp75: Langflow: BaseFileComponent-based nodes arbitrary file read with RCE exploit
Summary
Langflow's file-reading components (such as Read File and Docling) can be abused through symlinks (shortcuts that point at other files) hidden inside compressed archives: when the archive is unpacked, the component follows the symlink and reads any file on the system. An attacker could use this to read the JWT token secret used for authentication, forge login tokens for any user, and then execute arbitrary code through the Python Interpreter node.
Solution / Mitigation
Upgrade to Langflow version 1.9.2 or later. The fix modifies the `BaseFileComponent._unpack_bundle` function to reject symlinks, hardlinks, and other non-regular file entries during TAR extraction, and adds further symlink filtering during directory recursion and after extraction.
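A defensive unpacker illustrating the mitigation described above, written as an added example (not Langflow's own `_unpack_bundle` code): it skips symlink, hardlink and other non-regular TAR entries, refuses entries that would resolve outside the destination, and sweeps any remaining symlinks after extraction. The archive it unpacks is constructed sample data containing one regular file, a symlink, a hardlink and a traversal entry.

```python
import io
import tarfile
import tempfile
from pathlib import Path

def safe_unpack_tar(archive_bytes: bytes, dest: Path) -> list[Path]:
    """Extract only regular files/dirs that stay inside dest; return files written."""
    dest = dest.resolve()
    written = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if not (member.isfile() or member.isdir()):
                continue  # symlink, hardlink, device, fifo: never materialised
            target = (dest / member.name).resolve()
            if target != dest and dest not in target.parents:
                continue  # "../x" traversal: would land outside dest
            if member.isdir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(tar.extractfile(member).read())
            written.append(target)
    # Post-extraction sweep: remove any symlink still present under dest.
    for p in list(dest.rglob("*")):
        if p.is_symlink():
            p.unlink()
    return [p for p in written if p.is_file() and not p.is_symlink()]

def build_demo_archive() -> bytes:
    """Constructed sample: a regular file, a symlink, a hardlink, a traversal entry."""
    data = b"hello\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("docs/note.txt", "../escape.txt"):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        for name, kind, link in (("docs/secret.txt", tarfile.SYMTYPE, "/etc/passwd"),
                                 ("docs/alias.txt", tarfile.LNKTYPE, "docs/note.txt")):
            info = tarfile.TarInfo(name)
            info.type, info.linkname = kind, link
            tar.addfile(info)
    return buf.getvalue()

def demo() -> list[str]:
    """Unpack the sample into a temp dir; only the regular in-tree file survives."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp).resolve()
        return sorted(p.relative_to(dest).as_posix()
                      for p in safe_unpack_tar(build_demo_archive(), dest))
```

Only `docs/note.txt` is written; the symlink, the hardlink and the `../escape.txt` entry are all dropped before anything touches the filesystem.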
Vulnerability Details
EPSS: 0.0%
June 19, 2026
Original source: https://github.com/advisories/GHSA-ccv6-r384-xp75
First tracked: June 19, 2026 at 08:01 PM