Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-42867

CVE-2026-42867: Langflow Path Traversal Vulnerability

CVE-2026-42867 is a path traversal vulnerability in Langflow that allows authenticated attackers to create directories and write files anywhere on the server. This post covers the technical details, affected versions, and mitigation.

Published:

CVE-2026-42867 Overview

CVE-2026-42867 is a path traversal vulnerability [CWE-22] affecting Langflow, an open-source tool for building and deploying AI-powered agents and workflows. The flaw resides in the Knowledge Bases API endpoint POST /api/v1/knowledge_bases. User-supplied knowledge base names are used directly to construct file paths without sanitization or containment checks. An authenticated attacker can create directories and write files anywhere on the server's filesystem. The issue affects all Langflow versions prior to 1.9.0 and is fixed in release 1.9.0.

Critical Impact

Authenticated attackers can write arbitrary files outside the intended knowledge base directory, enabling configuration tampering, persistence, and potential code execution paths on the host running Langflow.

Affected Products

  • Langflow versions prior to 1.9.0
  • Langflow self-hosted deployments exposing the Knowledge Bases API
  • Containerized Langflow instances using default storage paths

Discovery Timeline

  • 2026-06-23 - CVE-2026-42867 published to NVD
  • 2026-06-23 - Last updated in NVD database

Technical Details for CVE-2026-42867

Vulnerability Analysis

The vulnerability exists in the Knowledge Bases API at POST /api/v1/knowledge_bases. Langflow accepts a knowledge base name from the request body and concatenates it into a filesystem path used to persist knowledge base assets. The code does not normalize the name, reject path separators, or verify that the resolved path remains inside the intended storage directory.

An authenticated attacker can submit a name containing traversal sequences such as ../../ or absolute path components. Langflow then creates directories and writes files at the attacker-controlled location with the privileges of the Langflow process. Outcomes include overwriting configuration files, planting startup scripts, and writing into web-accessible directories.

The attack requires authentication but no user interaction. In deployments where account creation is open, where credentials are shared across teams, or where Langflow runs behind weak access controls, the authentication barrier provides limited protection.

Root Cause

The root cause is missing input validation on the knowledge base name field. The application trusts the supplied string as a safe path segment and fails to apply canonicalization or a containment check against the base storage directory. This pattern is classified under [CWE-22] Improper Limitation of a Pathname to a Restricted Directory.

Attack Vector

Exploitation is performed over the network against the Langflow HTTP API. The attacker authenticates, then issues a crafted POST /api/v1/knowledge_bases request with a name value containing traversal sequences. The server resolves the path outside the storage root and creates the attacker-controlled directory and files. No exploit code is publicly available at the time of publication.

Refer to the GitHub Security Advisory GHSA-79ph-745m-6wxq and the GitHub Pull Request #12337 for the upstream fix details.

Detection Methods for CVE-2026-42867

Indicators of Compromise

  • Requests to POST /api/v1/knowledge_bases containing .., %2e%2e, or absolute path characters in the name field
  • New files or directories appearing outside the configured Langflow knowledge base storage path
  • Unexpected writes to system directories, web roots, or user home directories by the Langflow service account
  • Modifications to Langflow configuration files or startup scripts following knowledge base API activity

Detection Strategies

  • Inspect HTTP request bodies to the Knowledge Bases endpoint for path traversal patterns and reject them at a reverse proxy or WAF
  • Correlate API access logs with filesystem audit logs to identify writes outside the expected storage directory
  • Alert on any directory creation by the Langflow process outside its designated data path

Monitoring Recommendations

  • Enable filesystem auditing (auditd on Linux) on directories adjacent to the Langflow storage path
  • Forward Langflow application and access logs to a centralized log platform for retention and query
  • Baseline normal knowledge base naming conventions and alert on deviations

How to Mitigate CVE-2026-42867

Immediate Actions Required

  • Upgrade Langflow to version 1.9.0 or later, which contains the official fix
  • Restrict network access to the Langflow API to trusted users and networks until patching is complete
  • Audit existing knowledge base directories for entries with suspicious or traversal-style names
  • Review filesystem activity by the Langflow service account for unauthorized writes

Patch Information

The vulnerability is fixed in Langflow 1.9.0. The upstream patch is available in GitHub Pull Request #12337 and documented in the GitHub Security Advisory GHSA-79ph-745m-6wxq. Operators should apply the upgrade rather than rely on workarounds.

Workarounds

  • Place Langflow behind a reverse proxy that rejects requests containing path traversal characters in JSON request bodies
  • Run Langflow under a dedicated low-privilege user account with write access limited to the storage directory
  • Deploy Langflow in a container with a read-only root filesystem and a single writable volume for knowledge base data
  • Disable or firewall the /api/v1/knowledge_bases endpoint where it is not required
bash
# Example: run Langflow container with read-only root and scoped writable volume
docker run -d \
  --name langflow \
  --read-only \
  --tmpfs /tmp \
  -v /srv/langflow/data:/app/data:rw \
  -u 1500:1500 \
  -p 7860:7860 \
  langflowai/langflow:1.9.0

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.