CVE-2026-42867 Overview
CVE-2026-42867 is a path traversal vulnerability [CWE-22] affecting Langflow, an open-source tool for building and deploying AI-powered agents and workflows. The flaw resides in the Knowledge Bases API endpoint POST /api/v1/knowledge_bases. User-supplied knowledge base names are used directly to construct file paths without sanitization or containment checks. An authenticated attacker can create directories and write files anywhere on the server's filesystem. The issue affects all Langflow versions prior to 1.9.0 and is fixed in release 1.9.0.
Critical Impact
Authenticated attackers can write arbitrary files outside the intended knowledge base directory, enabling configuration tampering, persistence, and potential code execution paths on the host running Langflow.
Affected Products
- Langflow versions prior to 1.9.0
- Langflow self-hosted deployments exposing the Knowledge Bases API
- Containerized Langflow instances using default storage paths
Discovery Timeline
- 2026-06-23 - CVE-2026-42867 published to NVD
- 2026-06-23 - Last updated in NVD database
Technical Details for CVE-2026-42867
Vulnerability Analysis
The vulnerability exists in the Knowledge Bases API at POST /api/v1/knowledge_bases. Langflow accepts a knowledge base name from the request body and concatenates it into a filesystem path used to persist knowledge base assets. The code does not normalize the name, reject path separators, or verify that the resolved path remains inside the intended storage directory.
An authenticated attacker can submit a name containing traversal sequences such as ../../ or absolute path components. Langflow then creates directories and writes files at the attacker-controlled location with the privileges of the Langflow process. Outcomes include overwriting configuration files, planting startup scripts, and writing into web-accessible directories.
The attack requires authentication but no user interaction. In deployments where account creation is open, where credentials are shared across teams, or where Langflow runs behind weak access controls, the authentication barrier provides limited protection.
Root Cause
The root cause is missing input validation on the knowledge base name field. The application trusts the supplied string as a safe path segment and fails to apply canonicalization or a containment check against the base storage directory. This pattern is classified under [CWE-22] Improper Limitation of a Pathname to a Restricted Directory.
Attack Vector
Exploitation is performed over the network against the Langflow HTTP API. The attacker authenticates, then issues a crafted POST /api/v1/knowledge_bases request with a name value containing traversal sequences. The server resolves the path outside the storage root and creates the attacker-controlled directory and files. No exploit code is publicly available at the time of publication.
Refer to the GitHub Security Advisory GHSA-79ph-745m-6wxq and the GitHub Pull Request #12337 for the upstream fix details.
Detection Methods for CVE-2026-42867
Indicators of Compromise
- Requests to POST /api/v1/knowledge_bases containing .., %2e%2e, or absolute path characters in the name field
- New files or directories appearing outside the configured Langflow knowledge base storage path
- Unexpected writes to system directories, web roots, or user home directories by the Langflow service account
- Modifications to Langflow configuration files or startup scripts following knowledge base API activity
Detection Strategies
- Inspect HTTP request bodies to the Knowledge Bases endpoint for path traversal patterns and reject them at a reverse proxy or WAF
- Correlate API access logs with filesystem audit logs to identify writes outside the expected storage directory
- Alert on any directory creation by the Langflow process outside its designated data path
Monitoring Recommendations
- Enable filesystem auditing (auditd on Linux) on directories adjacent to the Langflow storage path
- Forward Langflow application and access logs to a centralized log platform for retention and query
- Baseline normal knowledge base naming conventions and alert on deviations
How to Mitigate CVE-2026-42867
Immediate Actions Required
- Upgrade Langflow to version 1.9.0 or later, which contains the official fix
- Restrict network access to the Langflow API to trusted users and networks until patching is complete
- Audit existing knowledge base directories for entries with suspicious or traversal-style names
- Review filesystem activity by the Langflow service account for unauthorized writes
Patch Information
The vulnerability is fixed in Langflow 1.9.0. The upstream patch is available in GitHub Pull Request #12337 and documented in the GitHub Security Advisory GHSA-79ph-745m-6wxq. Operators should apply the upgrade rather than rely on workarounds.
Workarounds
- Place Langflow behind a reverse proxy that rejects requests containing path traversal characters in JSON request bodies
- Run Langflow under a dedicated low-privilege user account with write access limited to the storage directory
- Deploy Langflow in a container with a read-only root filesystem and a single writable volume for knowledge base data
- Disable or firewall the /api/v1/knowledge_bases endpoint where it is not required
# Example: run Langflow container with read-only root and scoped writable volume
docker run -d \
--name langflow \
--read-only \
--tmpfs /tmp \
-v /srv/langflow/data:/app/data:rw \
-u 1500:1500 \
-p 7860:7860 \
langflowai/langflow:1.9.0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

