CVE-2026-55447 Overview
CVE-2026-55447 is an arbitrary file read vulnerability in Langflow, an open-source platform for building and deploying AI-powered agents and workflows. Versions prior to 1.9.2 allow an attacker who controls files ingested into Retrieval-Augmented Generation (RAG) pipelines to direct file-handling components to read any file on the host filesystem by absolute path. The flaw affects all components that inherit from BaseFileComponent, including DoclingInlineComponent, DoclingRemoteComponent, FileComponent, NvidiaIngestComponent, VideoFileComponent, and UnstructuredComponent. Maintainers fixed the issue in Langflow 1.9.2.
Critical Impact
Attackers can read arbitrary files from the Langflow host, including secrets, configuration files, and private keys, by abusing RAG ingestion components.
Affected Products
- Langflow versions prior to 1.9.2
- All components inheriting from BaseFileComponent (Docling, Docling Serve, Read File, NVIDIA Retriever Extraction, Video File, Unstructured API)
- Langflow deployments exposing file ingestion or RAG workflows to untrusted input
Discovery Timeline
- 2026-06-23 - CVE-2026-55447 published to NVD
- 2026-06-24 - Last updated in NVD database
Technical Details for CVE-2026-55447
Vulnerability Analysis
The vulnerability resides in Langflow's BaseFileComponent, the parent class used by every file-ingestion node in the platform. When a flow processes files for RAG indexing, the component resolves file paths supplied through the workflow without restricting them to a safe working directory. An attacker who can influence file inputs, through a flow definition, an API call, or a multi-tenant interface, can substitute absolute filesystem paths that the node then opens and digests.
Because every downstream file reader inherits this behavior, the impact extends across the Docling parsers, the standard Read File node, NVIDIA's retriever extraction component, the video file loader, and the Unstructured API connector. The ingested file contents are then surfaced through the workflow output or written into the vector store, exposing sensitive data to the attacker.
Root Cause
The component trusts caller-supplied path strings and does not enforce a chroot, allowlist, or path-normalization check before opening the target file. This pattern is classified under CWE-61, UNIX Symbolic Link Following, and is closely related to path traversal weaknesses.
Attack Vector
Exploitation requires network access to a Langflow instance and minimal user interaction to trigger the affected flow. An attacker submits or modifies a flow so that a BaseFileComponent reads an absolute path such as /etc/passwd, /root/.ssh/id_rsa, /proc/self/environ, or application configuration containing API keys. The component returns the file contents into the RAG pipeline, where the attacker retrieves them through subsequent retrieval queries or chain outputs. No authentication is required on instances that expose flow execution publicly.
No public proof-of-concept exploit is listed in the advisory. See the GitHub Security Advisory GHSA-ccv6-r384-xp75 for vendor technical details.
Detection Methods for CVE-2026-55447
Indicators of Compromise
- Langflow component logs referencing absolute paths outside the application's working directory, such as /etc/, /root/, /var/, or Windows paths under C:\Windows\ or user profile directories.
- Vector store entries or flow outputs containing the contents of system files, SSH keys, or environment variables.
- Unexpected file-open syscalls originating from the Langflow process targeting sensitive locations.
Detection Strategies
- Audit stored Langflow flow definitions for BaseFileComponent nodes whose path field references absolute paths or values supplied from untrusted inputs.
- Inspect web access logs for API calls that create or modify flows containing file components shortly before unusual file reads.
- Compare embedded document content in the RAG store against an allowlist of expected source directories.
Monitoring Recommendations
- Enable filesystem audit logging (auditd, Sysmon, or eBPF-based monitors) on the Langflow host and alert on reads of /etc/shadow, ~/.ssh/, cloud credential files, and .env files by the Langflow service account.
- Forward Langflow application logs to a central SIEM and correlate flow-execution events with sensitive file access.
- Track outbound data volume from Langflow workers to detect bulk exfiltration of harvested file contents.
How to Mitigate CVE-2026-55447
Immediate Actions Required
- Upgrade Langflow to version 1.9.2 or later on every host, container image, and Helm deployment.
- Restrict network exposure of Langflow to authenticated, trusted users until the upgrade is verified.
- Review all existing flows for BaseFileComponent usage and remove or sanitize untrusted path inputs.
- Rotate any credentials, API keys, or SSH keys that were readable by the Langflow process while running a vulnerable version.
Patch Information
The vulnerability is fixed in Langflow 1.9.2. Refer to the Langflow pull request #12945 for the code change and the GHSA-ccv6-r384-xp75 advisory for vendor guidance.
Workarounds
- Run Langflow as a low-privilege user inside a container with a read-only root filesystem and bind-mount only the directories required for ingestion.
- Apply mandatory access controls (AppArmor, SELinux) that confine the Langflow process to a dedicated data directory.
- Place Langflow behind an authenticating reverse proxy and disable anonymous flow creation or execution.
- Use network egress controls to prevent the Langflow host from sending harvested data to attacker-controlled endpoints.
# Configuration example: upgrade Langflow and run with a constrained data directory
pip install --upgrade "langflow>=1.9.2"
# Run Langflow in a container with a restricted bind mount
docker run --rm \
--read-only \
--user 1000:1000 \
-v /srv/langflow/data:/app/data:rw \
-p 7860:7860 \
langflowai/langflow:1.9.2
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

