On June 8, 2026, VulnCheck’s Canary sensors detected the first in-the-wild exploitation of CVE-2026-5027 — a path traversal vulnerability in Langflow that allows unauthenticated remote code execution. The flaw was added to the Known Exploited Vulnerabilities (KEV) list that same day.
The patch has been available since April 15, 2026.
If you’re running Langflow and you haven’t updated in the last two months, you are likely vulnerable. Censys identified approximately 7,000 Langflow instances publicly reachable on the internet, with the heaviest concentration in North America.
What Langflow Is
Langflow is an open-source visual platform for building AI applications. Drag-and-drop canvas, no-code component wiring, support for RAG pipelines, agentic workflows, and MCP-based integrations. It’s popular with builders who want to prototype quickly without writing orchestration code from scratch.
That popularity is exactly why 7,000 instances are exposed and why attackers are targeting it now.
The Vulnerability
CVE-2026-5027 (CVSS 8.8 — High)
The flaw lives in Langflow’s file upload endpoint: POST /api/v2/files.
The endpoint accepts a multipart form upload with a filename parameter. The application does not sanitize that parameter. An attacker can supply a filename containing path traversal sequences (../../../) to write files to arbitrary locations on the host filesystem — outside the intended upload directory.
Writing arbitrary files to a server is a path to remote code execution. Drop a cron job. Overwrite a startup script. Write a shell to a web-accessible directory. The specific technique varies, but the primitive (write any file, anywhere) is sufficient.
The unauthenticated part
Langflow ships with auto-login enabled by default. On a fresh installation with default settings, a single unauthenticated HTTP request is enough to obtain a valid session token. No credentials required.
That means the full exploit chain — from zero knowledge to arbitrary file write — requires one HTTP request to /api/v2/files from anywhere on the internet. No prior access, no credentials, no social engineering.
Who Is Exposed
Censys scans show approximately 7,000 Langflow instances publicly reachable on the internet as of the exploitation window.
Langflow is primarily a development tool — most deployments should not be internet-facing. The 7,000 exposed instances reflect a common pattern: developers spin up a tool for internal use, bind it to 0.0.0.0 for convenience, and forget to restrict access later.
The exploitation activity VulnCheck observed included test file writes — attackers verifying that the path traversal works — which suggests active scanning and confirmation, not just opportunistic noise.
The Patch Timeline
| Date | Event |
|---|---|
| April 15, 2026 | Langflow 1.9.0 released, patches CVE-2026-5027 |
| June 8, 2026 | First in-the-wild exploitation detected |
| June 8, 2026 | VulnCheck adds CVE-2026-5027 to KEV list |
| June 13, 2026 | 7,000 instances still exposed |
The patch shipped 59 days before exploitation began. The window for prevention has passed; the window for remediation is now.
Builder Action Checklist
Step 1 — Check your version
langflow --version
If you’re running anything below 1.9.0, you’re vulnerable.
If Langflow runs as a service or in a container, check the package version:
pip show langflow
# or
pip show langflow-base
Step 2 — Update immediately
pip install --upgrade langflow
Verify afterward:
langflow --version
# Should show 1.9.0 or higher
If you’re running a containerized deployment, pull the latest image:
docker pull langflowai/langflow:latest
Confirm the image version matches 1.9.0+ before redeploying.
Step 3 — Disable auto-login
Even on a patched instance, auto-login is a bad default for anything you intend to operate longer-term.
In langflow.env or your environment config:
LANGFLOW_AUTO_LOGIN=false
LANGFLOW_SUPERUSER=your_admin_username
LANGFLOW_SUPERUSER_PASSWORD=a_strong_password
After setting these, restart Langflow. Access will now require authentication.
Step 4 — Remove public exposure
Langflow is a development tool. It should not be bound to a public interface.
If you need remote access to a Langflow instance, use a VPN or SSH tunnel. Don’t expose port 7860 (Langflow’s default) to the internet.
Verify with:
# Check what's listening on 7860
ss -tlnp | grep 7860
# Or
netstat -tlnp | grep 7860
If the output shows 0.0.0.0:7860 rather than 127.0.0.1:7860, your instance is reachable from outside. Bind to localhost or put it behind a firewall.
Step 5 — Audit for signs of compromise
If you’ve been running a vulnerable version exposed to the internet, assume you may have been hit. Check for:
Unexpected files in web-accessible or system directories:
# Recent file writes (adjust path to your Langflow root)
find /var /tmp /opt /home -newer /tmp/check_date -type f 2>/dev/null
New or modified cron jobs:
crontab -l
ls -la /etc/cron* /var/spool/cron/
New user accounts or modified sudoers:
grep -v "^#" /etc/passwd | tail -20
grep -v "^#" /etc/sudoers 2>/dev/null
Unexpected outbound connections:
ss -tnp | grep ESTABLISHED
If anything looks unfamiliar, treat the host as compromised. Isolate, preserve logs, and rebuild from a known-good snapshot.
The Broader Pattern
This is the second AI development framework to face active exploitation of a known vulnerability in 2026. OpenClaw’s CVE catalog passed 454 entries last month. Langflow’s exposure is more contained — one high-severity flaw, a patch available — but the pattern is the same: AI tooling is now a target surface.
The tools builders use to build AI applications are themselves AI-adjacent attack vectors. A compromised Langflow instance doesn’t just lose your workflow definitions. It has access to whatever API keys you’ve configured — model provider credentials, vector database connections, MCP server tokens.
The lesson from CVE-2026-5027 isn’t “don’t use Langflow.” The lesson is that AI development tools need the same update cadence as production software. A 59-day lag between patch release and exploitation is not unusual in the broader vulnerability landscape, but it’s a lag that matters when the tool has credentials stored in it.
Summary
- CVE-2026-5027: Path traversal in
POST /api/v2/files→ arbitrary file write → unauthenticated RCE - Affected versions: Langflow < 1.9.0
- Fixed in: Langflow 1.9.0 (April 15, 2026)
- Active exploitation: Started June 8, 2026 (added to KEV same day)
- Exposed instances: ~7,000 publicly reachable (Censys)
- Immediate action: Update to 1.9.0+, disable auto-login, remove public exposure
If you run Langflow anywhere — local dev, internal server, cloud VM — check your version today.
ChatForest researches and reports on AI tools and infrastructure. This article is based on public vulnerability disclosures, security research from VulnCheck, BleepingComputer, and The Hacker News, and Censys internet scan data.