Skip to main content

Langflow CVE-2026-42048

CRITICAL
Path Traversal (CWE-22)
2026-05-05 https://github.com/langflow-ai/langflow GHSA-9whx-c884-c68q
9.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
May 05, 2026 - 19:01 vuln.today
Analysis Generated
May 05, 2026 - 19:01 vuln.today

DescriptionGitHub Advisory

Summary

Langflow is vulnerable to Path Traversal in the Knowledge Bases API (DELETE /api/v1/knowledge_bases). This occurs because user-supplied knowledge base names are concatenated directly into file paths without proper sanitization or boundary validation. An authenticated attacker can exploit this flaw to delete arbitrary directories anywhere on the server's filesystem, leading to data loss and potential service disruption.

Details

The vulnerability exists in the delete_knowledge_bases_bulk function within src/backend/base/langflow/api/v1/knowledge_bases.py.

This function constructs file paths directly from the user-supplied kb_names parameter. While other knowledge base endpoints safely route through standard path resolution (e.g., _resolve_kb_path()), the bulk delete handler bypasses this entirely. It builds the path manually and passes it directly to shutil.rmtree() without validating if the resulting path resolves outside the intended user directory.

PoC (Proof of Concept)

For the Bulk Delete endpoint, an authenticated attacker can supply a traversal sequence in the kb_names parameter: ../victim_user/kb_name

Because the path is passed directly to shutil.rmtree() without containment checks, this payload deletes directories outside the intended scope.

Impact

Any Langflow instance exposing this endpoint to authenticated users is vulnerable. This exposes the server to:

  • Cross-user data compromise: Deletion of directories within another tenant's knowledge base space.
  • Arbitrary filesystem manipulation: Directory deletion at any path on the server where the application has write permissions.
  • Service disruption & Data Loss: Deletion of critical application files or unrecoverable data loss if backups are co-located on the same filesystem.

Fixes

The issue was addressed in PR #12243, which applies Path.resolve() to normalize the supplied path and validates that it starts with the authenticated user's directory before deletion. Subsequent updates (backported from PR #12337) introduced robust containment checks using Path.is_relative_to() to prevent prefix-ambiguity bugs.

Acknowledgements

Thanks to the security researchers who responsibly disclosed this vulnerability:

  • @ddlxstudio
  • @nekros1xx

AnalysisAI

Path traversal in Langflow's Knowledge Bases API allows authenticated attackers to delete arbitrary directories on the server filesystem via crafted DELETE requests to /api/v1/knowledge_bases. The vulnerability (CVSS 9.6, Critical) stems from insufficient input validation in the delete_knowledge_bases_bulk function, which passes user-supplied knowledge base names directly to shutil.rmtree() without path containment checks. Publicly available exploit code exists (PoC disclosed in GHSA-9whx-c884-c68q), enabling cross-tenant data destruction and service disruption. Fixed in version 1.9.0 via PR #12243.

Technical ContextAI

Langflow is a Python-based low-code platform for building LangChain applications, distributed via PyPI. The vulnerability manifests in the Knowledge Bases REST API endpoint (DELETE /api/v1/knowledge_bases) within src/backend/base/langflow/api/v1/knowledge_bases.py. Unlike other knowledge base operations that use _resolve_kb_path() for safe path resolution, the delete_knowledge_bases_bulk function manually constructs filesystem paths by concatenating user-controlled kb_names parameters directly into Path objects without boundary validation. This classic CWE-22 (Path Traversal) flaw occurs because the code fails to canonicalize paths or verify containment within the authenticated user's designated directory before invoking Python's shutil.rmtree() for recursive directory deletion. The Changed scope (S:C) in the CVSS vector reflects the multi-tenant architecture where one user's actions can impact resources belonging to other users or the underlying system.

RemediationAI

Upgrade to Langflow version 1.9.0 or later, which contains the fix introduced in PR #12243 and hardened in PR #12337. The patch applies Path.resolve() to normalize user-supplied paths and validates containment using Path.is_relative_to() before deletion operations. Installation: pip install --upgrade langflow>=1.9.0. Verify the fix by checking that src/backend/base/langflow/api/v1/knowledge_bases.py includes the updated delete_knowledge_bases_bulk implementation with path boundary validation. For environments unable to upgrade immediately, implement network-level access controls to restrict the /api/v1/knowledge_bases endpoint to trusted IP ranges or disable the bulk delete functionality entirely by removing the DELETE route from API configurations. Note that authentication alone does not mitigate this vulnerability-all authenticated users can exploit it. Consult the vendor advisory at https://github.com/langflow-ai/langflow/security/advisories/GHSA-9whx-c884-c68q for additional guidance.

Share

CVE-2026-42048 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy