Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Requires authenticated session (PR:L); arbitrary server-path file write warrants I:H; no read primitive means C:N.
Primary rating from Vendor (https://github.com/langflow-ai/langflow).
CVSS VectorVendor: https://github.com/langflow-ai/langflow
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Summary
Langflow is vulnerable to Path Traversal in the Knowledge Bases API (POST /api/v1/knowledge_bases). This occurs because user-supplied knowledge base names are used directly to create file paths without proper sanitization or containment checks. An authenticated attacker can exploit this flaw to create directories and write files anywhere on the server's filesystem.
Details
The vulnerability exists in the create_knowledge_base function within src/backend/base/langflow/api/v1/knowledge_bases.py.
This function constructs file paths directly from the user-supplied name field without sanitization. The value is concatenated with the user's base directory and passed directly to kb_path.mkdir(). Immediately following the directory creation, the application writes embedding_metadata.json and schema.json into this attacker-controlled path.
PoC (Proof of Concept)
For the Create endpoint, an attacker can supply traversal sequences or absolute paths in the name field:
../victim_user/evil_kb or /tmp/pwned
This forces kb_path.mkdir() to create directories and write specific application files (embedding_metadata.json and schema.json) at any reachable path on the server.
Impact
Any Langflow instance exposing this endpoint to authenticated users is vulnerable. This exposes the server to:
- Cross-user data compromise: Creation of directories and files within another tenant's knowledge base space.
- Arbitrary filesystem manipulation: Directory creation at any path on the server where the application has write permissions (e.g.,
/app/data). - Data overwrite: Overwriting existing
embedding_metadata.jsonandschema.jsonfiles in attacker-targeted paths, potentially corrupting existing knowledge bases.
Fixes
The issue was addressed in PR #12337. The fix introduces the _validate_kb_path_containment() helper function, which uses Path.is_relative_to() instead of startswith() to enforce strict path boundaries and prevent prefix-ambiguity bugs. This helper is applied before any filesystem operations. Regression tests were added to verify that traversal payloads return a 403 Forbidden.
Acknowledgements
Thanks to the security researchers who responsibly disclosed this vulnerability:
- @ddlxstudio
- @nekros1xx
AnalysisAI
Path traversal in Langflow's Knowledge Bases API (POST /api/v1/knowledge_bases) allows authenticated users to create directories and write controlled JSON files outside their designated storage boundary anywhere on the server filesystem. Versions up to and including langflow 1.8.4 (pip) are confirmed affected; the root cause is the unsanitized use of a user-supplied name field in path construction within create_knowledge_base. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must hold a valid authenticated session on the Langflow instance - the `POST /api/v1/knowledge_bases` endpoint requires authentication, and the CVSS PR:N assignment in the provided vector conflicts with the advisory's explicit statement of 'authenticated attacker'; authentication is a firm prerequisite. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L, score 6.5) contains a material discrepancy: PR:N implies unauthenticated exploitation, but the GHSA advisory explicitly requires a valid authenticated session. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated Langflow user sends a POST request to `/api/v1/knowledge_bases` with `{"name": "../victim_user/evil_kb", ...}` in the JSON body. The unpatched server constructs a resolved path outside the attacker's user directory, calls `Path.mkdir()` to create the target directory, then writes `embedding_metadata.json` and `schema.json` into it - silently overwriting any existing metadata files in a co-located victim tenant's knowledge base. … |
| Remediation | Upgrade langflow to version 1.9.0 or later, which incorporates the fix from PR #12337 (https://github.com/langflow-ai/langflow/pull/12337). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38518
GHSA-79ph-745m-6wxq