Skip to main content

IBM Langflow Desktop CVE-2026-4502

| EUVDEUVD-2026-26434 MEDIUM
Path Traversal (CWE-22)
2026-04-30 ibm
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

5
Analysis Generated
Apr 30, 2026 - 21:46 vuln.today
EUVD ID Assigned
Apr 30, 2026 - 21:15 euvd
EUVD-2026-26434
Analysis Generated
Apr 30, 2026 - 21:15 vuln.today
Patch released
Apr 30, 2026 - 21:15 nvd
Patch available
CVE Published
Apr 30, 2026 - 20:57 nvd
MEDIUM 6.5

DescriptionCVE.org

IBM Langflow Desktop 1.2.0 through 1.8.4 Langflow could allow an authenticated attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to write arbitrary files on the system.

AnalysisAI

Authenticated attackers can exploit a path traversal vulnerability in IBM Langflow Desktop 1.2.0 through 1.8.4 to write arbitrary files to the system by crafting URLs containing directory traversal sequences (/../). The vulnerability requires prior authentication but allows complete bypass of file system restrictions, enabling file overwrite or creation outside intended directories with no integrity protections.

Technical ContextAI

This vulnerability is rooted in improper input validation of file path parameters in HTTP requests, classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The affected product, IBM Langflow Desktop, is a visual interface for building and managing AI language flow applications. The vulnerability arises when the application constructs file system paths directly from user-supplied URL parameters without canonicalizing or validating against directory escape sequences. An attacker who has authenticated to the application can inject relative path traversal sequences (such as /../ or ..\) to navigate outside the intended base directory and access arbitrary locations in the file system where the process has write permissions.

RemediationAI

Upgrade IBM Langflow Desktop to a patched version released after 1.8.4 as specified in IBM support document node/7271097. Administrators should consult the IBM security advisory at https://www.ibm.com/support/pages/node/7271097 for exact patched version numbers and release dates. As an interim compensating control, restrict network access to the Langflow Desktop application to authorized users and networks using firewall rules or VPN enforcement - this does not eliminate the vulnerability but reduces attack surface by limiting who can attempt authentication. Additionally, run Langflow Desktop processes with the minimum required privileges (non-root/non-administrator account) to contain the impact of arbitrary file writes. Monitor file system write activity in the application's working directories for suspicious patterns indicating exploitation attempts.

Share

CVE-2026-4502 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy