Which versions of Langflow are affected by CVE-2026-5026?

Langflow versions prior to a fix release contain a stored cross-site scripting (XSS) vulnerability in the image serving endpoint that allows authenticated users to upload malicious SVG files and…

How to fix or mitigate CVE-2026-5026?

Within 24 hours: Disable or restrict SVG file uploads in Langflow's file handling configuration; review access logs for suspicious SVG uploads to the '/api/v1/files/images/' endpoint in the past 30 days. Within 7 days: Audit all uploaded SVG files in production and staging environments; invalidate and rotate JWT tokens for all users who accessed Langflow during the review period. Within 30 days: Implement strict SVG content validation (remove script tags and event handlers before storage); apply vendor-released patch immediately upon availability; deploy a Web Application Firewall rule to block SVG uploads or serve them with 'Content-Disposition: attachment' header.

Langflow CVE-2026-5026

Q: What is the CVSS score of CVE-2026-5026?

CVE-2026-5026 has a CVSS 4.0 base score of 7.0 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

EUVD-2026-16666 HIGH

Cross-site Scripting (XSS) (CWE-79)

2026-03-27 vulnreport@tenable.com

GHSA-89f7-r7x8-83q7

XSS Langflow

7.0

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

7.0 HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Scope

Lifecycle Timeline

Analysis Updated

Apr 20, 2026 - 13:28 vuln.today

v2 (cvss_changed)

Re-analysis Queued

Apr 20, 2026 - 13:22 vuln.today

cvss_changed

EUVD ID Assigned

Mar 27, 2026 - 15:22 euvd

EUVD-2026-16666

Analysis Generated

Mar 27, 2026 - 15:22 vuln.today

CVE Published

Mar 27, 2026 - 15:17 nvd

HIGH 7.0

DescriptionCVE.org

The '/api/v1/files/images/{flow_id}/{file_name}' endpoint serves SVG files with the 'image/svg+xml' content type without sanitizing their content.

Since SVG files can contain embedded JavaScript, an attacker can upload a malicious SVG that executes arbitrary JavaScript when viewed by other users, leading to stored cross-site scripting (XSS). This allows stealing authentication tokens stored in cookies, including JWT access and refresh tokens.

AnalysisAI

{flow_id}/{file_name}' endpoint serves user-uploaded SVG files with 'image/svg+xml' content type without sanitization, enabling embedded JavaScript execution in victim browsers. Authenticated attackers with low privileges can upload crafted SVGs that execute in other users' contexts, exfiltrating JWT access and refresh tokens from cookies. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Authenticate to Langflow

Delivery

Create flow with malicious SVG upload

Exploit

Embed SVG in flow component

Install

Social engineer victim to view flow

Browser renders SVG with script execution

Execute

Exfiltrate JWT tokens from cookies

Impact

Attacker achieves account takeover