Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
IBM Langflow Desktop <=1.8.4 Langflow could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.
AnalysisAI
Path traversal in IBM Langflow Desktop versions 1.8.4 and earlier allows authenticated remote attackers to read arbitrary files on the system by crafting URLs containing directory traversal sequences (/../). The vulnerability affects the file handling mechanism and could expose sensitive configuration, source code, or other confidential files accessible to the Langflow process. A vendor-released patch is available.
Technical ContextAI
IBM Langflow Desktop is a visual development platform for building language model applications. The vulnerability stems from insufficient input validation on URL path parameters, failing to sanitize or reject directory traversal sequences (/../) before processing file access requests. This is a classic CWE-22 Path Traversal vulnerability where the application does not properly restrict user-supplied file paths to intended directories. The affected component handles HTTP requests containing specially crafted paths, and the web framework or file serving logic does not canonicalize paths or implement proper directory boundaries. CPE cpe:2.3:a:ibm:langflow_desktop:*:*:*:*:*:*:*:* indicates all versions up to and including 1.8.4 are vulnerable.
RemediationAI
Upgrade IBM Langflow Desktop to the patched version provided by IBM via the vendor advisory at https://www.ibm.com/support/pages/node/7271094. Exact patched version is not specified in the provided data; consult the IBM support page for the recommended upgrade path. As an interim control pending patch deployment, restrict network access to Langflow Desktop using firewall rules or network segmentation to limit access to trusted users and systems only. Disable or limit access to file browsing or file serving endpoints if they are not essential to application functionality. Monitor and log all HTTP requests to Langflow Desktop, particularly those containing path traversal patterns (../, ..\, percent-encoded variants %2e%2e) for early detection of exploitation attempts. Authenticate user sessions and enforce principle of least privilege for the Langflow process user account to minimize the sensitivity of readable files.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26441