Skip to main content

Langflow EUVDEUVD-2026-38518

| CVE-2026-42867 MEDIUM
Path Traversal (CWE-22)
2026-06-16 https://github.com/langflow-ai/langflow GHSA-79ph-745m-6wxq
6.5
CVSS 3.1 · Vendor: https://github.com/langflow-ai/langflow
Share

Severity by source

Vendor (https://github.com/langflow-ai/langflow) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
vuln.today AI
7.1 HIGH

Requires authenticated session (PR:L); arbitrary server-path file write warrants I:H; no read primitive means C:N.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/langflow-ai/langflow).

CVSS VectorVendor: https://github.com/langflow-ai/langflow

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 16, 2026 - 18:24 vuln.today
Analysis Generated
Jun 16, 2026 - 18:24 vuln.today

DescriptionCVE.org

Summary

Langflow is vulnerable to Path Traversal in the Knowledge Bases API (POST /api/v1/knowledge_bases). This occurs because user-supplied knowledge base names are used directly to create file paths without proper sanitization or containment checks. An authenticated attacker can exploit this flaw to create directories and write files anywhere on the server's filesystem.

Details

The vulnerability exists in the create_knowledge_base function within src/backend/base/langflow/api/v1/knowledge_bases.py.

This function constructs file paths directly from the user-supplied name field without sanitization. The value is concatenated with the user's base directory and passed directly to kb_path.mkdir(). Immediately following the directory creation, the application writes embedding_metadata.json and schema.json into this attacker-controlled path.

PoC (Proof of Concept)

For the Create endpoint, an attacker can supply traversal sequences or absolute paths in the name field:

../victim_user/evil_kb or /tmp/pwned

This forces kb_path.mkdir() to create directories and write specific application files (embedding_metadata.json and schema.json) at any reachable path on the server.

Impact

Any Langflow instance exposing this endpoint to authenticated users is vulnerable. This exposes the server to:

  • Cross-user data compromise: Creation of directories and files within another tenant's knowledge base space.
  • Arbitrary filesystem manipulation: Directory creation at any path on the server where the application has write permissions (e.g., /app/data).
  • Data overwrite: Overwriting existing embedding_metadata.json and schema.json files in attacker-targeted paths, potentially corrupting existing knowledge bases.

Fixes

The issue was addressed in PR #12337. The fix introduces the _validate_kb_path_containment() helper function, which uses Path.is_relative_to() instead of startswith() to enforce strict path boundaries and prevent prefix-ambiguity bugs. This helper is applied before any filesystem operations. Regression tests were added to verify that traversal payloads return a 403 Forbidden.

Acknowledgements

Thanks to the security researchers who responsibly disclosed this vulnerability:

  • @ddlxstudio
  • @nekros1xx

AnalysisAI

Path traversal in Langflow's Knowledge Bases API (POST /api/v1/knowledge_bases) allows authenticated users to create directories and write controlled JSON files outside their designated storage boundary anywhere on the server filesystem. Versions up to and including langflow 1.8.4 (pip) are confirmed affected; the root cause is the unsanitized use of a user-supplied name field in path construction within create_knowledge_base. A public proof-of-concept is included in the GHSA advisory, lowering the exploitation bar considerably, though no CISA KEV listing confirms active widespread exploitation at time of analysis.

Technical ContextAI

The flaw is classified as CWE-22 (Path Traversal) and resides in src/backend/base/langflow/api/v1/knowledge_bases.py in the create_knowledge_base function. The function builds a filesystem path by concatenating the server's KB root, the authenticated user's identifier, and the attacker-controlled name field, then passes the result directly to Python's Path.mkdir() with no prior call to .resolve() or containment validation. Python's pathlib semantics allow two distinct bypass primitives: supplying a relative traversal sequence (e.g., ../victim_user/evil_kb) exits the intended directory, while supplying an absolute path (e.g., /tmp/pwned) causes pathlib to silently drop all preceding path components. A subtler third variant exploits a prefix-ambiguity bug present when startswith() is used for containment - a username of alice would incorrectly permit writes to alice_evil/ because the string prefix matches. The fix in PR #12337 resolves all three variants by calling .resolve() on both the user base path and the constructed KB path before applying Path.is_relative_to(), which performs a proper hierarchical containment check rather than a string prefix comparison. Affected package is pkg:pip/langflow <= 1.8.4.

RemediationAI

Upgrade langflow to version 1.9.0 or later, which incorporates the fix from PR #12337 (https://github.com/langflow-ai/langflow/pull/12337). The patch introduces _validate_kb_path_containment(), which calls .resolve() on both the user base path and the attacker-supplied KB path before enforcing containment with Path.is_relative_to(), blocking relative traversal sequences, absolute path injection, and prefix-ambiguity bypasses. Regression tests covering all three payload classes were added and verify a 403 Forbidden response. If immediate upgrade is not feasible, operators should restrict access to POST /api/v1/knowledge_bases at the network or API gateway layer to the minimum required set of authenticated users, and consider deploying a WAF rule that rejects name field values containing .. sequences or beginning with /. Note that WAF-based input filtering is a compensating control only - it may be bypassed via URL encoding, Unicode normalization, or other obfuscation techniques - and does not substitute for patching. Consult the advisory at https://github.com/langflow-ai/langflow/security/advisories/GHSA-79ph-745m-6wxq for authoritative guidance.

Share

EUVD-2026-38518 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy