CRITICAL🇵🇱 Wersja polska

CVE-2026-33309

CVSS 9.9v3.1pub. 2026-03-24

Langflow is a tool for building and deploying AI-powered agents and workflows. Versions 1.2.0 through 1.8.1 have a bypass of the patch for CVE-2025-68478 (External Control of File Name), leading to the root architectural issue within `LocalStorageService` remaining unresolved. Because the underlying storage layer lacks boundary containment checks, the system relies entirely on the HTTP-layer `ValidatedFileName` dependency. This defense-in-depth failure leaves the `POST /api/v2/files/` endpoint vulnerable to Arbitrary File Write. The multipart upload filename bypasses the path-parameter guard, allowing authenticated attackers to write files anywhere on the host system, leading to Remote Code Execution (RCE). Version 1.9.0 contains an updated fix.

🤖 AI Analysis
How it works

The defense mechanism based solely on file name validation at the HTTP layer (dependency `ValidatedFileName`) can be bypassed by an appropriately crafted file name in a multipart upload request directed to the `POST /api/v2/files/` endpoint. The data storage layer (`LocalStorageService`) does not independently perform any path boundary containment checks, which constitutes an architectural flaw in the system. As a result, an attacker can perform path traversal and write a file to any location on the server, bypassing the path parameter protection. Writing a malicious file to an appropriate system location then enables arbitrary code execution (RCE).

Impact

An authenticated attacker can write arbitrary files to a chosen location on the host, which consequently leads to Remote Code Execution (RCE) and complete compromise of system confidentiality, integrity, and availability.

Mitigation & patch

Update Langflow to version 1.9.0, which contains improved security implementation. Apply boundary containment checks directly in the `LocalStorageService` layer, rather than relying solely on HTTP validation.

Who is affected

Langflow in versions 1.2.0 to 1.8.1 (inclusive)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Langflow

    APP
    Langflow
    1.2.0 – 1.9.0 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEPath Traversal
CWE
References

Related vulnerabilities

CVE-2026-33017CRITICAL9.3⚠ KEVPL ✓ten sam produkt

Langflow: nieuwierzytelniony RCE przez endpoint budowania publicznych przepływów

CVE-2025-34291CRITICAL9.4⚠ KEVPL ✓ten sam produkt

Langflow: przejęcie konta i RCE przez błędną konfigurację CORS

CVE-2025-3248CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Nieuwierzytelnione RCE w Langflow poprzez wstrzyknięcie kodu w endpoint /api/v1/validate/code

CVE-2026-10140CRITICAL9.6ten sam produkt

IBM Langflow OSS 1.0.0 through 1.10.0 voice mode contains improper shared-state handling that allows reuse of ...

CVE-2026-10134CRITICAL10.0ten sam produkt

IBM Langflow OSS 1.0.0 through 1.9.3 allows an attacker to read every secret available to the Langflow process...