This post is a research article published by [EQSTLab](https://github.com/EQSTLab).
**Thanks to [Yahia Hamza](https://yh.do), who reported and analyzed this vulnerability.**
# CVE-2026-5027
★ CVE-2026-5027 Langflow Path Traversal / Arbitrary File Write PoC ★
## Description
**CVE-2026-5027: Langflow Arbitrary File Write Vulnerability**

A path traversal vulnerability in Langflow <= 1.8.4 allows attackers to write arbitrary files outside the intended upload directory via a crafted multipart `filename` supplied to the `/api/v2/files` endpoint. In deployments where auto-login is enabled or authentication is otherwise weakly enforced, this issue may be leveraged to achieve remote code execution by writing attacker-controlled content to sensitive filesystem locations.
## Lab Setup
Build and run the vulnerable environment using Docker:
### Build Image
```sh
docker build -t cve-2026-5027 .
```
### Run Container
```sh
docker run --rm -it -p 9013:7860 --name cve-2026-5027 cve-2026-5027
```
## How to use
### Execute
```sh
# Non-destructive validation (proof file)
python3 CVE-2026-5027.py -t
# Validation with authenticated mode
python3 CVE-2026-5027.py -t -u -p
```
## Analysis
**Vulnerable Endpoint**
```http
POST /api/v2/files
```
The issue exists because the upload functionality trusts the multipart `filename` value provided by the client. Instead of generating a safe server-side storage name or constraining the resolved path to a dedicated upload directory, the vulnerable code path allows traversal sequences such as `../` to influence the final destination path.
As a result, an attacker can escape the intended storage root and force the application to write files to arbitrary locations on the server filesystem.
A representative exploitation flow is as follows:
1. Obtain an access token through normal login or an auto-login-enabled deployment.
2. Submit a multipart upload request to `/api/v2/files`.
3. Supply a crafted `filename` containing path traversal sequences.
4. Cause Langflow to write attacker-controlled content outside the expected storage directory.
This is fundamentally a **CWE-22: Improper Limitation of a Pathname to a Restricted Directory** issue.
### Technical Root Cause
The security flaw is caused by insufficient sanitization and validation of user-controlled file paths during upload handling. The application accepts the original client filename and passes it into the storage workflow without adequately enforcing path normalization and containment.
From a defensive standpoint, the dangerous pattern is conceptually similar to the following:
```python
# base_dir is the intended upload root; file.filename is the client-supplied
# multipart name, joined to it without normalization or containment checks.
save_path = base_dir / file.filename
```
If `file.filename` contains path traversal components such as:
```text
../../../../tmp/poc.txt
```
the final resolved path may point outside `base_dir`, enabling arbitrary file write.
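The following is an added example and not Langflow's code: it places the naive join described above next to a hardened replacement (a strict filename check plus a post-resolution containment check) and a server-generated storage name, the two remediations the write-up names. It then runs both joins over a few constructed client filenames. `UPLOAD_ROOT`, `SAMPLE_FILENAMES` and every helper name are hypothetical; the root directory does not need to exist because `Path.resolve()` is used non-strictly.

```python
"""Added example, not Langflow's code: the naive join from the write-up beside
a hardened replacement, audited over constructed client filenames.
UPLOAD_ROOT, SAMPLE_FILENAMES and all helper names are hypothetical."""
from pathlib import Path, PureWindowsPath
from typing import Optional
import secrets

# Constructed upload root for the demo; it need not exist on disk.
UPLOAD_ROOT = Path("/srv/langflow/uploads")

# Constructed client filenames: a benign name, the traversal shape from the
# write-up, a backslash variant and an absolute path.
SAMPLE_FILENAMES = [
    "report.pdf",
    "../../../../tmp/poc.txt",
    "..\\..\\poc.txt",
    "/etc/cron.d/job",
]


def unsafe_save_path(base_dir: Path, client_filename: str) -> Path:
    """The dangerous pattern: the client-supplied multipart filename is joined
    to base_dir unchanged, so '../' segments (or an absolute path, which
    pathlib lets replace base_dir entirely) walk out of the upload root."""
    return base_dir / client_filename


def is_contained(base_dir: Path, candidate: Path) -> bool:
    """Containment check: resolve both paths (collapsing '..' and following
    symlinks) and require candidate to be base_dir itself or a descendant."""
    base = base_dir.resolve()
    target = candidate.resolve()
    return target == base or base in target.parents


def safe_save_path(base_dir: Path, client_filename: str) -> Path:
    """Hardened join: accept only a bare file name (no separator of either
    flavour, no NUL, not '.', '..' or empty) and re-check containment after
    resolution. Suspicious names are rejected rather than silently cleaned,
    so the attempt can be logged."""
    if (
        not client_filename
        or "/" in client_filename
        or "\\" in client_filename
        or "\x00" in client_filename
        or client_filename in (".", "..")
    ):
        raise ValueError(f"rejected client filename: {client_filename!r}")
    candidate = base_dir / client_filename
    if not is_contained(base_dir, candidate):  # defence in depth
        raise ValueError(f"path escapes upload root: {candidate}")
    return candidate


def server_side_name(client_filename: str) -> str:
    """Strongest option named in the write-up: never put the client name on
    disk. Store under a random, server-chosen name, keep only an alphanumeric
    extension, and record the original name as metadata elsewhere."""
    suffix = PureWindowsPath(client_filename).suffix.lower()
    if not suffix[1:].isalnum():
        suffix = ""
    return secrets.token_hex(16) + suffix


def audit(base_dir: Path, client_filenames: list) -> dict:
    """For each name report (does the naive join escape base_dir?, the name the
    hardened join would store, or None when it rejects the input)."""
    report = {}
    for fn in client_filenames:
        escaped = not is_contained(base_dir, unsafe_save_path(base_dir, fn))
        try:
            stored: Optional[str] = safe_save_path(base_dir, fn).name
        except ValueError:
            stored = None
        report[fn] = (escaped, stored)
    return report


if __name__ == "__main__":
    for name, (escaped, stored) in audit(UPLOAD_ROOT, SAMPLE_FILENAMES).items():
        print(f"{name!r:30} naive_escapes={escaped!s:5} hardened={stored}")
```

On a POSIX host the backslash variant is a single odd filename rather than a traversal, so the naive join does not escape there; the hardened check still rejects it, because a name that would traverse on one platform is never worth storing on another.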
### Why This Matters
Arbitrary file write vulnerabilities are often more severe than standard unrestricted upload issues because the attacker controls not only the file contents, but also the destination path. Depending on the runtime privileges of the Langflow process, this may enable:
- overwrite of application files
- modification of startup or scheduled task files
- persistence through shell initialization or key files
- escalation from arbitrary file write to remote code execution
## Scenario
```text
Attacker
  --(obtain access token or abuse auto-login)-->
Langflow /api/v2/files
  --(supply crafted multipart filename containing ../)-->
Arbitrary file write outside the upload directory
  --(write to a sensitive location)-->
Potential remote code execution
```
## Disclaimer
This repository is not intended to facilitate unauthorized exploitation of Langflow instances. The purpose of this project is to help security researchers, defenders, and developers understand the vulnerability, validate exposure in controlled environments, and apply effective mitigations.
## References
- https://www.tenable.com/security/research/tra-2026-26
- https://www.cve.org/CVERecord?id=CVE-2026-5027
- https://github.com/yahiahamza/CVE-2026-5027
- https://github.com/langflow-ai/langflow