Vulnerability-Lookup

CVE-2026-42867 (GCVE-0-2026-42867)

Vulnerability from cvelistv5 – Published: 2026-06-23 16:29 – Updated: 2026-06-23 17:02

Title

Langflow: Path Traversal in Knowledge Bases API via Creation Endpoint

Summary

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.0, Langflow is vulnerable to Path Traversal in the Knowledge Bases API (POST /api/v1/knowledge_bases). This occurs because user-supplied knowledge base names are used directly to create file paths without proper sanitization or containment checks. An authenticated attacker can exploit this flaw to create directories and write files anywhere on the server's filesystem. This vulnerability is fixed in 1.9.0.

Severity

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

SSVC

Exploitation: poc Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/langflow-ai/langflow/security/…	x_refsource_CONFIRM
https://github.com/langflow-ai/langflow/pull/12337	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
langflow-ai	langflow	Affected: < 1.9.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42867",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-23T17:01:29.364041Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-23T17:02:43.824Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-79ph-745m-6wxq"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "langflow",
          "vendor": "langflow-ai",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.9.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.0, Langflow is vulnerable to Path Traversal in the Knowledge Bases API (POST /api/v1/knowledge_bases). This occurs because user-supplied knowledge base names are used directly to create file paths without proper sanitization or containment checks. An authenticated attacker can exploit this flaw to create directories and write files anywhere on the server\u0027s filesystem. This vulnerability is fixed in 1.9.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-23T16:29:11.848Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-79ph-745m-6wxq",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-79ph-745m-6wxq"
        },
        {
          "name": "https://github.com/langflow-ai/langflow/pull/12337",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/langflow-ai/langflow/pull/12337"
        }
      ],
      "source": {
        "advisory": "GHSA-79ph-745m-6wxq",
        "discovery": "UNKNOWN"
      },
      "title": "Langflow: Path Traversal in Knowledge Bases API via Creation Endpoint"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42867",
    "datePublished": "2026-06-23T16:29:11.848Z",
    "dateReserved": "2026-04-30T18:49:06.710Z",
    "dateUpdated": "2026-06-23T17:02:43.824Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-42867",
      "date": "2026-06-24",
      "epss": "0.00283",
      "percentile": "0.19879"
    },
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-42867\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-23T17:01:29.364041Z\"}}}], \"references\": [{\"url\": \"https://github.com/langflow-ai/langflow/security/advisories/GHSA-79ph-745m-6wxq\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-23T17:01:48.325Z\"}}], \"cna\": {\"title\": \"Langflow: Path Traversal in Knowledge Bases API via Creation Endpoint\", \"source\": {\"advisory\": \"GHSA-79ph-745m-6wxq\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"langflow-ai\", \"product\": \"langflow\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.9.0\"}]}], \"references\": [{\"url\": \"https://github.com/langflow-ai/langflow/security/advisories/GHSA-79ph-745m-6wxq\", \"name\": \"https://github.com/langflow-ai/langflow/security/advisories/GHSA-79ph-745m-6wxq\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/langflow-ai/langflow/pull/12337\", \"name\": \"https://github.com/langflow-ai/langflow/pull/12337\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.0, Langflow is vulnerable to Path Traversal in the Knowledge Bases API (POST /api/v1/knowledge_bases). This occurs because user-supplied knowledge base names are used directly to create file paths without proper sanitization or containment checks. An authenticated attacker can exploit this flaw to create directories and write files anywhere on the server\u0027s filesystem. This vulnerability is fixed in 1.9.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-06-23T16:29:11.848Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-42867\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-23T17:02:43.824Z\", \"dateReserved\": \"2026-04-30T18:49:06.710Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-06-23T16:29:11.848Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-79PH-745M-6WXQ

Vulnerability from github – Published: 2026-06-16 17:35 – Updated: 2026-06-16 17:35

Summary

Langflow: Path Traversal in Knowledge Bases API via Creation Endpoint

Details

Summary

Langflow is vulnerable to Path Traversal in the Knowledge Bases API (POST /api/v1/knowledge_bases). This occurs because user-supplied knowledge base names are used directly to create file paths without proper sanitization or containment checks. An authenticated attacker can exploit this flaw to create directories and write files anywhere on the server's filesystem.

Details

The vulnerability exists in the create_knowledge_base function within src/backend/base/langflow/api/v1/knowledge_bases.py.

This function constructs file paths directly from the user-supplied name field without sanitization. The value is concatenated with the user's base directory and passed directly to kb_path.mkdir(). Immediately following the directory creation, the application writes embedding_metadata.json and schema.json into this attacker-controlled path.

PoC (Proof of Concept)

For the Create endpoint, an attacker can supply traversal sequences or absolute paths in the name field:

../victim_user/evil_kb or /tmp/pwned

This forces kb_path.mkdir() to create directories and write specific application files (embedding_metadata.json and schema.json) at any reachable path on the server.

Impact

Any Langflow instance exposing this endpoint to authenticated users is vulnerable. This exposes the server to: * Cross-user data compromise: Creation of directories and files within another tenant's knowledge base space. * Arbitrary filesystem manipulation: Directory creation at any path on the server where the application has write permissions (e.g., /app/data). * Data overwrite: Overwriting existing embedding_metadata.json and schema.json files in attacker-targeted paths, potentially corrupting existing knowledge bases.

Fixes

The issue was addressed in PR #12337. The fix introduces the _validate_kb_path_containment() helper function, which uses Path.is_relative_to() instead of startswith() to enforce strict path boundaries and prevent prefix-ambiguity bugs. This helper is applied before any filesystem operations. Regression tests were added to verify that traversal payloads return a 403 Forbidden.

Acknowledgements

Thanks to the security researchers who responsibly disclosed this vulnerability: * @ddlxstudio * @nekros1xx

Severity

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.8.4"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "langflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42867"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-16T17:35:09Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\nLangflow is vulnerable to Path Traversal in the Knowledge Bases API (`POST /api/v1/knowledge_bases`). This occurs because user-supplied knowledge base names are used directly to create file paths without proper sanitization or containment checks. An authenticated attacker can exploit this flaw to create directories and write files anywhere on the server\u0027s filesystem.\n\n## Details\nThe vulnerability exists in the `create_knowledge_base` function within `src/backend/base/langflow/api/v1/knowledge_bases.py`. \n\nThis function constructs file paths directly from the user-supplied `name` field without sanitization. The value is concatenated with the user\u0027s base directory and passed directly to `kb_path.mkdir()`. Immediately following the directory creation, the application writes `embedding_metadata.json` and `schema.json` into this attacker-controlled path.\n\n## PoC (Proof of Concept)\nFor the **Create** endpoint, an attacker can supply traversal sequences or absolute paths in the `name` field:\n\n`../victim_user/evil_kb`\nor\n`/tmp/pwned`\n\nThis forces `kb_path.mkdir()` to create directories and write specific application files (`embedding_metadata.json` and `schema.json`) at any reachable path on the server.\n\n## Impact\nAny Langflow instance exposing this endpoint to authenticated users is vulnerable. This exposes the server to:\n* **Cross-user data compromise:** Creation of directories and files within another tenant\u0027s knowledge base space.\n* **Arbitrary filesystem manipulation:** Directory creation at any path on the server where the application has write permissions (e.g., `/app/data`).\n* **Data overwrite:** Overwriting existing `embedding_metadata.json` and `schema.json` files in attacker-targeted paths, potentially corrupting existing knowledge bases.\n\n## Fixes\nThe issue was addressed in **PR #12337**. The fix introduces the `_validate_kb_path_containment()` helper function, which uses `Path.is_relative_to()` instead of `startswith()` to enforce strict path boundaries and prevent prefix-ambiguity bugs. This helper is applied before any filesystem operations. Regression tests were added to verify that traversal payloads return a `403 Forbidden`.\n\n## Acknowledgements\nThanks to the security researchers who responsibly disclosed this vulnerability:\n* @ddlxstudio\n* @nekros1xx",
  "id": "GHSA-79ph-745m-6wxq",
  "modified": "2026-06-16T17:35:09Z",
  "published": "2026-06-16T17:35:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-79ph-745m-6wxq"
    },
    {
      "type": "WEB",
      "url": "https://github.com/langflow-ai/langflow/pull/12337"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/langflow-ai/langflow"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Langflow: Path Traversal in Knowledge Bases API via Creation Endpoint"
}

WID-SEC-W-2026-1898

Vulnerability from csaf_certbund - Published: 2026-06-11 22:00 - Updated: 2026-06-11 22:00

Summary

Langflow: Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Langflow bietet eine visuelle Schnittstelle zum Erstellen von LLM-basierten Anwendungen.

Angriff: Ein Angreifer kann mehrere Schwachstellen in Langflow ausnutzen, um Sicherheitsvorkehrungen zu umgehen, Daten zu manipulieren und vertrauliche Informationen offenzulegen.

Betroffene Betriebssysteme: - Sonstiges - UNIX - Windows

CVE-2026-33760

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Open Source Langflow <1.9.0 Open Source / Langflow		<1.9.0

CVE-2026-42867

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Open Source Langflow <1.9.0 Open Source / Langflow		<1.9.0

References

4 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://github.com/langflow-ai/langflow/security/…	external
https://github.com/langflow-ai/langflow/security/…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Langflow bietet eine visuelle Schnittstelle zum Erstellen von LLM-basierten Anwendungen.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in Langflow ausnutzen, um Sicherheitsvorkehrungen zu umgehen, Daten zu manipulieren und vertrauliche Informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-1898 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1898.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-1898 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1898"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-9c59-2mvc-vfr8 vom 2026-06-11",
        "url": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-9c59-2mvc-vfr8"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-79ph-745m-6wxq vom 2026-06-11",
        "url": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-79ph-745m-6wxq"
      }
    ],
    "source_lang": "en-US",
    "title": "Langflow: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-06-11T22:00:00.000+00:00",
      "generator": {
        "date": "2026-06-12T09:30:54.494+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.6.0"
        }
      },
      "id": "WID-SEC-W-2026-1898",
      "initial_release_date": "2026-06-11T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-06-11T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c1.9.0",
                "product": {
                  "name": "Open Source Langflow \u003c1.9.0",
                  "product_id": "T055300"
                }
              },
              {
                "category": "product_version",
                "name": "1.9.0",
                "product": {
                  "name": "Open Source Langflow 1.9.0",
                  "product_id": "T055300-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:langflow:langflow:1.9.0"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Langflow"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-33760",
      "product_status": {
        "known_affected": [
          "T055300"
        ]
      },
      "release_date": "2026-06-11T22:00:00.000+00:00",
      "title": "CVE-2026-33760"
    },
    {
      "cve": "CVE-2026-42867",
      "product_status": {
        "known_affected": [
          "T055300"
        ]
      },
      "release_date": "2026-06-11T22:00:00.000+00:00",
      "title": "CVE-2026-42867"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-42867 (GCVE-0-2026-42867)

GHSA-79PH-745M-6WXQ

Summary

Details

PoC (Proof of Concept)

Impact

Fixes

Acknowledgements

WID-SEC-W-2026-1898

Tags

Sightings

Nomenclature