GHSA-79PH-745M-6WXQ

Vulnerability from github – Published: 2026-06-16 17:35 – Updated: 2026-06-16 17:35
VLAI
Summary
Langflow: Path Traversal in Knowledge Bases API via Creation Endpoint
Details

Summary

Langflow is vulnerable to Path Traversal in the Knowledge Bases API (POST /api/v1/knowledge_bases). This occurs because user-supplied knowledge base names are used directly to create file paths without proper sanitization or containment checks. An authenticated attacker can exploit this flaw to create directories and write files anywhere on the server's filesystem.

Details

The vulnerability exists in the create_knowledge_base function within src/backend/base/langflow/api/v1/knowledge_bases.py.

This function constructs file paths directly from the user-supplied name field without sanitization. The value is concatenated with the user's base directory and passed directly to kb_path.mkdir(). Immediately following the directory creation, the application writes embedding_metadata.json and schema.json into this attacker-controlled path.

PoC (Proof of Concept)

For the Create endpoint, an attacker can supply traversal sequences or absolute paths in the name field:

../victim_user/evil_kb or /tmp/pwned

This forces kb_path.mkdir() to create directories and write specific application files (embedding_metadata.json and schema.json) at any reachable path on the server.

Impact

Any Langflow instance exposing this endpoint to authenticated users is vulnerable. This exposes the server to: * Cross-user data compromise: Creation of directories and files within another tenant's knowledge base space. * Arbitrary filesystem manipulation: Directory creation at any path on the server where the application has write permissions (e.g., /app/data). * Data overwrite: Overwriting existing embedding_metadata.json and schema.json files in attacker-targeted paths, potentially corrupting existing knowledge bases.

Fixes

The issue was addressed in PR #12337. The fix introduces the _validate_kb_path_containment() helper function, which uses Path.is_relative_to() instead of startswith() to enforce strict path boundaries and prevent prefix-ambiguity bugs. This helper is applied before any filesystem operations. Regression tests were added to verify that traversal payloads return a 403 Forbidden.

Acknowledgements

Thanks to the security researchers who responsibly disclosed this vulnerability: * @ddlxstudio * @nekros1xx

Severity
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.8.4"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "langflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42867"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-16T17:35:09Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\nLangflow is vulnerable to Path Traversal in the Knowledge Bases API (`POST /api/v1/knowledge_bases`). This occurs because user-supplied knowledge base names are used directly to create file paths without proper sanitization or containment checks. An authenticated attacker can exploit this flaw to create directories and write files anywhere on the server\u0027s filesystem.\n\n## Details\nThe vulnerability exists in the `create_knowledge_base` function within `src/backend/base/langflow/api/v1/knowledge_bases.py`. \n\nThis function constructs file paths directly from the user-supplied `name` field without sanitization. The value is concatenated with the user\u0027s base directory and passed directly to `kb_path.mkdir()`. Immediately following the directory creation, the application writes `embedding_metadata.json` and `schema.json` into this attacker-controlled path.\n\n## PoC (Proof of Concept)\nFor the **Create** endpoint, an attacker can supply traversal sequences or absolute paths in the `name` field:\n\n`../victim_user/evil_kb`\nor\n`/tmp/pwned`\n\nThis forces `kb_path.mkdir()` to create directories and write specific application files (`embedding_metadata.json` and `schema.json`) at any reachable path on the server.\n\n## Impact\nAny Langflow instance exposing this endpoint to authenticated users is vulnerable. This exposes the server to:\n* **Cross-user data compromise:** Creation of directories and files within another tenant\u0027s knowledge base space.\n* **Arbitrary filesystem manipulation:** Directory creation at any path on the server where the application has write permissions (e.g., `/app/data`).\n* **Data overwrite:** Overwriting existing `embedding_metadata.json` and `schema.json` files in attacker-targeted paths, potentially corrupting existing knowledge bases.\n\n## Fixes\nThe issue was addressed in **PR #12337**. The fix introduces the `_validate_kb_path_containment()` helper function, which uses `Path.is_relative_to()` instead of `startswith()` to enforce strict path boundaries and prevent prefix-ambiguity bugs. This helper is applied before any filesystem operations. Regression tests were added to verify that traversal payloads return a `403 Forbidden`.\n\n## Acknowledgements\nThanks to the security researchers who responsibly disclosed this vulnerability:\n* @ddlxstudio\n* @nekros1xx",
  "id": "GHSA-79ph-745m-6wxq",
  "modified": "2026-06-16T17:35:09Z",
  "published": "2026-06-16T17:35:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-79ph-745m-6wxq"
    },
    {
      "type": "WEB",
      "url": "https://github.com/langflow-ai/langflow/pull/12337"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/langflow-ai/langflow"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Langflow: Path Traversal in Knowledge Bases API via Creation Endpoint"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.