Vulnerability-Lookup

CVE-2026-55450 (GCVE-0-2026-55450)

Vulnerability from cvelistv5 – Published: 2026-06-23 16:17 – Updated: 2026-06-23 17:02

Title

Langflow: Unauthenticated file upload leads to DoS (space exhaustion) and information leak

Summary

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.1, unauthenticated users can upload any amount of data to the server without any limitations. No need for any prior knowledge, only network access to Langflow. This can lead to space exhaustion on the server. In addition, in the response, the absolute path of the uploaded file is reported to the attacker, which is an information leak that can assist in chaining other primitives. This vulnerability is fixed in 1.9.1.

Severity

9.3 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:H

SSVC

Exploitation: poc Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
CWE-306 - Missing Authentication for Critical Function
CWE-400 - Uncontrolled Resource Consumption

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/langflow-ai/langflow/security/…	x_refsource_CONFIRM
https://github.com/langflow-ai/langflow/pull/12831	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
langflow-ai	langflow	Affected: < 1.9.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-55450",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-23T17:00:33.147977Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-23T17:02:55.053Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-x223-p2gf-v735"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "langflow",
          "vendor": "langflow-ai",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.9.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.1, unauthenticated users can upload any amount of data to the server without any limitations. No need for any prior knowledge, only network access to Langflow. This can lead to space exhaustion on the server. In addition, in the response, the absolute path of the uploaded file is reported to the attacker, which is an information leak that can assist in chaining other primitives. This vulnerability is fixed in 1.9.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306: Missing Authentication for Critical Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-23T16:17:52.168Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-x223-p2gf-v735",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-x223-p2gf-v735"
        },
        {
          "name": "https://github.com/langflow-ai/langflow/pull/12831",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/langflow-ai/langflow/pull/12831"
        }
      ],
      "source": {
        "advisory": "GHSA-x223-p2gf-v735",
        "discovery": "UNKNOWN"
      },
      "title": "Langflow: Unauthenticated file upload leads to DoS (space exhaustion) and information leak"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-55450",
    "datePublished": "2026-06-23T16:17:52.168Z",
    "dateReserved": "2026-06-16T21:59:57.018Z",
    "dateUpdated": "2026-06-23T17:02:55.053Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-55450",
      "date": "2026-06-27",
      "epss": "0.0031",
      "percentile": "0.2274"
    },
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-55450\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-23T17:00:33.147977Z\"}}}], \"references\": [{\"url\": \"https://github.com/langflow-ai/langflow/security/advisories/GHSA-x223-p2gf-v735\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-23T17:01:03.861Z\"}}], \"cna\": {\"title\": \"Langflow: Unauthenticated file upload leads to DoS (space exhaustion) and information leak\", \"source\": {\"advisory\": \"GHSA-x223-p2gf-v735\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 9.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"langflow-ai\", \"product\": \"langflow\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.9.1\"}]}], \"references\": [{\"url\": \"https://github.com/langflow-ai/langflow/security/advisories/GHSA-x223-p2gf-v735\", \"name\": \"https://github.com/langflow-ai/langflow/security/advisories/GHSA-x223-p2gf-v735\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/langflow-ai/langflow/pull/12831\", \"name\": \"https://github.com/langflow-ai/langflow/pull/12831\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.1, unauthenticated users can upload any amount of data to the server without any limitations. No need for any prior knowledge, only network access to Langflow. This can lead to space exhaustion on the server. In addition, in the response, the absolute path of the uploaded file is reported to the attacker, which is an information leak that can assist in chaining other primitives. This vulnerability is fixed in 1.9.1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-200\", \"description\": \"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-306\", \"description\": \"CWE-306: Missing Authentication for Critical Function\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-400\", \"description\": \"CWE-400: Uncontrolled Resource Consumption\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-06-23T16:17:52.168Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-55450\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-23T17:02:55.053Z\", \"dateReserved\": \"2026-06-16T21:59:57.018Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-06-23T16:17:52.168Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-X223-P2GF-V735

Vulnerability from github – Published: 2026-06-17 18:43 – Updated: 2026-06-17 18:43

Summary

Langflow: Unauthenticated file upload leads to DoS (space exhaustion) and information leak

Details

Summary

Unauthenticated users can upload any amount of data to the server without any limitations. No need for any prior knowledge, only network access to Langflow.

This can lead to space exhaustion on the server.

In adition, in the response, the absolute path of the uploaded file is reported to the attacker, which is an information leak that can assist in chaining other primitives.

Tested on commit 2d67402b1dbaefcbce85a244d4a6cd5e4bda1cfe

Details

Code is in langflow/api/v1/[endpoints.py](http://endpoints.py/):

@router.post(
    "/upload/{flow_id}",
    status_code=HTTPStatus.CREATED,
    deprecated=True,
)
async def create_upload_file(
    file: UploadFile,
    flow_id: UUID,
) -> UploadFileResponse:
...

As can be seen above, there is no authentication. There is not validation over flow_id as well, unlike other endpoints:

        flow_id_str = str(flow_id)
        file_path = await asyncio.to_thread(save_uploaded_file, file, folder_name=flow_id_str)

Function save_uploaded_file saves the file to local file-system. Suggested fix: 1. Add authentication to route. 2. Only return relative path or filename.

PoC

PoC:

curl 'http://localhost:7860/api/v1/upload/<any_uuid>' -F "file=@<any_file>"

Example:

# curl 'http://localhost:7860/api/v1/upload/11111111-1111-1111-1111-111111111111' -F "file=@/tmp/dummy.txt"
{"flowId":"11111111-1111-1111-1111-111111111111","file_path":"/Users/ori/Library/Caches/langflow/11111111-1111-1111-1111-111111111111/9d63c3b5b7623d1fa3dc7fd1547313b9546c6d0fbbb6773a420613b7a17995c8.txt"}

Impact

Space exhaustion on server that can lead to Denial-of-Service.
Information leak - leakage of absolute path of langflow's cache directory in server.

Patches

Fixed in 1.9.1 via PR #12831. The deprecated POST /api/v1/upload/{flow_id} endpoint now uses the get_flow dependency, requiring an authenticated user and flow ownership (returns 404 for missing or cross-user flows), and enforces the max_file_size_upload limit (HTTP 413) — closing the unauthenticated upload and disk-exhaustion vectors. Upgrade to 1.9.1 or later.

Note: the response still returns the file's absolute path (file_path); after this fix it is only disclosed to the authenticated owner of the flow.

Ori Lahav Security Researcher @ Rubrik Inc.

Severity

9.3 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "langflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.9.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-55450"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-306",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-17T18:43:12Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Summary\nUnauthenticated users can upload any amount of data to the server without any limitations. No need for any prior knowledge, only network access to Langflow.\n\nThis can lead to space exhaustion on the server.\n\nIn adition, in the response, the absolute path of the uploaded file is reported to the attacker, which is an information leak that can assist in chaining other primitives.\n\nTested on commit 2d67402b1dbaefcbce85a244d4a6cd5e4bda1cfe\n\n### Details\nCode is in `langflow/api/v1/[endpoints.py](http://endpoints.py/)`:\n```python\n@router.post(\n    \"/upload/{flow_id}\",\n    status_code=HTTPStatus.CREATED,\n    deprecated=True,\n)\nasync def create_upload_file(\n    file: UploadFile,\n    flow_id: UUID,\n) -\u003e UploadFileResponse:\n...\n```\nAs can be seen above, there is no authentication. There is not validation over `flow_id` as well, unlike other endpoints:\n```\n        flow_id_str = str(flow_id)\n        file_path = await asyncio.to_thread(save_uploaded_file, file, folder_name=flow_id_str)\n```\nFunction `save_uploaded_file` saves the file to local file-system.\nSuggested fix:\n1. Add authentication to route.\n2. Only return relative path or filename.\n\n### PoC\nPoC:\n```bash\ncurl \u0027http://localhost:7860/api/v1/upload/\u003cany_uuid\u003e\u0027 -F \"file=@\u003cany_file\u003e\"\n```\n\nExample:\n```bash\n# curl \u0027http://localhost:7860/api/v1/upload/11111111-1111-1111-1111-111111111111\u0027 -F \"file=@/tmp/dummy.txt\"\n{\"flowId\":\"11111111-1111-1111-1111-111111111111\",\"file_path\":\"/Users/ori/Library/Caches/langflow/11111111-1111-1111-1111-111111111111/9d63c3b5b7623d1fa3dc7fd1547313b9546c6d0fbbb6773a420613b7a17995c8.txt\"}\n```\n\n### Impact\n1. Space exhaustion on server that can lead to Denial-of-Service.\n2. Information leak - leakage of absolute path of langflow\u0027s cache directory in server.\n\n\n\n\n\n### Patches\nFixed in **1.9.1** via PR [#12831](https://github.com/langflow-ai/langflow/pull/12831). The deprecated `POST /api/v1/upload/{flow_id}` endpoint now uses the `get_flow` dependency, requiring an authenticated user and flow ownership (returns `404` for missing or cross-user flows), and enforces the `max_file_size_upload` limit (`HTTP 413`) \u2014 closing the unauthenticated upload and disk-exhaustion vectors. Upgrade to **1.9.1 or later**.\n\nNote: the response still returns the file\u0027s absolute path (`file_path`); after this fix it is only disclosed to the authenticated owner of the flow.\n\n\nOri Lahav\nSecurity Researcher @ Rubrik Inc.",
  "id": "GHSA-x223-p2gf-v735",
  "modified": "2026-06-17T18:43:12Z",
  "published": "2026-06-17T18:43:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-x223-p2gf-v735"
    },
    {
      "type": "WEB",
      "url": "https://github.com/langflow-ai/langflow/pull/12831"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/langflow-ai/langflow"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Langflow: Unauthenticated file upload leads to DoS (space exhaustion) and information leak"
}

PYSEC-2026-224

Vulnerability from pysec - Published: 2026-06-23 17:17 - Updated: 2026-06-25 23:10

Details

Severity

9.3 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:H

Impacted products

Name	purl
langflow	pkg:pypi/langflow

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "ecosystem_specific": {},
      "package": {
        "ecosystem": "PyPI",
        "name": "langflow",
        "purl": "pkg:pypi/langflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.9.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.0.31",
        "0.0.32",
        "0.0.33",
        "0.0.40",
        "0.0.44",
        "0.0.45",
        "0.0.46",
        "0.0.52",
        "0.0.53",
        "0.0.54",
        "0.0.55",
        "0.0.56",
        "0.0.57",
        "0.0.58",
        "0.0.61",
        "0.0.62",
        "0.0.63",
        "0.0.64",
        "0.0.65",
        "0.0.66",
        "0.0.67",
        "0.0.68",
        "0.0.69",
        "0.0.70",
        "0.0.71",
        "0.0.72",
        "0.0.73",
        "0.0.74",
        "0.0.75",
        "0.0.76",
        "0.0.78",
        "0.0.79",
        "0.0.80",
        "0.0.81",
        "0.0.83",
        "0.0.84",
        "0.0.85",
        "0.0.86",
        "0.0.87",
        "0.0.88",
        "0.0.89",
        "0.1.0",
        "0.1.2",
        "0.1.3",
        "0.1.4",
        "0.1.5",
        "0.1.6",
        "0.1.7",
        "0.2.0",
        "0.2.1",
        "0.2.10",
        "0.2.11",
        "0.2.12",
        "0.2.13",
        "0.2.2",
        "0.2.3",
        "0.2.4",
        "0.2.5",
        "0.2.6",
        "0.2.7",
        "0.2.8",
        "0.2.9",
        "0.3.0",
        "0.3.1",
        "0.3.2",
        "0.3.3",
        "0.3.4",
        "0.4.0",
        "0.4.1",
        "0.4.10",
        "0.4.11",
        "0.4.12",
        "0.4.14",
        "0.4.15",
        "0.4.16",
        "0.4.17",
        "0.4.18",
        "0.4.19",
        "0.4.2",
        "0.4.20",
        "0.4.21",
        "0.4.3",
        "0.4.4",
        "0.4.5",
        "0.4.6",
        "0.4.7",
        "0.4.8",
        "0.4.9",
        "0.5.0",
        "0.5.0a0",
        "0.5.0a1",
        "0.5.0a2",
        "0.5.0a3",
        "0.5.0a4",
        "0.5.0a5",
        "0.5.0a6",
        "0.5.0b0",
        "0.5.0b2",
        "0.5.0b3",
        "0.5.0b4",
        "0.5.0b5",
        "0.5.0b6",
        "0.5.1",
        "0.5.10",
        "0.5.11",
        "0.5.12",
        "0.5.2",
        "0.5.3",
        "0.5.4",
        "0.5.5",
        "0.5.6",
        "0.5.7",
        "0.5.8",
        "0.5.9",
        "0.6.0",
        "0.6.0rc1",
        "0.6.1",
        "0.6.10",
        "0.6.11",
        "0.6.12",
        "0.6.14",
        "0.6.15",
        "0.6.16",
        "0.6.17",
        "0.6.18",
        "0.6.19",
        "0.6.2",
        "0.6.3",
        "0.6.3a0",
        "0.6.3a1",
        "0.6.3a2",
        "0.6.3a3",
        "0.6.3a4",
        "0.6.3a5",
        "0.6.3a6",
        "0.6.3a7",
        "0.6.4",
        "0.6.4a0",
        "0.6.4a1",
        "0.6.5",
        "0.6.5a0",
        "0.6.5a1",
        "0.6.5a10",
        "0.6.5a11",
        "0.6.5a12",
        "0.6.5a13",
        "0.6.5a2",
        "0.6.5a3",
        "0.6.5a4",
        "0.6.5a5",
        "0.6.5a6",
        "0.6.5a7",
        "0.6.5a8",
        "0.6.5a9",
        "0.6.6",
        "0.6.7",
        "0.6.7a1",
        "0.6.7a2",
        "0.6.7a3",
        "0.6.7a5",
        "0.6.8",
        "0.6.9",
        "1.0.0",
        "1.0.0a0",
        "1.0.0a1",
        "1.0.0a10",
        "1.0.0a11",
        "1.0.0a12",
        "1.0.0a13",
        "1.0.0a14",
        "1.0.0a15",
        "1.0.0a17",
        "1.0.0a18",
        "1.0.0a19",
        "1.0.0a2",
        "1.0.0a20",
        "1.0.0a21",
        "1.0.0a22",
        "1.0.0a23",
        "1.0.0a24",
        "1.0.0a25",
        "1.0.0a26",
        "1.0.0a27",
        "1.0.0a28",
        "1.0.0a29",
        "1.0.0a3",
        "1.0.0a30",
        "1.0.0a31",
        "1.0.0a32",
        "1.0.0a33",
        "1.0.0a34",
        "1.0.0a35",
        "1.0.0a36",
        "1.0.0a37",
        "1.0.0a38",
        "1.0.0a39",
        "1.0.0a4",
        "1.0.0a40",
        "1.0.0a41",
        "1.0.0a42",
        "1.0.0a43",
        "1.0.0a44",
        "1.0.0a45",
        "1.0.0a46",
        "1.0.0a47",
        "1.0.0a48",
        "1.0.0a49",
        "1.0.0a5",
        "1.0.0a50",
        "1.0.0a51",
        "1.0.0a52",
        "1.0.0a53",
        "1.0.0a55",
        "1.0.0a56",
        "1.0.0a57",
        "1.0.0a58",
        "1.0.0a59",
        "1.0.0a6",
        "1.0.0a60",
        "1.0.0a61",
        "1.0.0a7",
        "1.0.0a8",
        "1.0.0a9",
        "1.0.0rc0",
        "1.0.0rc1",
        "1.0.1",
        "1.0.10",
        "1.0.11",
        "1.0.12",
        "1.0.13",
        "1.0.14",
        "1.0.15",
        "1.0.16",
        "1.0.17",
        "1.0.18",
        "1.0.19",
        "1.0.19.post1",
        "1.0.19.post2",
        "1.0.2",
        "1.0.3",
        "1.0.4",
        "1.0.5",
        "1.0.6",
        "1.0.7",
        "1.0.8",
        "1.0.9",
        "1.1.0",
        "1.1.1",
        "1.1.2",
        "1.1.3",
        "1.1.4",
        "1.1.4.post1",
        "1.2.0",
        "1.3.0",
        "1.3.1",
        "1.3.2",
        "1.3.3",
        "1.3.4",
        "1.4.0",
        "1.4.1",
        "1.4.2",
        "1.4.3",
        "1.5.0",
        "1.5.0.post1",
        "1.5.0.post2",
        "1.5.1",
        "1.6.0",
        "1.6.1",
        "1.6.2",
        "1.6.3",
        "1.6.4",
        "1.6.5",
        "1.6.6",
        "1.6.7",
        "1.6.8",
        "1.6.9",
        "1.7.0",
        "1.7.1",
        "1.7.2",
        "1.7.3",
        "1.8.0",
        "1.8.0rc0",
        "1.8.0rc1",
        "1.8.0rc2",
        "1.8.0rc3",
        "1.8.0rc4",
        "1.8.0rc5",
        "1.8.0rc6",
        "1.8.1",
        "1.8.2",
        "1.8.3",
        "1.8.3rc0",
        "1.8.4",
        "1.9.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2026-55450",
    "GHSA-x223-p2gf-v735"
  ],
  "details": "Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.1, unauthenticated users can upload any amount of data to the server without any limitations. No need for any prior knowledge, only network access to Langflow. This can lead to space exhaustion on the server. In addition, in the response, the absolute path of the uploaded file is reported to the attacker, which is an information leak that can assist in chaining other primitives. This vulnerability is fixed in 1.9.1.",
  "id": "PYSEC-2026-224",
  "modified": "2026-06-25T23:10:36.756076Z",
  "published": "2026-06-23T17:17:08.663Z",
  "references": [
    {
      "type": "FIX",
      "url": "https://github.com/langflow-ai/langflow/pull/12831"
    },
    {
      "type": "FIX",
      "url": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-x223-p2gf-v735"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

WID-SEC-W-2026-1970

Vulnerability from csaf_certbund - Published: 2026-06-16 22:00 - Updated: 2026-06-16 22:00

Summary

Langflow: Schwachstelle ermöglicht Denial of Service und Offenlegung von Informationen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: Langflow bietet eine visuelle Schnittstelle zum Erstellen von LLM-basierten Anwendungen.

Angriff: Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Langflow ausnutzen, um einen Denial of Service Angriff durchzuführen, und um informationen offenzulegen.

Betroffene Betriebssysteme: - Linux - Sonstiges - UNIX - Windows

CVE-2026-55450

Affected products

Known affected 1 product

Product	Identifier	Version	Remediation
Open Source Langflow <1.9.1 Open Source / Langflow		<1.9.1

References

3 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://github.com/langflow-ai/langflow/security/…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Langflow bietet eine visuelle Schnittstelle zum Erstellen von LLM-basierten Anwendungen.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Langflow ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren, und um informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-1970 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-1970.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-1970 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1970"
      },
      {
        "category": "external",
        "summary": "GitHub Security Advisory GHSA-x223-p2gf-v735 vom 2026-06-16",
        "url": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-x223-p2gf-v735"
      }
    ],
    "source_lang": "en-US",
    "title": "Langflow: Schwachstelle erm\u00f6glicht Denial of Service und Offenlegung von Informationen",
    "tracking": {
      "current_release_date": "2026-06-16T22:00:00.000+00:00",
      "generator": {
        "date": "2026-06-17T10:19:57.236+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.6.0"
        }
      },
      "id": "WID-SEC-W-2026-1970",
      "initial_release_date": "2026-06-16T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-06-16T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c1.9.1",
                "product": {
                  "name": "Open Source Langflow \u003c1.9.1",
                  "product_id": "T055554"
                }
              },
              {
                "category": "product_version",
                "name": "1.9.1",
                "product": {
                  "name": "Open Source Langflow 1.9.1",
                  "product_id": "T055554-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:langflow:langflow:1.9.1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Langflow"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-55450",
      "product_status": {
        "known_affected": [
          "T055554"
        ]
      },
      "release_date": "2026-06-16T22:00:00.000+00:00",
      "title": "CVE-2026-55450"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-55450 (GCVE-0-2026-55450)

GHSA-X223-P2GF-V735

Summary

Details

PoC

Impact

Patches

PYSEC-2026-224

WID-SEC-W-2026-1970

Tags

Sightings

Nomenclature