Attackers are actively exploiting CVE-2026-5027, a critical vulnerability in the AI development platform Langflow, to write arbitrary files to exposed servers.
Langflow is an open-source visual platform for building AI applications, AI agents, Retrieval-Augmented Generation (RAG) systems, and MCP-based workflows using a drag-and-drop interface instead of traditional coding.
The project is heavily used by AI development teams, and has accumulated over 149,000 stars and 9,200 forks on GitHub.
CVE-2026-5027 is a critical method flaw in Langflow’s file upload functionality that fails to properly sanitize user-supplied filenames.
“The ‘POST /api/v2/files’ endpoint does not parse the ‘filename’ parameter from the multipart form data, allowing an attacker to write files to arbitrary locations in the file system using the path sequence (‘../’),” explained Tenable, who discovered the bug earlier this year.
Tenable disclosed the issue publicly on March 27, 2026, more than two months after first reporting it to the Langflow team without receiving a response.
Although Tenable did not mention a fix in its advisory, Snyk Security reported on March 30, 2026, that the problem was fixed in the langflow-base package version 0.8.3, while the Langflow application itself received a patch in version 1.9.0.
According to VulnCheck security researcher Caitlin Condon, their honeypots have now found attackers using vulnerabilities to dump test files in vulnerable situations.
“Because Langflow enables automatic unauthorized login by default, no credentials are required to access the vulnerable site, and one unauthorized request is enough to obtain a valid session token before further exploitation,” reads the researcher’s post on LinkedIn.
Condon added that the Censys scan identified about 7,000 publicly displayed instances of Langflow. However, Censys data includes historical scan results for the past 12 months and may not accurately reflect the number of currently exposed systems.
The CVE-2026-5027 exploit comes on the heels of similar work targeting other Langflow vulnerabilities earlier this year, including CVE-2026-0770, CVE-2026-21445, and CVE-2026-33017.
Last year, the US Cybersecurity & Infrastructure Security Agency (CISA) also warned of an active exploit for CVE-2025-3248, with Condon saying VulnCheck continues to look for work, including work linked to the Iranian threat group MuddyWater.
Langflow users are recommended to upgrade to the latest release, version 1.10.0, published earlier today.
Security teams penetrate 54% of successful attacks and monitor 14%. Some walk around the area without being seen.
The Picus white paper shows how breaches and attack simulations evaluate your SIEM and EDR rules so that threats stop slipping through detection.
Get a white paper
