A high-severity unpatched flaw in Langflow, an open-source platform for building AI applications, is being actively exploited in the wild, according to a research disclosure. The bug, tracked as CVE-2026-5027, carries a CVSS score of 8.8 and can let an attacker write files to arbitrary locations.
KEY FACTS
- Issue: Path traversal in the POST /api/v2/files endpoint
- Risk: Arbitrary file writes and possible remote code execution
- Exposure: About 7,000 Langflow instances are publicly reachable
- Status: No patch was noted in the report
A technical advisory from Tenable said the endpoint did not sanitize the filename parameter in multipart form data, allowing path traversal sequences such as ../ to place files in arbitrary filesystem locations. Tenable said it tried to contact the project maintainers three times in January and February before disclosing the issue on March 27.
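As an added defensive example, not Langflow's own code, this is the containment check a multipart upload handler should apply to the client-supplied filename before touching the filesystem; the upload root and the sample filenames are assumed/constructed for the example.

```python
# Added example (not Langflow's code): sanitise a multipart "filename" value
# and confirm the final write target stays inside the upload directory.
# UPLOAD_ROOT is an assumed location; it need not exist for the checks to run.
from pathlib import Path, PurePosixPath
from urllib.parse import unquote

UPLOAD_ROOT = Path("/srv/app/uploads")  # assumed upload directory


def sanitize_upload_name(filename: str) -> str:
    """Reduce a client-supplied filename to a single safe basename.

    Raises ValueError for anything that could redirect the write: traversal
    segments, absolute paths, directory components, NUL bytes, and the
    percent-encoded or backslash-separated variants of those.
    """
    decoded = unquote(filename)            # "%2e%2e%2f" -> "../"
    normalized = decoded.replace("\\", "/")  # treat backslashes as separators
    name = PurePosixPath(normalized).name
    if "/" in normalized or "\x00" in normalized or name in ("", ".", ".."):
        raise ValueError(f"rejected filename: {filename!r}")
    return name


def resolve_upload_path(filename: str, root: Path = UPLOAD_ROOT) -> Path:
    """Return the absolute write target, guaranteed to be inside `root`."""
    target = (root / sanitize_upload_name(filename)).resolve()
    # Second, independent check on the resolved path: the sanitised name must
    # not have produced a target outside the upload root by any other route.
    if root.resolve() not in target.parents:
        raise ValueError("upload path escapes the upload root")
    return target


if __name__ == "__main__":
    # Constructed sample filenames: one benign, one carrying "../" sequences.
    for candidate in ("report.txt", "../../../tmp/poc.txt"):
        try:
            print(candidate, "->", resolve_upload_path(candidate))
        except ValueError as exc:
            print(candidate, "->", exc)
```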
Caitlin Condon, vice president of security research at VulnCheck, said the weakness can be used for remote code execution. She added that Langflow’s default unauthenticated auto-login means no credentials are needed to reach the endpoint and a single request can obtain a valid session token before exploitation.
According to the disclosure, current activity appears to focus on writing test files on victim systems. Censys data cited in the report shows about 7,000 Langflow instances exposed on the internet, with most in North America.
The activity follows other exploitation attempts against Langflow flaws this year, including CVE-2026-0770, CVE-2026-33017, CVE-2026-21445 and CVE-2025-34291. The last of those was weaponized by the Iranian state-sponsored group known as MuddyWater.
WHY IT MATTERS
The case shows how flaws in AI application tooling can quickly become a path to system compromise when exposed to the internet. Organizations running Langflow may face added risk if instances are publicly accessible and not updated.