2026-06-11
HighMedia reportCVE-2026-5027 (CVSS 8.8): Langflow file upload endpoint allowed unauthenticated path traversal and arbitrary file write, enabling RCE across 7,000+ publicly exposed AI agent pipeline instances.
What happened
Attacker sends a single unauthenticated POST request to /api/v2/files with a filename parameter containing ../ path traversal sequences. Auto-login returns a valid session token with no credentials. Attacker writes arbitrary files to the server filesystem, achieving remote code execution.
Why it matters
Full server-level RCE on Langflow instances. Because Langflow deployments typically hold LLM API keys, agent workflow definitions, and credentials for downstream services (databases, APIs), a compromised instance gives an attacker control over the entire agentic pipeline and all credentials it holds. Active exploitation observed writing test files to victim systems. Approximately 7,000 instances publicly exposed.
Missing authorization check
The file upload endpoint required no authentication. Auto-login defaults should require explicit scope-limited tokens for any file-modifying operation. File write operations should validate that the resolved path remains within an allowed directory before writing.
Would PP block it?
CVE-2026-5027 is a pre-agent attack: the attacker exploits the Langflow server layer before any agent session begins. PP's Runtime Gate enforces authorization on agent tool calls and actions but cannot gate unauthenticated HTTP requests to vulnerable API endpoints. Once the attacker achieves RCE on the Langflow server, they can read PP-bound credentials and impersonate any agent action. Full coverage requires hardening the Langflow runtime itself (auth, path validation) as a prerequisite to PP enforcement.
Incident analysis
2026-01-01
Tenable discovers CVE-2026-5027 path traversal in Langflow POST /api/v2/files endpoint. First contact attempt to project maintainers.
2026-02-01
Tenable makes second and third contact attempts to Langflow maintainers with no response.
2026-03-27
Tenable publishes vulnerability disclosure (TRA-2026-26) after responsible disclosure window expires with no patch. VulnCheck confirms the flaw enables unauthenticated RCE via auto-login default.
2026-04-15
Langflow 1.9.0 released. Maintainers confirm CVE-2026-5027 is addressed. Users advised to update immediately.
2026-06-11
The Hacker News reports active exploitation in the wild. Censys shows approximately 7,000 publicly exposed instances. Active exploitation follows serial Langflow CVE targeting: CVE-2026-0770, CVE-2026-33017, CVE-2026-21445, and CVE-2025-34291 (used by Iranian MuddyWater group) all preceded this wave.
Authorization boundary
This incident is categorized as Tool execution / MCP. The relevant Permission Protocol gate is Runtime Gate. The read is conditional: the block only applies where the real action boundary is routed through a gate.
PP's Runtime Gate adds an external authorization check on agent actions executed through Langflow. It would not prevent exploitation of the file upload endpoint itself — that attack bypasses the agent entirely and targets the Langflow server infrastructure.
Related incidents and controls
Microsoft Defender: Mage AI and MCP servers deployed without auth in the wild, enabling RCE with cluster-admin access
CISA KEV: CVE-2026-42271 in LiteLLM — authenticated command injection via MCP test endpoints, chains to unauthenticated RCE (CVSS 10.0)
BadHost CVE-2026-48710: Single character in HTTP Host header bypasses auth on millions of AI agent MCP servers
Start small
This incident maps to Runtime Gate. Start with the boundary that controls the actual action, then require a signed receipt before execution.