Hackers Actively Exploit Path Traversal Flaw in AI Platform Langflow

Attackers are weaponizing CVE-2026-5027, a high-severity path traversal vulnerability in the open-source AI development platform Langflow, to write arbitrary files onto exposed servers. Langflow, a visual drag-and-drop environment for building AI applications, agents, and Retrieval-Augmented Generation (RAG) workflows, has amassed more than 149,000 GitHub stars and is widely adopted by AI engineering teams. Researchers at Tenable discovered the flaw earlier this year and publicly disclosed it on March 27, 2026, after the Langflow maintainers failed to respond to the original responsible disclosure report.

The vulnerability resides in Langflow's file upload mechanism, specifically the "POST /api/v2/files" endpoint, which fails to sanitize the "filename" parameter in multipart form data. By injecting path traversal sequences such as "../", an unauthenticated attacker can write files to arbitrary locations on the underlying filesystem. Because Langflow enables unauthenticated auto-login by default, a single unauthenticated request is enough to obtain a valid session token before exploitation proceeds. Snyk Security confirmed the issue was patched in the langflow-base package version 0.8.3 and in Langflow application version 1.9.0, with the latest release, version 1.10.0, published today.

VulnCheck researcher Caitlin Condon reported that honeypot infrastructure has already detected attackers dropping test files on vulnerable instances in the wild, confirming active exploitation. Censys scans identified roughly 7,000 publicly exposed Langflow endpoints, though historical data may inflate the current count. Defenders can use a port scanner to identify Langflow instances exposed on their perimeter, and a WHOIS lookup to assess ownership of suspicious associated infrastructure. This wave of activity follows earlier exploitation of related Langflow flaws CVE-2026-0770, CVE-2026-21445, and CVE-2026-33017, as well as last year's CISA-warned CVE-2025-3248, which VulnCheck has linked to Iranian threat group MuddyWater.

Organizations running Langflow should immediately upgrade to version 1.10.0 and audit their environments for any indicators of compromise, especially unauthorized file writes outside expected directories. Teams should also run a privacy checkup across exposed assets to verify that authentication controls and session management are properly hardened. Given the unauthenticated nature of the exploit and the volume of internet-exposed Langflow instances, the window for remediation is narrow before broader mass exploitation takes hold.