CVE-2026-13445: Langflow: SaveToFile flaw breaks user storage isolation

HIGH
Published July 17, 2026
CISO Take

IBM Langflow OSS versions 1.0.0 through 1.10.1 contain a broken-access-control flaw in the SaveToFile component that lets any authenticated user specify absolute paths pointing into another user's storage, letting them read and modify files they should never touch. This matters because Langflow is a low-code LLM workflow/agent builder often deployed multi-tenant, so a single low-privileged account is enough to steal another tenant's uploaded documents (append mode) or corrupt them outright (overwrite mode) — no user interaction and low attack complexity, per the CVSS 8.1 (AV:N/AC:L/PR:L). There is no EPSS score yet, it is not in CISA KEV, and no public exploit or Nuclei template exists, so this looks unweaponized for now rather than under active attack. Still, any organization running shared or multi-user Langflow instances should treat this as a priority patch: upgrade past 1.10.1 once IBM's fix is available, and in the meantime audit who has access to shared Langflow tenants and monitor storage access logs for absolute or traversal-style paths reaching the SaveToFile component.

Sources: NVD CISA KEV ATLAS ibm.com

What is the risk?

High severity (CVSS 8.1) with a straightforward exploitation path: any authenticated user, regardless of privilege level, can trigger the flaw with no user interaction and low attack complexity. The confidentiality and integrity impacts are both high, though availability is unaffected. Real-world risk is currently tempered by the absence of EPSS scoring, CISA KEV listing, public exploit code, or a Nuclei template — indicating this is not yet under active or opportunistic exploitation. The primary exposure driver is deployment model: single-tenant or fully isolated Langflow instances are largely unaffected, while multi-tenant or shared-team deployments (the common pattern for AI workflow/agent platforms) carry meaningful risk of cross-user data theft or sabotage.

How does the attack unfold?

Authenticated Access
Attacker logs into the shared Langflow instance using a valid, low-privileged account.
Malicious Workflow Construction
Attacker builds a flow using the SaveToFile component and specifies an absolute path pointing into another user's storage location instead of their own.
AML.T0049
Cross-User Read/Exfiltration
Running the flow in append mode reads the victim's file contents and saves a copy containing that data into the attacker's own namespace.
AML.T0025
Integrity Impact
Alternatively, running the flow in overwrite mode replaces the victim's file contents with arbitrary attacker-controlled data, corrupting downstream data or pipeline outputs.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Langflow pip No patch
151.7K Pushed 5d ago 31% patched ~70d to patch Full package profile →

Do you use Langflow? You're affected.

How severe is it?

CVSS 3.1
8.1 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Moderate

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Unchanged
C High
I High
A None

What should I do?

1 step
  1. 1) Upgrade Langflow to the patched release once available (monitor IBM's advisory and the Langflow GitHub repo for the fix version beyond 1.10.1). 2) Until patched, treat any multi-tenant Langflow deployment as high-risk: consider isolating tenants into separate instances or containers rather than relying on the application's storage boundary. 3) Add compensating controls at the storage layer — enforce per-user path prefixes/chroot at the filesystem or object-storage level so absolute paths outside a user's namespace cannot resolve. 4) Audit and, if feasible, restrict or disable the SaveToFile component for shared deployments until patched. 5) Monitor file storage access logs for absolute paths or path-traversal patterns (e.g., paths outside expected per-user prefixes, ../ sequences) reaching storage write/append operations. 6) Review recent SaveToFile executions for evidence of cross-user file access as part of incident triage.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, Robustness and Cybersecurity
NIST AI RMF
MANAGE-2.3 - Risks and benefits from third-party or shared resources are monitored
OWASP LLM Top 10
LLM02:2025 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2026-13445?

IBM Langflow OSS versions 1.0.0 through 1.10.1 contain a broken-access-control flaw in the SaveToFile component that lets any authenticated user specify absolute paths pointing into another user's storage, letting them read and modify files they should never touch. This matters because Langflow is a low-code LLM workflow/agent builder often deployed multi-tenant, so a single low-privileged account is enough to steal another tenant's uploaded documents (append mode) or corrupt them outright (overwrite mode) — no user interaction and low attack complexity, per the CVSS 8.1 (AV:N/AC:L/PR:L). There is no EPSS score yet, it is not in CISA KEV, and no public exploit or Nuclei template exists, so this looks unweaponized for now rather than under active attack. Still, any organization running shared or multi-user Langflow instances should treat this as a priority patch: upgrade past 1.10.1 once IBM's fix is available, and in the meantime audit who has access to shared Langflow tenants and monitor storage access logs for absolute or traversal-style paths reaching the SaveToFile component.

Is CVE-2026-13445 actively exploited?

No confirmed active exploitation of CVE-2026-13445 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-13445?

1) Upgrade Langflow to the patched release once available (monitor IBM's advisory and the Langflow GitHub repo for the fix version beyond 1.10.1). 2) Until patched, treat any multi-tenant Langflow deployment as high-risk: consider isolating tenants into separate instances or containers rather than relying on the application's storage boundary. 3) Add compensating controls at the storage layer — enforce per-user path prefixes/chroot at the filesystem or object-storage level so absolute paths outside a user's namespace cannot resolve. 4) Audit and, if feasible, restrict or disable the SaveToFile component for shared deployments until patched. 5) Monitor file storage access logs for absolute paths or path-traversal patterns (e.g., paths outside expected per-user prefixes, `../` sequences) reaching storage write/append operations. 6) Review recent SaveToFile executions for evidence of cross-user file access as part of incident triage.

What systems are affected by CVE-2026-13445?

This vulnerability affects the following AI/ML architecture patterns: RAG pipelines, agent frameworks, LLM workflow orchestration, multi-tenant SaaS deployments.

What is the CVSS score for CVE-2026-13445?

CVE-2026-13445 has a CVSS v3.1 base score of 8.1 (HIGH).

What is the AI security impact?

Affected AI Architectures

RAG pipelinesagent frameworksLLM workflow orchestrationmulti-tenant SaaS deployments

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means
AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
NIST AI RMF: MANAGE-2.3
OWASP LLM Top 10: LLM02:2025

What are the technical details?

Original Advisory

IBM Langflow OSS 1.0.0 through 1.10.1 can allow an authenticated attacker to exploit the SaveToFile component to read and modify another user's uploaded files by specifying absolute paths pointing to victim storage locations. In append mode, the attacker's workflow reads victim file contents, appends attacker-controlled data, and uploads a copy containing victim data to the attacker's namespace (confidentiality breach). In overwrite mode, the attacker can replace victim file contents with arbitrary data (integrity breach). This breaks the storage ownership boundary between users.

Exploitation Scenario

An attacker with a valid, low-privileged account on a shared Langflow instance builds a workflow that uses the SaveToFile component, but instead of a relative path within their own storage area, they specify an absolute path pointing at another tenant's known or guessed storage location. Running the flow in append mode causes Langflow to read the victim's file contents, append attacker-controlled data, and save a copy into the attacker's own namespace — effectively exfiltrating the victim's uploaded documents (e.g., proprietary RAG source material) without the victim ever noticing. In a more destructive variant, the attacker sets the component to overwrite mode and replaces the victim's file with arbitrary content, silently corrupting the data a victim's RAG pipeline or downstream automation relies on.

Weaknesses (CWE)

CWE-639 — Authorization Bypass Through User-Controlled Key: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

  • [Architecture and Design] For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
  • [Architecture and Design, Implementation] Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Timeline

Published
July 17, 2026
Last Modified
July 17, 2026
First Seen
July 17, 2026

Related Vulnerabilities