CVE-2026-33309

Langflow is a tool for building and deploying AI-powered agents and workflows. Versions 1.2.0 through 1.8.1 have a bypass of the patch for CVE-2025-68478 (External Control of File Name), leading to the root architectural issue within `LocalStorageService` remaining unresolved. Because the underlying storage layer lacks boundary containment checks, the system relies entirely on the HTTP-layer `ValidatedFileName` dependency. This defense-in-depth failure leaves the `POST /api/v2/files/` endpoint vulnerable to Arbitrary File Write. The multipart upload filename bypasses the path-parameter guard, allowing authenticated attackers to write files anywhere on the host system, leading to Remote Code Execution (RCE). Version 1.9.0 contains an updated fix.

An attacker with a low-privilege Langflow account (e.g., a compromised trial user or an insider threat) crafts a multipart HTTP POST to /api/v2/files/ with a filename such as '../../usr/lib/python3/dist-packages/langflow/malicious.py' or a path targeting a cron directory. The HTTP-layer ValidatedFileName check is bypassed because the underlying LocalStorageService performs no boundary containment — the filename passes through the storage layer unchanged. The server writes attacker-controlled Python code to the target path. On next Langflow process restart or scheduled execution, the injected module is imported and the attacker's payload executes with Langflow's process privileges. From there, the attacker establishes a reverse shell, exfiltrates API keys and LLM credentials stored in Langflow's configuration, poisons agent tool definitions to affect downstream AI pipeline consumers, and potentially pivots to connected databases or cloud infrastructure.