CVE-2026-3345: Langflow path traversal

CISO Take

A path traversal vulnerability (CWE-22) in Langflow Desktop versions up to and including 1.8.4 allows any authenticated remote attacker to read arbitrary files on the host system by sending crafted URL requests containing dot-dot sequences. Although exploitation requires valid credentials (low-privilege), the confidentiality impact is rated HIGH — in AI pipeline environments, Langflow instances typically have filesystem access to .env files storing LLM API keys (OpenAI, Anthropic, etc.), RAG document stores, and workflow configurations containing proprietary data, making credential theft and data exfiltration a realistic secondary outcome. EPSS is low (0.059%) but the CVE sits in the 82nd exploitation-likelihood percentile with no public exploit or Nuclei template yet — CISA SSVC rates this TRACK, not emergency. Upgrade to a Langflow release above 1.8.4 immediately; if patching is delayed, restrict Langflow network exposure to internal networks only and rotate any credentials accessible to the process.

Sources: NVD EPSS CISA KEV ATLAS

What is the risk?

Medium risk with elevated AI-specific concern. The PR:L requirement limits exposure to authenticated users only, but AC:L and AV:N mean exploitation is trivially simple once credentials exist. In AI/ML deployments, the blast radius extends beyond the host OS — Langflow processes routinely have read access to LLM provider API keys, vector database connection strings, and RAG corpora, making successful exploitation a gateway to broader AI infrastructure compromise. No active exploitation or public exploit currently, but the attack pattern is well-understood and requires no AI expertise.

How does the attack unfold?

Initial Access

Attacker obtains a low-privilege Langflow user account via credential stuffing, phishing, or a shared internal test credential.

AML.T0012

Exploitation

Authenticated attacker sends a crafted HTTP request with path traversal sequences (../../) targeting a Langflow file-serving endpoint to bypass directory restrictions.

AML.T0049

Data Collection

Attacker iterates traversal paths to read sensitive files — .env configs, API key files, workflow definitions — from the host filesystem.

AML.T0037

Impact

Harvested LLM API keys and secrets enable unauthorized access to AI provider accounts, cost incursion, and further pivot into connected AI infrastructure.

AML.T0055

Initial Access

Attacker obtains a low-privilege Langflow user account via credential stuffing, phishing, or a shared internal test credential.

AML.T0012

Exploitation

Authenticated attacker sends a crafted HTTP request with path traversal sequences (../../) targeting a Langflow file-serving endpoint to bypass directory restrictions.

AML.T0049

Data Collection

Attacker iterates traversal paths to read sensitive files — .env configs, API key files, workflow definitions — from the host filesystem.

AML.T0037

Impact

Harvested LLM API keys and secrets enable unauthorized access to AI provider accounts, cost incursion, and further pivot into connected AI infrastructure.

AML.T0055

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
Langflow	pip	—	No patch
149.9K Pushed 3d ago 40% patched ~67d to patch Full package profile →

Do you use Langflow? You're affected.

How severe is it?

CVSS 3.1

6.5 / 10

EPSS

0.4%

chance of exploitation in 30 days

Higher than 29% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

What is the attack surface?

AV Network

AC Low

PR Low

UI None

S Unchanged

C High

I None

A None

What should I do?

5 steps

Patch: Upgrade Langflow Desktop to any version above 1.8.4 as soon as available. Monitor the Langflow GitHub releases and the IBM advisory at https://www.ibm.com/support/pages/node/7271094 for the patched version.
Network isolation: If patching is not immediately possible, restrict Langflow to internal-only network access via firewall rules or VPN gateway — remove any public-facing exposure.
Credential rotation: Audit and rotate all API keys and secrets stored in files accessible to the Langflow process (LLM provider keys, database passwords, Langflow .env).
Detection: Search web/proxy logs for requests containing URL-encoded or plaintext '../' or '%2e%2e%2f' sequences targeting Langflow endpoints. Implement a WAF rule blocking path traversal patterns on Langflow's HTTP interface.
Least privilege: Ensure the Langflow process user has minimal filesystem permissions — no access to OS-sensitive paths (/etc, /root, system credential stores) beyond what the application requires.

What does CISA's SSVC say?

Decision Track

Exploitation none

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Data Extraction Data Leakage Framework Agent AML.T0037 - Data from Local System AML.T0049 - Exploit Public-Facing Application AML.T0055 - Unsecured Credentials

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15(1) - Accuracy, Robustness and Cybersecurity

ISO 42001

A.6.2.5 - AI System Security Controls

NIST AI RMF

MS-2.5 - AI Risk Measurement — Vulnerability Tracking

OWASP LLM Top 10

LLM02:2025 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2026-3345?

A path traversal vulnerability (CWE-22) in Langflow Desktop versions up to and including 1.8.4 allows any authenticated remote attacker to read arbitrary files on the host system by sending crafted URL requests containing dot-dot sequences. Although exploitation requires valid credentials (low-privilege), the confidentiality impact is rated HIGH — in AI pipeline environments, Langflow instances typically have filesystem access to .env files storing LLM API keys (OpenAI, Anthropic, etc.), RAG document stores, and workflow configurations containing proprietary data, making credential theft and data exfiltration a realistic secondary outcome. EPSS is low (0.059%) but the CVE sits in the 82nd exploitation-likelihood percentile with no public exploit or Nuclei template yet — CISA SSVC rates this TRACK, not emergency. Upgrade to a Langflow release above 1.8.4 immediately; if patching is delayed, restrict Langflow network exposure to internal networks only and rotate any credentials accessible to the process.

Is CVE-2026-3345 actively exploited?

No confirmed active exploitation of CVE-2026-3345 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-3345?

1. Patch: Upgrade Langflow Desktop to any version above 1.8.4 as soon as available. Monitor the Langflow GitHub releases and the IBM advisory at https://www.ibm.com/support/pages/node/7271094 for the patched version. 2. Network isolation: If patching is not immediately possible, restrict Langflow to internal-only network access via firewall rules or VPN gateway — remove any public-facing exposure. 3. Credential rotation: Audit and rotate all API keys and secrets stored in files accessible to the Langflow process (LLM provider keys, database passwords, Langflow .env). 4. Detection: Search web/proxy logs for requests containing URL-encoded or plaintext '../' or '%2e%2e%2f' sequences targeting Langflow endpoints. Implement a WAF rule blocking path traversal patterns on Langflow's HTTP interface. 5. Least privilege: Ensure the Langflow process user has minimal filesystem permissions — no access to OS-sensitive paths (/etc, /root, system credential stores) beyond what the application requires.

What systems are affected by CVE-2026-3345?

This vulnerability affects the following AI/ML architecture patterns: LLM pipeline builders, agent frameworks, RAG pipelines, model serving.

What is the CVSS score for CVE-2026-3345?

CVE-2026-3345 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.37%.

What is the AI security impact?

Affected AI Architectures

LLM pipeline buildersagent frameworksRAG pipelinesmodel serving

MITRE ATLAS Techniques

AML.T0037 Data from Local System

AML.T0049 Exploit Public-Facing Application

AML.T0055 Unsecured Credentials

Compliance Controls Affected

EU AI Act: Article 15(1)

ISO 42001: A.6.2.5

NIST AI RMF: MS-2.5

OWASP LLM Top 10: LLM02:2025

What are the technical details?

Original Advisory

IBM Langflow Desktop <=1.8.4 Langflow could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.

Exploitation Scenario

An attacker with a low-privilege Langflow account — obtained through credential stuffing, internal compromise, or a shared test account — crafts an HTTP GET request to a Langflow file-serving endpoint with a path traversal payload such as `/api/v1/files/download?path=../../../../../../opt/langflow/.env`. The response returns the environment file in plaintext, revealing OpenAI or Anthropic API keys, database connection strings, and Clerk/Stripe secrets. The attacker then uses the harvested LLM API keys to exfiltrate data via the provider's API, incur cost on the victim's account, or pivot into connected AI services. The entire attack requires no AI expertise — only a valid login and a basic understanding of path traversal.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Primary

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

[Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
[Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.