Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| langflow | pip | <= 1.8.4 | 1.9.0 |
Recommended Action
Patch available
Update langflow to version 1.9.0
Frequently Asked Questions
What is CVE-2026-42048?
Langflow Knowledge Bases API is Vulnerable to Path Traversal
Is CVE-2026-42048 actively exploited?
No confirmed active exploitation of CVE-2026-42048 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-42048?
Update to patched version: langflow 1.9.0.
What is the CVSS score for CVE-2026-42048?
CVE-2026-42048 has a CVSS v3.1 base score of 9.6 (CRITICAL).
Technical Details
NVD Description
## Summary

Langflow is vulnerable to Path Traversal in the Knowledge Bases API (`DELETE /api/v1/knowledge_bases`). This occurs because user-supplied knowledge base names are concatenated directly into file paths without proper sanitization or boundary validation. An authenticated attacker can exploit this flaw to delete arbitrary directories anywhere on the server's filesystem, leading to data loss and potential service disruption.

## Details

The vulnerability exists in the `delete_knowledge_bases_bulk` function within `src/backend/base/langflow/api/v1/knowledge_bases.py`. This function constructs file paths directly from the user-supplied `kb_names` parameter. While other knowledge base endpoints safely route through standard path resolution (e.g., `_resolve_kb_path()`), the bulk delete handler bypasses this entirely. It builds the path manually and passes it directly to `shutil.rmtree()` without validating whether the resulting path resolves outside the intended user directory.

## PoC (Proof of Concept)

For the **Bulk Delete** endpoint, an authenticated attacker can supply a traversal sequence in the `kb_names` parameter:

`../victim_user/kb_name`

Because the path is passed directly to `shutil.rmtree()` without containment checks, this payload deletes directories outside the intended scope.

## Impact

Any Langflow instance exposing this endpoint to authenticated users is vulnerable. This exposes the server to:

* **Cross-user data compromise:** Deletion of directories within another tenant's knowledge base space.
* **Arbitrary filesystem manipulation:** Directory deletion at any path on the server where the application has write permissions.
* **Service disruption & Data Loss:** Deletion of critical application files or unrecoverable data loss if backups are co-located on the same filesystem.

## Fixes

The issue was addressed in **PR #12243**, which applies `Path.resolve()` to normalize the supplied path and validates that it starts with the authenticated user's directory before deletion. Subsequent updates (backported from PR #12337) introduced robust containment checks using `Path.is_relative_to()` to prevent prefix-ambiguity bugs.

## Acknowledgements

Thanks to the security researchers who responsibly disclosed this vulnerability:

* @ddlxstudio
* @nekros1xx
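To show why the advisory's fix went through two stages, here is an added Python example (hypothetical, not Langflow's code) contrasting the unchecked join, a string-prefix check of the kind the first fix used, and a `Path.is_relative_to()` containment check; the directory layout it builds in a temp dir (`kb/alice`, `kb/alice_old`, `kb/bob`) is constructed for the demo.

```python
from pathlib import Path
import tempfile


def kb_path_unchecked(user_root: Path, kb_name: str) -> Path:
    """Flawed pattern from the advisory: the caller-supplied name is joined
    straight into a path with no containment check before rmtree()."""
    return user_root / kb_name


def contained_by_prefix(user_root: Path, candidate: Path) -> bool:
    """First-fix style: resolve, then string-prefix compare. Prefix-ambiguous:
    '<root>/alice_old' starts with '<root>/alice' yet is a different user."""
    return str(candidate.resolve()).startswith(str(user_root.resolve()))


def contained_by_components(user_root: Path, candidate: Path) -> bool:
    """Hardened check: Path.is_relative_to() compares whole path components,
    so a sibling sharing a name prefix is rejected. The root itself is also
    rejected so a bulk delete cannot remove the user's entire KB space."""
    root, target = user_root.resolve(), candidate.resolve()
    return target != root and target.is_relative_to(root)


def safe_kb_path(user_root: Path, kb_name: str) -> Path:
    """Resolve kb_name under user_root; raise instead of returning an escape."""
    candidate = user_root / kb_name
    if not contained_by_components(user_root, candidate):
        raise ValueError(f"knowledge base name escapes user directory: {kb_name!r}")
    return candidate.resolve()


def demo() -> dict:
    """Constructed layout (hypothetical, in a temp dir): kb/alice, kb/alice_old,
    kb/bob. Returns (prefix_check, component_check) per candidate name."""
    base = Path(tempfile.mkdtemp()) / "kb"
    for name in ("alice", "alice_old", "bob"):
        (base / name).mkdir(parents=True)
    alice = base / "alice"
    results = {}
    for kb_name in ("notes", "../bob/notes", "../alice_old", "."):
        cand = kb_path_unchecked(alice, kb_name)
        results[kb_name] = (contained_by_prefix(alice, cand),
                            contained_by_components(alice, cand))
    try:
        safe_kb_path(alice, "../bob/notes")
        results["rejected"] = False
    except ValueError:
        results["rejected"] = True
    return results
```

The `../alice_old` and `.` cases are the ones the string-prefix check accepts and the component check refuses, which is the prefix-ambiguity bug the second fix closes.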
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
Related Vulnerabilities
| CVE | CVSS | Title |
|---|---|---|
| CVE-2026-33309 | 9.9 | langflow: Path Traversal enables file access |
| CVE-2026-27966 | 9.8 | langflow: Code Injection enables RCE |
| CVE-2024-37014 | 9.8 | Langflow: unauthenticated RCE via custom component API |
| CVE-2026-33017 | 9.8 | langflow: Code Injection enables RCE |
| CVE-2024-42835 | 9.8 | Langflow: Unauthenticated RCE via PythonCodeTool |
All five are in the same package: langflow.