CVE-2026-42867: Langflow — MEDIUM

Q: Is CVE-2026-42867 actively exploited?

No confirmed active exploitation of CVE-2026-42867 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2026-42867?

Update to patched version: Langflow 1.9.0.

Q: What is the CVSS score for CVE-2026-42867?

CVE-2026-42867 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.06%.

## Summary Langflow is vulnerable to Path Traversal in the Knowledge Bases API (`POST /api/v1/knowledge_bases`). This occurs because user-supplied knowledge base names are used directly to create file paths without proper sanitization or containment checks. An authenticated attacker can exploit...

Full CISO analysis pending enrichment.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
Langflow	pip	<= 1.8.4	`1.9.0`
149.6K Pushed 2d ago 37% patched ~57d to patch Full package profile →

Do you use Langflow? You're affected.

How severe is it?

CVSS 3.1

6.5 / 10

EPSS

0.1%

chance of exploitation in 30 days

Higher than 18% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

N/A

What is the attack surface?

AV Network

AC Low

PR None

UI None

S Unchanged

C None

I Low

A Low

What should I do?

Patch available

Update Langflow to version 1.9.0

Which compliance frameworks are affected?

Compliance analysis pending. Sign in for full compliance mapping when available.

Frequently Asked Questions

What is CVE-2026-42867?

## Summary Langflow is vulnerable to Path Traversal in the Knowledge Bases API (`POST /api/v1/knowledge_bases`). This occurs because user-supplied knowledge base names are used directly to create file paths without proper sanitization or containment checks. An authenticated attacker can exploit this flaw to create directories and write files anywhere on the server's filesystem. ## Details The vulnerability exists in the `create_knowledge_base` function within `src/backend/base/langflow/api/v1/knowledge_bases.py`. This function constructs file paths directly from the user-supplied `name` field without sanitization. The value is concatenated with the user's base directory and passed directly to `kb_path.mkdir()`. Immediately following the directory creation, the application writes `embedding_metadata.json` and `schema.json` into this attacker-controlled path. ## PoC (Proof of Concept) For the **Create** endpoint, an attacker can supply traversal sequences or absolute paths in the `name` field: `../victim_user/evil_kb` or `/tmp/pwned` This forces `kb_path.mkdir()` to create directories and write specific application files (`embedding_metadata.json` and `schema.json`) at any reachable path on the server. ## Impact Any Langflow instance exposing this endpoint to authenticated users is vulnerable. This exposes the server to: * **Cross-user data compromise:** Creation of directories and files within another tenant's knowledge base space. * **Arbitrary filesystem manipulation:** Directory creation at any path on the server where the application has write permissions (e.g., `/app/data`). * **Data overwrite:** Overwriting existing `embedding_metadata.json` and `schema.json` files in attacker-targeted paths, potentially corrupting existing knowledge bases. ## Fixes The issue was addressed in **PR #12337**. The fix introduces the `_validate_kb_path_containment()` helper function, which uses `Path.is_relative_to()` instead of `startswith()` to enforce strict path boundaries and prevent prefix-ambiguity bugs. This helper is applied before any filesystem operations. Regression tests were added to verify that traversal payloads return a `403 Forbidden`. ## Acknowledgements Thanks to the security researchers who responsibly disclosed this vulnerability: * @ddlxstudio * @nekros1xx

Is CVE-2026-42867 actively exploited?

No confirmed active exploitation of CVE-2026-42867 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-42867?

Update to patched version: Langflow 1.9.0.

What is the CVSS score for CVE-2026-42867?

CVE-2026-42867 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.06%.

What are the technical details?

Original Advisory

## Summary Langflow is vulnerable to Path Traversal in the Knowledge Bases API (`POST /api/v1/knowledge_bases`). This occurs because user-supplied knowledge base names are used directly to create file paths without proper sanitization or containment checks. An authenticated attacker can exploit this flaw to create directories and write files anywhere on the server's filesystem. ## Details The vulnerability exists in the `create_knowledge_base` function within `src/backend/base/langflow/api/v1/knowledge_bases.py`. This function constructs file paths directly from the user-supplied `name` field without sanitization. The value is concatenated with the user's base directory and passed directly to `kb_path.mkdir()`. Immediately following the directory creation, the application writes `embedding_metadata.json` and `schema.json` into this attacker-controlled path. ## PoC (Proof of Concept) For the **Create** endpoint, an attacker can supply traversal sequences or absolute paths in the `name` field: `../victim_user/evil_kb` or `/tmp/pwned` This forces `kb_path.mkdir()` to create directories and write specific application files (`embedding_metadata.json` and `schema.json`) at any reachable path on the server. ## Impact Any Langflow instance exposing this endpoint to authenticated users is vulnerable. This exposes the server to: * **Cross-user data compromise:** Creation of directories and files within another tenant's knowledge base space. * **Arbitrary filesystem manipulation:** Directory creation at any path on the server where the application has write permissions (e.g., `/app/data`). * **Data overwrite:** Overwriting existing `embedding_metadata.json` and `schema.json` files in attacker-targeted paths, potentially corrupting existing knowledge bases. ## Fixes The issue was addressed in **PR #12337**. The fix introduces the `_validate_kb_path_containment()` helper function, which uses `Path.is_relative_to()` instead of `startswith()` to enforce strict path boundaries and prevent prefix-ambiguity bugs. This helper is applied before any filesystem operations. Regression tests were added to verify that traversal payloads return a `403 Forbidden`. ## Acknowledgements Thanks to the security researchers who responsibly disclosed this vulnerability: * @ddlxstudio * @nekros1xx

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Primary

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

[Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
[Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.