CVE-2026-55450: Langflow — CRITICAL

### Summary Unauthenticated users can upload any amount of data to the server without any limitations. No need for any prior knowledge, only network access to Langflow. This can lead to space exhaustion on the server. In adition, in the response, the absolute path of the uploaded file is reported...

Full CISO analysis pending enrichment.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
Langflow	pip	< 1.9.1	`1.9.1`
149.6K Pushed 3d ago 38% patched ~55d to patch Full package profile →

Do you use Langflow? You're affected.

How severe is it?

CVSS 3.1

9.3 / 10

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

N/A

What is the attack surface?

AV Network

AC Low

PR None

UI None

S Changed

C Low

I None

A High

What should I do?

Patch available

Update Langflow to version 1.9.1

Which compliance frameworks are affected?

Compliance analysis pending. Sign in for full compliance mapping when available.

Frequently Asked Questions

What is CVE-2026-55450?

### Summary Unauthenticated users can upload any amount of data to the server without any limitations. No need for any prior knowledge, only network access to Langflow. This can lead to space exhaustion on the server. In adition, in the response, the absolute path of the uploaded file is reported to the attacker, which is an information leak that can assist in chaining other primitives. Tested on commit 2d67402b1dbaefcbce85a244d4a6cd5e4bda1cfe ### Details Code is in `langflow/api/v1/[endpoints.py](http://endpoints.py/)`: ```python @router.post( "/upload/{flow_id}", status_code=HTTPStatus.CREATED, deprecated=True, ) async def create_upload_file( file: UploadFile, flow_id: UUID, ) -> UploadFileResponse: ... ``` As can be seen above, there is no authentication. There is not validation over `flow_id` as well, unlike other endpoints: ``` flow_id_str = str(flow_id) file_path = await asyncio.to_thread(save_uploaded_file, file, folder_name=flow_id_str) ``` Function `save_uploaded_file` saves the file to local file-system. Suggested fix: 1. Add authentication to route. 2. Only return relative path or filename. ### PoC PoC: ```bash curl 'http://localhost:7860/api/v1/upload/<any_uuid>' -F "file=@<any_file>" ``` Example: ```bash # curl 'http://localhost:7860/api/v1/upload/11111111-1111-1111-1111-111111111111' -F "file=@/tmp/dummy.txt" {"flowId":"11111111-1111-1111-1111-111111111111","file_path":"/Users/ori/Library/Caches/langflow/11111111-1111-1111-1111-111111111111/9d63c3b5b7623d1fa3dc7fd1547313b9546c6d0fbbb6773a420613b7a17995c8.txt"} ``` ### Impact 1. Space exhaustion on server that can lead to Denial-of-Service. 2. Information leak - leakage of absolute path of langflow's cache directory in server. ### Patches Fixed in **1.9.1** via PR [#12831](https://github.com/langflow-ai/langflow/pull/12831). The deprecated `POST /api/v1/upload/{flow_id}` endpoint now uses the `get_flow` dependency, requiring an authenticated user and flow ownership (returns `404` for missing or cross-user flows), and enforces the `max_file_size_upload` limit (`HTTP 413`) — closing the unauthenticated upload and disk-exhaustion vectors. Upgrade to **1.9.1 or later**. Note: the response still returns the file's absolute path (`file_path`); after this fix it is only disclosed to the authenticated owner of the flow. Ori Lahav Security Researcher @ Rubrik Inc.

Is CVE-2026-55450 actively exploited?

No confirmed active exploitation of CVE-2026-55450 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-55450?

Update to patched version: Langflow 1.9.1.

What is the CVSS score for CVE-2026-55450?

CVE-2026-55450 has a CVSS v3.1 base score of 9.3 (CRITICAL).

What are the technical details?

Original Advisory

### Summary Unauthenticated users can upload any amount of data to the server without any limitations. No need for any prior knowledge, only network access to Langflow. This can lead to space exhaustion on the server. In adition, in the response, the absolute path of the uploaded file is reported to the attacker, which is an information leak that can assist in chaining other primitives. Tested on commit 2d67402b1dbaefcbce85a244d4a6cd5e4bda1cfe ### Details Code is in `langflow/api/v1/[endpoints.py](http://endpoints.py/)`: ```python @router.post( "/upload/{flow_id}", status_code=HTTPStatus.CREATED, deprecated=True, ) async def create_upload_file( file: UploadFile, flow_id: UUID, ) -> UploadFileResponse: ... ``` As can be seen above, there is no authentication. There is not validation over `flow_id` as well, unlike other endpoints: ``` flow_id_str = str(flow_id) file_path = await asyncio.to_thread(save_uploaded_file, file, folder_name=flow_id_str) ``` Function `save_uploaded_file` saves the file to local file-system. Suggested fix: 1. Add authentication to route. 2. Only return relative path or filename. ### PoC PoC: ```bash curl 'http://localhost:7860/api/v1/upload/<any_uuid>' -F "file=@<any_file>" ``` Example: ```bash # curl 'http://localhost:7860/api/v1/upload/11111111-1111-1111-1111-111111111111' -F "file=@/tmp/dummy.txt" {"flowId":"11111111-1111-1111-1111-111111111111","file_path":"/Users/ori/Library/Caches/langflow/11111111-1111-1111-1111-111111111111/9d63c3b5b7623d1fa3dc7fd1547313b9546c6d0fbbb6773a420613b7a17995c8.txt"} ``` ### Impact 1. Space exhaustion on server that can lead to Denial-of-Service. 2. Information leak - leakage of absolute path of langflow's cache directory in server. ### Patches Fixed in **1.9.1** via PR [#12831](https://github.com/langflow-ai/langflow/pull/12831). The deprecated `POST /api/v1/upload/{flow_id}` endpoint now uses the `get_flow` dependency, requiring an authenticated user and flow ownership (returns `404` for missing or cross-user flows), and enforces the `max_file_size_upload` limit (`HTTP 413`) — closing the unauthenticated upload and disk-exhaustion vectors. Upgrade to **1.9.1 or later**. Note: the response still returns the file's absolute path (`file_path`); after this fix it is only disclosed to the authenticated owner of the flow. Ori Lahav Security Researcher @ Rubrik Inc.

Weaknesses (CWE)

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor Primary CWE-306 Missing Authentication for Critical Function Primary CWE-400 Uncontrolled Resource Consumption Primary

CWE-200 — Exposure of Sensitive Information to an Unauthorized Actor: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

[Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

Source: MITRE CWE corpus.