CVE-2026-6596: Langflow: unauthenticated file upload allows RCE

GHSA-vvfc-fp59-m92g | Severity: HIGH | CISA SSVC: TRACK*
Published April 20, 2026
CISO Take

CVE-2026-6596 is an unauthenticated unrestricted file upload vulnerability in Langflow's API endpoint (create_upload_file), meaning any network-reachable Langflow instance can be exploited without credentials to upload arbitrary files. Despite a low raw EPSS score, this sits in the top 85th percentile of exploitation likelihood, a public proof-of-concept exploit is already circulating on GitHub, and Langflow carries a package risk score of 77/100 with 40 prior CVEs — making this a high-confidence attack target for opportunistic actors. Any AI development or production environment running Langflow ≤ 1.1.0 (langflow-base < 1.9.1) is exposed; because Langflow orchestrates LLM workflow execution, a successful upload can enable remote code execution within AI pipelines and exfiltration of LLM API keys, vector database credentials, or sensitive model artifacts. Patch immediately to langflow-base 1.9.1, restrict Langflow API access to trusted networks, and audit upload endpoint logs for unexpected file types.

Sources: NVD, EPSS, GitHub Advisory, ATLAS

What is the risk?

High risk. The vulnerability is trivially exploitable — no authentication, no user interaction, low attack complexity, and a public proof-of-concept is already available. The unauthenticated network attack vector means automated mass scanning and exploitation is plausible for any internet-facing Langflow instance. While not in CISA KEV (SSVC: TRACK_STAR), the combination of an existing PoC, a package with 40 prior CVEs, and zero downstream dependents (suggesting direct enterprise deployments rather than transitive exposure) elevates real-world risk significantly. Organizations using Langflow in AI production pipelines are at immediate risk of full environment compromise.

How does the attack unfold?

Reconnaissance (AML.T0006)
Adversary identifies internet-exposed Langflow instances via Shodan or Censys by fingerprinting default Langflow service banners and port patterns.

Initial Access (AML.T0049)
Adversary sends an unauthenticated HTTP POST to /api/v1/files/upload containing a malicious payload (Python script or web shell), exploiting the missing access control in create_upload_file.

Execution (AML.T0050)
Uploaded malicious file is triggered via Langflow's custom component system or workflow execution engine, achieving RCE in the AI runtime context.

Credential Access & Exfiltration (AML.T0055)
Adversary extracts LLM API keys, vector database credentials, and AI model artifacts from the runtime environment, then pivots to connected AI infrastructure.

What systems are affected?

Package    Ecosystem   Vulnerable Range   Patched
Langflow   pip         (not given)        No patch
Langflow   pip         < 0.9.1            0.9.1

Package stats: 149.9K, pushed 3d ago, 40% patched, ~67d to patch

How severe is it?

CVSS 3.1: 7.3 / 10
EPSS: 0.3% chance of exploitation in 30 days (higher than 20% of all CVEs)
Exploitation Status: Exploit Available (Exploitation: MEDIUM)
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low

What should I do?

  1. Patch immediately: upgrade langflow-base to 1.9.1 or later — this is the only complete fix.

  2. Network controls: restrict Langflow API access to trusted IP ranges; the /api/v1/files/upload endpoint must not be exposed to the public internet.

  3. Authentication enforcement: deploy Langflow behind an authenticated reverse proxy (API gateway, VPN, or identity-aware proxy) as defense-in-depth.

  4. Detection: audit web server and application logs for POST requests to /api/v1/files/upload from unexpected sources or containing non-standard file types (.py, .sh, .php, .exe).

  5. Credential rotation: if exposure is suspected, immediately rotate all LLM API keys (OpenAI, Anthropic, etc.) and database credentials accessible from the Langflow environment.

  6. Reference the public PoC at the GitHub gist (chenhouser2025) to understand exact exploit mechanics for detection rule development.
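The detection and network-control steps above (steps 2 and 4) can be turned into a simple log review. The following is an added example, not code from the advisory or from the Langflow project; the JSON-lines log schema, the sample events and the TRUSTED_NETS allow-list are constructed for illustration and must be adapted to the field names your deployment actually logs.

```python
"""Scan Langflow application logs for uploads that break the baseline in steps 2 and
4 above. The JSON-lines schema, sample events and TRUSTED_NETS are constructed for
this example (not Langflow's own log format); adapt the field names to your logs."""
import ipaddress
import json
import posixpath

UPLOAD_PATH = "/api/v1/files/upload"
RISKY_EXT = {".py", ".sh", ".php", ".exe"}  # file types named in step 4
# Placeholder allow-list of networks that should legitimately reach the API (step 2).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.0.0/16")]

def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def risky_extension(filename: str) -> bool:
    """Check every suffix, so 'notes.txt.sh' and 'shell.php.jpg' both match;
    normalize case and strip any path components smuggled into the name."""
    name = posixpath.basename(filename.replace("\\", "/")).lower()
    return any("." + part in RISKY_EXT for part in name.split(".")[1:])

def find_suspicious_uploads(lines):
    """Return (line_no, reason) pairs for each upload event outside the baseline."""
    findings = []
    for n, line in enumerate(lines, 1):
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("method") != "POST" or not ev.get("path", "").startswith(UPLOAD_PATH):
            continue
        if not is_trusted(ev.get("src_ip", "0.0.0.0")):
            findings.append((n, "source outside trusted networks"))
        if risky_extension(ev.get("filename", "")):
            findings.append((n, "risky file type"))
        if not ev.get("user"):  # the endpoint should never accept anonymous uploads
            findings.append((n, "no authenticated principal"))
    return findings

# Constructed sample events: one benign upload, one non-upload request, two to flag.
SAMPLE_LOG = [
    '{"ts":"2026-04-21T09:12:03Z","src_ip":"10.20.3.4","user":"alice","method":"POST","path":"/api/v1/files/upload","status":201,"filename":"prompts.csv"}',
    '{"ts":"2026-04-21T09:14:55Z","src_ip":"203.0.113.77","user":null,"method":"POST","path":"/api/v1/files/upload","status":201,"filename":"component.py"}',
    '{"ts":"2026-04-21T09:15:10Z","src_ip":"10.20.3.9","user":"bob","method":"GET","path":"/api/v1/files/list","status":200}',
    '{"ts":"2026-04-21T09:16:42Z","src_ip":"10.20.3.4","user":"alice","method":"POST","path":"/api/v1/files/upload","status":201,"filename":"notes.txt.sh"}',
]
```

Running find_suspicious_uploads(SAMPLE_LOG) flags the anonymous off-network .py upload on three counts and the trusted user's double-extension .sh file once; the benign CSV and the GET request produce nothing.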

What does CISA's SSVC say?

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  • Article 15 - Accuracy, robustness and cybersecurity
  • Article 9 - Risk management system
ISO 42001
  • A.6.2 - AI system design and development security
  • A.9.3 - Controls for AI system use
NIST AI RMF
  • MANAGE 2.2 - Mechanisms to sustain value of deployed AI systems
OWASP LLM Top 10
  • LLM03:2025 - Supply Chain

Frequently Asked Questions

Is CVE-2026-6596 actively exploited?

No confirmed active exploitation of CVE-2026-6596 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-6596?

This vulnerability affects the following AI/ML architecture patterns: LLM application builders using Langflow, Agent frameworks, RAG pipelines, AI development environments, Model serving pipelines connected to Langflow.

What is the CVSS score for CVE-2026-6596?

CVE-2026-6596 has a CVSS v3.1 base score of 7.3 (HIGH). The EPSS exploitation probability is 0.28%.

What is the AI security impact?

Affected AI Architectures

LLM application builders using Langflow
Agent frameworks
RAG pipelines
AI development environments
Model serving pipelines connected to Langflow

MITRE ATLAS Techniques

AML.T0037 Data from Local System
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0055 Unsecured Credentials

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: A.6.2, A.9.3
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

A security flaw has been discovered in langflow-ai langflow up to 1.1.0. This issue affects the function create_upload_file of the file src/backend/base/Langflow/api/v1/endpoints.py of the component API Endpoint. The manipulation results in unrestricted upload. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Exploitation Scenario

An adversary scans internet-facing infrastructure via Shodan or Censys to identify Langflow instances running on default ports. Without any credentials, they send an HTTP POST request to /api/v1/files/upload with a malicious Python script or web shell embedded in a legitimate-looking filename. Due to CWE-434 (unrestricted upload) and CWE-284 (improper access control), the server accepts and stores the file. The attacker then triggers execution through Langflow's workflow engine — for example, by creating a custom component referencing the uploaded file — achieving RCE in the Langflow process context. This process typically runs with environment variables containing LLM API keys, vector database credentials, and internal network access, enabling full AI environment compromise and lateral movement to connected downstream services.

Weaknesses (CWE)

CWE-284 — Improper Access Control: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

  • [Architecture and Design, Operation] Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.
  • [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Timeline

Published: April 20, 2026
Last Modified: June 18, 2026
First Seen: April 20, 2026
