CVE-2026-8859: Langflow: path traversal writes arbitrary files

CRITICAL
Published July 17, 2026
CISO Take

IBM's Langflow OSS agent-building framework ships an APIRequest component whose optional "Save to File" feature trusts the Content-Disposition filename returned by whatever HTTP endpoint a flow calls, letting a malicious or compromised external server inject "../" sequences and write attacker-controlled content anywhere the Langflow process can reach on disk. This is critical (CVSS 9.9, network vector, no user interaction, scope change) because Langflow flows routinely call third-party APIs, webhooks, or externally-supplied URLs as part of agent tool use — any flow that points APIRequest at an untrusted, compromised, or SSRF-able endpoint hands a remote attacker arbitrary file write on the host. There's no CISA KEV listing, no published EPSS score, and no public PoC or Nuclei template found, so this looks pre-exploitation rather than actively weaponized right now — but a 9.9 arbitrary-write bug in a widely deployed open-source agent framework is a prime target for reverse-engineering once the vendor patch diff circulates. Upgrade past 1.10.0 immediately, disable "Save to File" on APIRequest components until patched, and audit existing flows for any URL fed to that component that isn't fully trusted.

Sources: NVD IBM Support Advisory ATLAS

What is the risk?

CVSS 9.9 reflects the worst-case combination: network-reachable, low attack complexity, only low privileges required (an authenticated user able to build or trigger a flow), no user interaction, and full compromise of confidentiality, integrity, and availability once the write lands somewhere sensitive (webroot, cron, systemd unit, application config/credentials). The gating factor is that the attacker needs the flow to call an endpoint they control or have compromised — this is not a pure unauthenticated network exploit, but Langflow's core use case (calling external APIs and tools) makes that condition easy to satisfy via a look-alike or SSRF-reachable endpoint. No KEV listing, EPSS score, or public exploit/scanner exists yet, so treat this as high-severity-but-not-yet-weaponized: patch before it becomes a commodity target rather than reacting after exploitation is observed.

How does the attack unfold?

Infrastructure setup
Attacker stands up or compromises an HTTP server that a target's Langflow flow is configured to call via the APIRequest component with "Save to File" enabled.
AML.T0008
Malicious response
When the flow executes and calls the endpoint, the attacker's server returns a crafted Content-Disposition header containing path traversal sequences (e.g. ../../).
AML.T0053
Arbitrary file write
Langflow fails to sanitize the header-derived filename and joins it to the temp directory path, writing the attacker's response body to an arbitrary filesystem location.
Host compromise
The attacker-controlled file (webshell, cron job, or overwritten config/credentials) is used to achieve code execution or persistence on the machine running Langflow.
AML.T0112

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Langflow pip No patch
151.7K Pushed 5d ago 31% patched ~70d to patch Full package profile →

Do you use Langflow? You're affected.

How severe is it?

CVSS 3.1
9.9 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Moderate

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Changed
C High
I High
A High

What should I do?

1 step
  1. Upgrade Langflow past the affected 1.0.0-1.10.0 range to the patched release referenced in IBM's advisory. Until patched, disable the "Save to File" option on all APIRequest components as a workaround. Restrict Langflow's outbound network access with an allowlist of trusted destinations to reduce SSRF-adjacent exposure. Run the Langflow process containerized with least-privilege filesystem permissions and a read-only root filesystem outside the designated temp directory, so even an unsanitized write has nowhere sensitive to land. Audit existing flows for APIRequest nodes pointed at externally-influenced or untrusted URLs. Add file-integrity monitoring (auditd/FIM) around Langflow's working and temp directories to detect unexpected writes outside the sandboxed path.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, Robustness and Cybersecurity
NIST AI RMF
MEASURE 2.7 - AI system security and resilience are evaluated and documented
OWASP LLM Top 10
LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2026-8859?

IBM's Langflow OSS agent-building framework ships an APIRequest component whose optional "Save to File" feature trusts the Content-Disposition filename returned by whatever HTTP endpoint a flow calls, letting a malicious or compromised external server inject "../" sequences and write attacker-controlled content anywhere the Langflow process can reach on disk. This is critical (CVSS 9.9, network vector, no user interaction, scope change) because Langflow flows routinely call third-party APIs, webhooks, or externally-supplied URLs as part of agent tool use — any flow that points APIRequest at an untrusted, compromised, or SSRF-able endpoint hands a remote attacker arbitrary file write on the host. There's no CISA KEV listing, no published EPSS score, and no public PoC or Nuclei template found, so this looks pre-exploitation rather than actively weaponized right now — but a 9.9 arbitrary-write bug in a widely deployed open-source agent framework is a prime target for reverse-engineering once the vendor patch diff circulates. Upgrade past 1.10.0 immediately, disable "Save to File" on APIRequest components until patched, and audit existing flows for any URL fed to that component that isn't fully trusted.

Is CVE-2026-8859 actively exploited?

No confirmed active exploitation of CVE-2026-8859 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-8859?

Upgrade Langflow past the affected 1.0.0-1.10.0 range to the patched release referenced in IBM's advisory. Until patched, disable the "Save to File" option on all APIRequest components as a workaround. Restrict Langflow's outbound network access with an allowlist of trusted destinations to reduce SSRF-adjacent exposure. Run the Langflow process containerized with least-privilege filesystem permissions and a read-only root filesystem outside the designated temp directory, so even an unsanitized write has nowhere sensitive to land. Audit existing flows for APIRequest nodes pointed at externally-influenced or untrusted URLs. Add file-integrity monitoring (auditd/FIM) around Langflow's working and temp directories to detect unexpected writes outside the sandboxed path.

What systems are affected by CVE-2026-8859?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, RAG pipelines, tool-calling / agent orchestration, low-code AI workflow builders.

What is the CVSS score for CVE-2026-8859?

CVE-2026-8859 has a CVSS v3.1 base score of 9.9 (CRITICAL).

What is the AI security impact?

Affected AI Architectures

agent frameworksRAG pipelinestool-calling / agent orchestrationlow-code AI workflow builders

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation

Compliance Controls Affected

EU AI Act: Article 15
NIST AI RMF: MEASURE 2.7
OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

IBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow an attacker to write arbitrary files to unintended locations due to improper input validation in the APIRequest component. A path traversal vulnerability exists when the "Save to File" feature is enabled, where filenames extracted from HTTP response Content-Disposition headers are not sanitized before being joined to the temporary directory path. An attacker controlling an external HTTP server can supply crafted filename values containing path traversal sequences (e.g., ../), enabling arbitrary file writes to locations accessible by the Langflow process.

Exploitation Scenario

An attacker stands up (or compromises) an HTTP endpoint that a target's Langflow flow calls via an APIRequest component with "Save to File" enabled — this could be a legitimate-looking third-party API added by the flow author, a webhook target, or a URL reachable through SSRF from another component in the pipeline. When the flow runs, the attacker's server responds with a header such as `Content-Disposition: attachment; filename="../../../../var/www/html/shell.php"` (or a path targeting a cron job or systemd unit). Langflow joins this unsanitized filename to its temp directory path and writes the attacker's response body there, dropping a webshell, overwriting a scheduled task, or corrupting configuration/credential files — giving the attacker code execution or persistence on the host running Langflow.

Weaknesses (CWE)

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Timeline

Published
July 17, 2026
Last Modified
July 17, 2026
First Seen
July 17, 2026

Related Vulnerabilities