CVE-2026-8859: Langflow: path traversal writes arbitrary files
CRITICALIBM's Langflow OSS agent-building framework ships an APIRequest component whose optional "Save to File" feature trusts the Content-Disposition filename returned by whatever HTTP endpoint a flow calls, letting a malicious or compromised external server inject "../" sequences and write attacker-controlled content anywhere the Langflow process can reach on disk. This is critical (CVSS 9.9, network vector, no user interaction, scope change) because Langflow flows routinely call third-party APIs, webhooks, or externally-supplied URLs as part of agent tool use — any flow that points APIRequest at an untrusted, compromised, or SSRF-able endpoint hands a remote attacker arbitrary file write on the host. There's no CISA KEV listing, no published EPSS score, and no public PoC or Nuclei template found, so this looks pre-exploitation rather than actively weaponized right now — but a 9.9 arbitrary-write bug in a widely deployed open-source agent framework is a prime target for reverse-engineering once the vendor patch diff circulates. Upgrade past 1.10.0 immediately, disable "Save to File" on APIRequest components until patched, and audit existing flows for any URL fed to that component that isn't fully trusted.
What is the risk?
CVSS 9.9 reflects the worst-case combination: network-reachable, low attack complexity, only low privileges required (an authenticated user able to build or trigger a flow), no user interaction, and full compromise of confidentiality, integrity, and availability once the write lands somewhere sensitive (webroot, cron, systemd unit, application config/credentials). The gating factor is that the attacker needs the flow to call an endpoint they control or have compromised — this is not a pure unauthenticated network exploit, but Langflow's core use case (calling external APIs and tools) makes that condition easy to satisfy via a look-alike or SSRF-reachable endpoint. No KEV listing, EPSS score, or public exploit/scanner exists yet, so treat this as high-severity-but-not-yet-weaponized: patch before it becomes a commodity target rather than reacting after exploitation is observed.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Langflow | pip | — | No patch |
Do you use Langflow? You're affected.
How severe is it?
What is the attack surface?
What should I do?
1 step-
Upgrade Langflow past the affected 1.0.0-1.10.0 range to the patched release referenced in IBM's advisory. Until patched, disable the "Save to File" option on all APIRequest components as a workaround. Restrict Langflow's outbound network access with an allowlist of trusted destinations to reduce SSRF-adjacent exposure. Run the Langflow process containerized with least-privilege filesystem permissions and a read-only root filesystem outside the designated temp directory, so even an unsanitized write has nowhere sensitive to land. Audit existing flows for APIRequest nodes pointed at externally-influenced or untrusted URLs. Add file-integrity monitoring (auditd/FIM) around Langflow's working and temp directories to detect unexpected writes outside the sandboxed path.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-8859?
IBM's Langflow OSS agent-building framework ships an APIRequest component whose optional "Save to File" feature trusts the Content-Disposition filename returned by whatever HTTP endpoint a flow calls, letting a malicious or compromised external server inject "../" sequences and write attacker-controlled content anywhere the Langflow process can reach on disk. This is critical (CVSS 9.9, network vector, no user interaction, scope change) because Langflow flows routinely call third-party APIs, webhooks, or externally-supplied URLs as part of agent tool use — any flow that points APIRequest at an untrusted, compromised, or SSRF-able endpoint hands a remote attacker arbitrary file write on the host. There's no CISA KEV listing, no published EPSS score, and no public PoC or Nuclei template found, so this looks pre-exploitation rather than actively weaponized right now — but a 9.9 arbitrary-write bug in a widely deployed open-source agent framework is a prime target for reverse-engineering once the vendor patch diff circulates. Upgrade past 1.10.0 immediately, disable "Save to File" on APIRequest components until patched, and audit existing flows for any URL fed to that component that isn't fully trusted.
Is CVE-2026-8859 actively exploited?
No confirmed active exploitation of CVE-2026-8859 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-8859?
Upgrade Langflow past the affected 1.0.0-1.10.0 range to the patched release referenced in IBM's advisory. Until patched, disable the "Save to File" option on all APIRequest components as a workaround. Restrict Langflow's outbound network access with an allowlist of trusted destinations to reduce SSRF-adjacent exposure. Run the Langflow process containerized with least-privilege filesystem permissions and a read-only root filesystem outside the designated temp directory, so even an unsanitized write has nowhere sensitive to land. Audit existing flows for APIRequest nodes pointed at externally-influenced or untrusted URLs. Add file-integrity monitoring (auditd/FIM) around Langflow's working and temp directories to detect unexpected writes outside the sandboxed path.
What systems are affected by CVE-2026-8859?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, RAG pipelines, tool-calling / agent orchestration, low-code AI workflow builders.
What is the CVSS score for CVE-2026-8859?
CVE-2026-8859 has a CVSS v3.1 base score of 9.9 (CRITICAL).
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0049 Exploit Public-Facing Application AML.T0053 AI Agent Tool Invocation Compliance Controls Affected
What are the technical details?
Original Advisory
IBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow an attacker to write arbitrary files to unintended locations due to improper input validation in the APIRequest component. A path traversal vulnerability exists when the "Save to File" feature is enabled, where filenames extracted from HTTP response Content-Disposition headers are not sanitized before being joined to the temporary directory path. An attacker controlling an external HTTP server can supply crafted filename values containing path traversal sequences (e.g., ../), enabling arbitrary file writes to locations accessible by the Langflow process.
Exploitation Scenario
An attacker stands up (or compromises) an HTTP endpoint that a target's Langflow flow calls via an APIRequest component with "Save to File" enabled — this could be a legitimate-looking third-party API added by the flow author, a webhook target, or a URL reachable through SSRF from another component in the pipeline. When the flow runs, the attacker's server responds with a header such as `Content-Disposition: attachment; filename="../../../../var/www/html/shell.php"` (or a path targeting a cron job or systemd unit). Langflow joins this unsanitized filename to its temp directory path and writes the attacker's response body there, dropping a webshell, overwriting a scheduled task, or corrupting configuration/credential files — giving the attacker code execution or persistence on the host running Langflow.
Weaknesses (CWE)
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Primary
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
- [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
- [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H References
Timeline
Related Vulnerabilities
CVE-2026-10561 10.0 Langflow: auth bypass + unauthenticated RCE (CVSS 10)
Same package: langflow CVE-2026-10134 10.0 Langflow: unauthenticated RCE via tool_code injection
Same package: langflow CVE-2026-33309 9.9 langflow: Path Traversal enables file access
Same package: langflow CVE-2026-55255 9.9 Langflow: IDOR allows cross-user flow execution
Same package: langflow CVE-2026-7873 9.9 Langflow: authenticated RCE enables credential theft
Same package: langflow