CVE-2026-5027: Langflow | defend.network

What is CVE-2026-5027?

The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences ('../').

CVSS8.8 NVD 3.1

SeverityHIGH

Exploitation In the wild

EPSS<1% · P11

Triage statusActive Exploit

ActionPatch within 48 hours

CVSS vectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWECWE-22

NVD published2026-03-27

NVD last modified2026-03-30

Affected product

Langflow

Remediation Steps

Apply the latest Langflow security patch from the vendor
Review server logs for evidence of file writes to unexpected locations
Validate that arbitrary files cannot be written to the application root or system directories

References

Coverage on defend.network

Vulnerability Priority Report – Week 2 of June 2026 (June 8 – 14)
Langflow RCE exploited, JDY botnet expands U.S. military targeting, npm security hardened (2026-06-11)

🤖 This CVE page is generated by defend.network from NVD, CISA KEV, EPSS, and our verified daily briefings. Severity and exploitation data come from official sources; always verify remediation steps against the official vendor advisory before acting in production.

What is CVE-2026-5027?

Affected product

Remediation Steps

References

Coverage on defend.network

Get Critical CVE Alerts