HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-55447Published Modified CNA GitHub_M

CVE-2026-55447: Langflow: BaseFileComponent-based nodes arbitrary file read with RCE exploit

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.2, by controlling a files that are digested into the RAG, an attacker can direct the node to read any file on the file-system by absolute path. All components based on BaseFileComponent are vulnerable to the vulnerability. This includes Docling (DoclingInlineComponent), Docling Serve, DoclingRemoteComponent), Read File (FileComponent), NVIDIA Retriever Extraction (NvidiaIngestComponent), Video File (VideoFileComponent), and Unstructured API (UnstructuredComponent). This vulnerability is fixed in 1.9.2.

Metrics

CVSS v3.1
9.6
Severity
CRITICAL
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

An arbitrary file read vulnerability with remote code execution potential affects Langflow, the AI agent and workflow builder, in all versions before 1.9.2. The flaw is reachable over the network without authentication, but requires a victim to interact with a malicious file fed into a Retrieval-Augmented Generation (RAG) pipeline; any component built on BaseFileComponent is affected, including Docling, Read File, NVIDIA Retriever Extraction, Video File, and Unstructured API nodes. Successful exploitation lets an attacker read any file on the host filesystem by absolute path and, in documented attack chains, pivot to remote code execution. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment version 1.9.2 or a later fix is confirmed upstream.

HarborGuard Coverage

Detection

Detection of CVE-2026-55447 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI pipelines, including custom-built Langflow-derived images. Any image carrying a langflow package version below 1.9.2 is flagged automatically.

Available
Triage

HarborGuard scores this finding at CVSS 9.6 Critical and weights it against each environment's compliance policy to determine urgency and routing. Triage findings are delivered to the team inbox configured for the affected workload within each customer organization, with exploitability context attached.

Available
Patch

Because no fix version has been confirmed upstream at the time of publication, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment version 1.9.2 is confirmed. For customers with auto-remediation enabled, the rebuild, regression-test run, and a PR opened against affected workloads will be triggered without manual intervention as soon as the upstream fix is verified.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The vulnerable Langflow service must be reachable over the network; an attacker submits a crafted file to a RAG pipeline endpoint exposed on the network.

  • AuthenticationNot required

    No credentials or account are required to reach the affected endpoint and deliver a malicious payload.

  • Victim interactionRequired

    A user or automated pipeline process must ingest the attacker-controlled file into a BaseFileComponent-based node, making this a social-engineering or supply-chain vector.

  • Attack complexityDetail

    Exploitation is reliable and condition-free once a malicious file is accepted; no race conditions or special memory layout are needed.

Blast Radius

  • Reads arbitrary files from the host filesystem by absolute path, including secrets, credentials, environment files, and private keys accessible to the Langflow process.
  • Modifies or exfiltrates data processed by downstream RAG pipeline components, corrupting AI agent outputs or leaking retrieved document contents.
  • In documented exploit chains, achieves remote code execution on the host running the Langflow service.
  • Disrupts availability of the Langflow service and connected agent workflows if the attacker chooses to crash or exhaust resources on the host.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix version is confirmed at time of publication, HarborGuard continuously re-checks the advisory on every ingest cycle and will surface a patched-image rebuild the moment version 1.9.2 is verified. In the interim, compensating controls available to customers include network-policy isolation to restrict which internal services can reach Langflow RAG endpoints, egress filtering to limit outbound access from Langflow containers, and feature-flag or deployment gating to disable BaseFileComponent-based nodes (Docling, Read File, NVIDIA Retriever Extraction, Video File, Unstructured API) in environments that do not require them. For customers with auto-remediation enabled, the full rebuild plus regression-test run plus PR flow against affected workloads will trigger automatically once the upstream fix is published, with median time from CVE publication to merged patch PR for critical-severity issues around 90 minutes in those environments.

See how HarborGuard automates this
Affected packages
  • langflow-ai / langflow
    < 1.9.2
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
References