CVE-2026-55450: Langflow: Unauthenticated file upload leads to DoS (space exhaustion) and information leak
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.1, unauthenticated users can upload any amount of data to the server without any limitations. No need for any prior knowledge, only network access to Langflow. This can lead to space exhaustion on the server. In addition, in the response, the absolute path of the uploaded file is reported to the attacker, which is an information leak that can assist in chaining other primitives. This vulnerability is fixed in 1.9.1.
Metrics
- CVSS v3.1
- 9.3
- Severity
- CRITICAL
- Fixed in
- 1.9.1
- Affected Products
- 1
HarborGuard Analysis
Synopsis
An unrestricted file upload vulnerability in Langflow (the AI agent and workflow builder) allows any unauthenticated attacker who can reach the service over the network to upload arbitrary amounts of data to the server. Successful exploitation exhausts available disk space, disrupting or crashing the service, and the server response leaks the absolute file path of each uploaded file, giving the attacker a foothold for chaining further attacks. The upstream fix is Langflow 1.9.1; every earlier version is affected.
HarborGuard Coverage
Detection of CVE-2026-55450 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Langflow. Any image found running an affected version (langflow below 1.9.1) is flagged immediately.
HarborGuard scores this finding at its published CVSS v3.1 severity of 9.3 (Critical) and weights it against each environment's compliance policy to determine urgency. Alerts are routed to the appropriate team inbox within each customer organization based on configured escalation rules.
The upstream fix is Langflow 1.9.1. HarborGuard re-checks the advisory on every ingest cycle and makes a patched-image rebuild available once version 1.9.1 (or a later remediated release) is confirmed upstream. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads are triggered without manual intervention.
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the Langflow service over the network; no local or physical access is required.
- Authentication: Not required
No credentials or prior account registration are needed; the upload endpoint is fully unauthenticated.
- Victim interaction: Not required
The attacker acts entirely on their own; no user of the target system needs to click anything or take any action.
- Attack complexity: Low
The exploit is straightforward and condition-free: any attacker with network access can trigger it reliably without having to win a race or satisfy any particular environmental requirement.
Blast Radius
- Floods the server's storage with attacker-controlled data, exhausting available disk space and crashing or severely degrading the Langflow service for all users.
- Receives the absolute filesystem path of every uploaded file in the server response, exposing internal directory structure that can be used to locate configuration files, secrets, or other sensitive assets for follow-on attacks.
- Repeated uploads can be automated with no size or rate limit, so a single attacker can sustain the denial-of-service condition indefinitely until the vulnerability is mitigated.
- The path disclosure creates a concrete assist for chaining additional exploits, such as path traversal or local file inclusion attacks if other vulnerabilities exist on the same host.
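The two blast-radius effects above (sustained large uploads from one source, and success responses on an upload route) are visible in the access log of a reverse proxy sitting in front of Langflow. The following detector is an added example, not a HarborGuard detection rule and not Langflow code. It assumes a custom log line format `timestamp src_ip method path status request_bytes` (stock combined-format logs do not record the request body size, so the `request_bytes` field, nginx's `$request_length`, has to be logged explicitly), and it assumes the upload route prefix `/api/v1/files/upload`; the sample lines are constructed for the demonstration.

```python
"""Flag sources that push a large volume of uploads within a sliding window.

Added example; not a HarborGuard or Langflow component. Log format and the
upload route prefix are assumptions for the demonstration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

UPLOAD_PREFIX = "/api/v1/files/upload"   # assumed route prefix; confirm per deployment
WINDOW = timedelta(minutes=5)
BYTES_THRESHOLD = 500 * 1024 * 1024       # 500 MiB per source inside the window
COUNT_THRESHOLD = 50                      # or 50 accepted uploads per source


def parse_line(line):
    """Parse `ts ip method path status request_bytes` (assumed custom format)."""
    ts, ip, method, path, status, nbytes = line.split()
    return datetime.fromisoformat(ts), ip, method, path, int(status), int(nbytes)


def detect_upload_floods(lines, window=WINDOW,
                         bytes_threshold=BYTES_THRESHOLD,
                         count_threshold=COUNT_THRESHOLD):
    """Return {src_ip: finding} for sources that exceed either threshold.

    Only accepted (status < 400) POSTs to the upload route count, because
    those are the requests that actually landed on disk.
    """
    events = sorted((parse_line(l) for l in lines), key=lambda e: e[0])
    recent = defaultdict(deque)            # ip -> deque of (ts, bytes) in window
    findings = {}
    for ts, ip, method, path, status, nbytes in events:
        if method != "POST" or not path.startswith(UPLOAD_PREFIX) or status >= 400:
            continue
        q = recent[ip]
        q.append((ts, nbytes))
        while q and ts - q[0][0] > window:  # evict events older than the window
            q.popleft()
        total = sum(b for _, b in q)
        if ip not in findings and (total >= bytes_threshold or len(q) >= count_threshold):
            findings[ip] = {
                "first_seen": q[0][0].isoformat(),
                "triggered_at": ts.isoformat(),
                "uploads": len(q),
                "bytes": total,
            }
    return findings


def constructed_log():
    """Constructed sample: one flooding source, one benign source, some noise."""
    base = datetime(2026, 1, 1, 0, 0, 0)
    twenty_mib = 20 * 1024 * 1024
    lines = []
    for i in range(60):                    # 60 x 20 MiB, three seconds apart
        t = (base + timedelta(seconds=3 * i)).isoformat()
        lines.append(f"{t} 203.0.113.7 POST {UPLOAD_PREFIX}/flow-1 201 {twenty_mib}")
    lines.append(f"{base.isoformat()} 198.51.100.4 POST {UPLOAD_PREFIX}/flow-2 201 {1024 * 1024}")
    lines.append(f"{(base + timedelta(seconds=30)).isoformat()} 198.51.100.4 POST "
                 f"{UPLOAD_PREFIX}/flow-2 201 {1024 * 1024}")
    lines.append(f"{base.isoformat()} 198.51.100.4 GET /api/v1/flows 200 0")       # not an upload
    lines.append(f"{base.isoformat()} 203.0.113.7 POST {UPLOAD_PREFIX}/flow-1 401 {twenty_mib}")  # rejected
    return lines


if __name__ == "__main__":
    for ip, f in detect_upload_floods(constructed_log()).items():
        print(ip, f)
```

With the constructed sample the flooding source trips the byte threshold on its 25th accepted upload (25 x 20 MiB = 500 MiB) well inside the five-minute window, while the benign source with two 1 MiB uploads is never reported. Tune the thresholds to the upload sizes your flows legitimately use; the count threshold is there to catch many small files, which exhaust inodes and directory entries before they exhaust bytes.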
How HarborGuard Handles This
The upstream fix is Langflow 1.9.1: upgrade affected images to 1.9.1 or later. Until the upgrade lands, apply compensating controls. The most direct one is to put the upload route behind a reverse proxy that requires authentication and caps the request body size, since both halves of the vulnerability (unbounded uploads and the path-bearing response) pass through that hop. Beyond that, isolate Langflow instances behind a network policy that restricts inbound access to trusted sources only, apply egress filtering to limit what the Langflow host can reach externally, alert on free-space thresholds for the volume Langflow writes uploads to, and, if the deployment does not need file upload at all, disable or gate the feature where your Langflow version's configuration allows it. Where compliance policy permits, HarborGuard automatically triggers a patched-image rebuild, regression test run, and PR against affected workloads once version 1.9.1 (or a later confirmed fix) is present in its ingest feeds. Customers who have not enabled auto-remediation receive a rebuild availability notification and can apply the patch manually through the HarborGuard dashboard.
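The gating described above, written out as an added example that is neither Langflow code nor a HarborGuard feature: a pure-Python model of the decision a reverse proxy or middleware in front of Langflow would make on the upload route, plus a response filter that removes absolute filesystem paths before the body reaches the client. The route prefix `/api/v1/files/upload`, the `X-Api-Key` header, the 50 MiB cap and the 2 GiB disk reserve are assumptions chosen for the demonstration; `free_bytes` is injected so the check can be tested without touching a real filesystem (in production, feed it `shutil.disk_usage(upload_dir).free`).

```python
"""Compensating controls for an unauthenticated, unbounded upload route.

Added example; not Langflow code and not a HarborGuard feature. Route prefix,
header name, size cap and disk reserve are assumptions for the demonstration.
"""
import hmac
import json
import os
from dataclasses import dataclass

UPLOAD_PREFIX = "/api/v1/files/upload"   # assumed route prefix
API_KEY_HEADER = "x-api-key"             # assumed header carrying the gate's key
MAX_UPLOAD_BYTES = 50 * 1024 * 1024      # assumed policy: 50 MiB per request
DISK_RESERVE_BYTES = 2 * 1024 ** 3       # assumed policy: never go below 2 GiB free


@dataclass
class Decision:
    allowed: bool
    status: int      # HTTP status the gate would answer with when denying
    reason: str


def gate_upload(method, path, headers, free_bytes, expected_key):
    """Decide whether a request may be forwarded to the upload route.

    free_bytes is the current free space on the upload volume; in production
    pass shutil.disk_usage(upload_dir).free.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if not path.startswith(UPLOAD_PREFIX):
        return Decision(True, 200, "not an upload route; pass through")
    if method.upper() != "POST":
        return Decision(False, 405, "only POST is accepted on the upload route")
    presented = h.get(API_KEY_HEADER, "")
    # constant-time comparison so the key is not leaked byte-by-byte via timing
    if not (presented and hmac.compare_digest(presented.encode(), expected_key.encode())):
        return Decision(False, 401, "missing or invalid API key")
    # A chunked body has no declared length, so the cap could not be enforced
    # before bytes hit disk; refuse it rather than trust the stream.
    if "chunked" in h.get("transfer-encoding", "").lower():
        return Decision(False, 411, "chunked uploads refused; Content-Length required")
    try:
        length = int(h.get("content-length", ""))
    except ValueError:
        return Decision(False, 411, "Content-Length required")
    if length < 0 or length > MAX_UPLOAD_BYTES:
        return Decision(False, 413, "payload exceeds the upload cap")
    if free_bytes - length < DISK_RESERVE_BYTES:
        return Decision(False, 507, "upload would breach the disk reserve")
    return Decision(True, 200, "forward to upstream")


def _looks_like_abs_path(value):
    # Blunt on purpose: any '/'-rooted string with a further slash. Narrow this
    # if the API legitimately returns URL paths in response bodies.
    return isinstance(value, str) and value.startswith("/") and "/" in value[1:]


def scrub_paths(obj):
    """Return a copy of a decoded JSON value with absolute paths cut to basenames."""
    if isinstance(obj, dict):
        return {k: scrub_paths(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [scrub_paths(v) for v in obj]
    if _looks_like_abs_path(obj):
        return os.path.basename(obj)
    return obj


def scrub_response(body_json):
    """Filter an upstream JSON response body before returning it to the client."""
    return json.dumps(scrub_paths(json.loads(body_json)))


if __name__ == "__main__":
    print(gate_upload("POST", UPLOAD_PREFIX + "/flow-1", {"Content-Length": "100"},
                      10 * 1024 ** 3, "secret"))
    print(scrub_response('{"file_path": "/app/data/uploads/flow-1/notes.txt", "flow_id": "flow-1"}'))
```

The order of the checks matters: authentication is decided before any size arithmetic so an unauthenticated caller learns nothing about the cap or the remaining disk space, and the disk-reserve check keeps the Langflow process itself (logs, database, temp files) from being starved even by authenticated users who stay under the per-request cap. The response filter addresses the second half of the advisory independently of the upload gate, so it can be deployed on its own if uploads must remain open.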
- langflow-ai / langflow: < 1.9.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:H