A critical and unpatched security vulnerability in the open-source AI development platform Langflow is being actively exploited by attackers. The flaw, cataloged as CVE-2026-5027, allows threat actors to write files to arbitrary locations on a victim’s system, posing a significant risk to users of the popular low-code AI tool. The activity is a further sign that attackers are increasingly targeting the infrastructure used to build artificial intelligence applications.
The vulnerability, which carries a CVSS score of 8.8, stems from a lack of proper sanitization of the ‘filename’ parameter in the ‘POST /api/v2/files’ endpoint. Because the parameter is not sanitized, a filename containing path traversal sequences such as “../” lets a request write outside the intended upload location, to an attacker-chosen path, giving unauthorized file write access. Given the severity of this path traversal vulnerability, remote code execution is a distinct possibility.
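The two defensive controls that follow from the description above are a containment check on the user-supplied filename before anything is written, and a scan of access logs for requests to the files endpoint that carry traversal sequences. The block below is an added example, not Langflow project code or Tenable's or VulnCheck's material: the upload root, the combined-log-format line layout, and the sample log lines are assumptions constructed for illustration, and the endpoint path is the one named in the article. The filename is percent-decoded twice before it is judged, so encoded and double-encoded traversal is handled the same way as a raw “../”.

```python
"""Added example, not Langflow project code: a containment check for a
user-supplied upload filename, and a scan of web-server access-log lines for
requests to the files endpoint that carry path-traversal sequences.
The upload root, the log format and the sample log lines are assumptions
constructed for illustration."""
from pathlib import Path
from urllib.parse import unquote, urlsplit
import re

UPLOAD_ROOT = Path("/var/lib/app/uploads")   # assumed upload directory
FILES_ENDPOINT = "/api/v2/files"             # endpoint path named in the article

# Combined-log-format line: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def safe_upload_path(filename: str, root: Path = UPLOAD_ROOT) -> Path:
    """Return the path a file named `filename` may be written to under `root`,
    or raise ValueError.  The filename is percent-decoded twice so encoded
    forms are judged on their decoded content, and any directory component,
    dot name or NUL byte is refused before a final containment check."""
    decoded = unquote(unquote(filename))
    if decoded in ("", ".", ".."):
        raise ValueError("empty or dot filename")
    if "\x00" in decoded:
        raise ValueError("NUL byte in filename")
    if "/" in decoded or "\\" in decoded:
        raise ValueError("directory components are not allowed")
    root_resolved = root.resolve()
    candidate = (root_resolved / decoded).resolve()
    # Defence in depth: the resolved target must sit directly under the root.
    if candidate.parent != root_resolved:
        raise ValueError("path escapes upload root")
    return candidate


def is_rejected(filename: str, root: Path = UPLOAD_ROOT) -> bool:
    """True when safe_upload_path refuses the filename."""
    try:
        safe_upload_path(filename, root)
    except ValueError:
        return True
    return False


def has_traversal(text: str) -> bool:
    """True when the text, raw or after one or two rounds of percent-decoding,
    contains a ../ or ..\\ sequence."""
    once = unquote(text)
    twice = unquote(once)
    return any("../" in s or "..\\" in s for s in (text, once, twice))


def flag_traversal_requests(log_lines):
    """Return (ip, method, target) for requests whose path is the files
    endpoint and whose request target carries a traversal sequence.  The
    filename is assumed to be visible in the query string; a filename sent
    only in a request body needs application-level logging to be seen here."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if urlsplit(target).path != FILES_ENDPOINT:
            continue
        if has_traversal(target):
            hits.append((m.group("ip"), m.group("method"), target))
    return hits


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Mar/2026:10:00:01 +0000] "POST /api/v2/files?filename=report.pdf HTTP/1.1" 201 512',
    '203.0.113.9 - - [27/Mar/2026:10:00:05 +0000] "POST /api/v2/files?filename=..%2F..%2Ftmp%2Ftest.txt HTTP/1.1" 201 512',
    '198.51.100.4 - - [27/Mar/2026:10:00:09 +0000] "GET /api/v1/flows/ HTTP/1.1" 200 2048',
    '203.0.113.9 - - [27/Mar/2026:10:00:12 +0000] "POST /api/v2/files?filename=%252e%252e%252ftmp%252ftest.txt HTTP/1.1" 201 512',
]

if __name__ == "__main__":
    print(safe_upload_path("report.pdf"))
    for name in ("../../tmp/test.txt", "..%2f..%2ftmp%2ftest.txt"):
        print(name, "rejected" if is_rejected(name) else "accepted")
    for hit in flag_traversal_requests(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

The containment check deliberately refuses any directory separator rather than trying to normalize one away, and then re-verifies that the resolved path sits directly under the upload root; the log scan is only as good as what the server logs, so a filename that travels in a multipart body rather than the query string needs the application itself to log the parameter before a rule like this can see it.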
Active Exploitation of Langflow Vulnerability
Research by VulnCheck indicates that cybercriminals are actively weaponizing CVE-2026-5027. Initial exploitation efforts observed involve the placement of test files on compromised systems. This trend of exploiting Langflow vulnerabilities has been escalating throughout 2026, with several other critical flaws, including CVE-2026-0770, CVE-2026-33017, CVE-2026-21445, and CVE-2025-34291, also coming under attack. Notably, CVE-2025-34291 was previously linked to exploitation by the Iranian state-sponsored hacking group MuddyWater.
Tenable, the cybersecurity firm that initially discovered the flaw, attempted to notify Langflow project maintainers multiple times in January and February 2026 before publicly disclosing the vulnerability on March 27. The ease of exploitation is further amplified by Langflow’s default unauthenticated auto-login functionality, meaning attackers require no credentials to access the vulnerable endpoint.
Implications for AI Development Tools
“Because Langflow enables unauthenticated auto-login by default, no credentials are required to reach the vulnerable endpoint, and a single unauthenticated request is sufficient to obtain a valid session token before proceeding with exploitation,” explained Caitlin Condon, vice president of security research at VulnCheck. This indicates a low barrier to entry for attackers targeting this specific vulnerability.
Data from network security firm Censys reveals that approximately 7,000 instances of Langflow are publicly accessible on the internet, with a significant concentration in North America. The continued exploitation of Langflow vulnerabilities, this critical path traversal flaw being the latest, underscores a growing trend: attackers are increasingly focusing on the tools and infrastructure that organizations rely on to develop and deploy artificial intelligence applications, a shift that signals a broader effort to disrupt or compromise the AI development pipeline.
With this high-severity flaw both unpatched and under active exploitation, users of the platform are currently at risk, and every exposed instance remains open to potential compromise until a fix ships. Further development and monitoring by the Langflow project maintainers are anticipated, with a security patch for CVE-2026-5027 expected in the near future. Organizations using Langflow should remain vigilant and prioritize applying any security update as soon as it is released to mitigate these risks.

