CVE-2026-55450

langflow-ai · langflow

Unauthenticated users can exploit Langflow to cause server-side storage exhaustion through excessive file uploads and to leak information about file system paths.

Executive summary

An unauthenticated vulnerability in Langflow allows attackers to trigger server-side storage exhaustion and obtain sensitive file path information, facilitating further attacks.

Vulnerability

The application fails to implement proper authentication and rate limiting for file uploads, allowing unauthenticated attackers to flood the server with data. Furthermore, the application exposes the absolute file paths in its responses, providing attackers with critical reconnaissance data.

Business impact

With a CVSS score of 9.3, this vulnerability represents a severe threat to service availability and system security. The combination of resource exhaustion (Denial of Service) and information disclosure creates an ideal environment for attackers to crash the service or chain this flaw into more complex exploits.

Remediation

Immediate Action: Update Langflow to version 1.9.1 or later to implement necessary authentication checks and restrict file upload behavior.

Proactive Monitoring: Monitor disk usage and incoming request rates to identify potential DoS attempts or anomalous upload activity.

Compensating Controls: Implement strict network access control lists (ACLs) to ensure the Langflow interface is not exposed to the public internet.
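The monitoring control above, as an added example that is not part of this advisory or of the Langflow project: a stdlib-only Python check that flags clients hammering an upload endpoint and reports the filesystem fill level. The endpoint prefix, the log line format and the sample log lines are assumptions constructed for this example.

```python
# Added example (not Langflow code): flag upload floods from access-log lines.
from collections import defaultdict, deque
from datetime import datetime
import shutil

# Assumed upload-endpoint prefix; a placeholder, not taken from the advisory.
UPLOAD_PREFIX = "/api/v1/files/upload"

# Constructed sample log: client_ip, ISO timestamp, method, path, status, request bytes.
SAMPLE_LOG = """\
10.0.0.5 2026-03-01T10:00:00 POST /api/v1/files/upload/flow-a 201 5242880
10.0.0.5 2026-03-01T10:00:01 POST /api/v1/files/upload/flow-a 201 5242880
10.0.0.5 2026-03-01T10:00:02 POST /api/v1/files/upload/flow-a 201 5242880
10.0.0.5 2026-03-01T10:00:03 POST /api/v1/files/upload/flow-a 201 5242880
10.0.0.5 2026-03-01T10:00:04 POST /api/v1/files/upload/flow-a 201 5242880
10.0.0.5 2026-03-01T10:00:05 POST /api/v1/files/upload/flow-a 201 5242880
10.0.0.9 2026-03-01T10:00:07 POST /api/v1/files/upload/flow-b 201 20480
10.0.0.9 2026-03-01T10:00:08 GET /api/v1/flows 200 0
10.0.0.9 2026-03-01T10:30:00 POST /api/v1/files/upload/flow-b 201 20480
"""

def parse_line(line):
    """Split one constructed log line into (ip, timestamp, method, path, bytes_in)."""
    ip, ts, method, path, _status, nbytes = line.split()
    return ip, datetime.fromisoformat(ts), method, path, int(nbytes)

def detect_upload_floods(log_text, window_s=60, max_requests=5, max_bytes=16 * 1024 * 1024):
    """Sliding-window check per client IP on POSTs to the upload endpoint.

    Returns {ip: {"requests": n, "bytes": b}} for each client that exceeded
    either threshold within some window of `window_s` seconds (last window wins).
    """
    recent = defaultdict(deque)   # ip -> deque of (timestamp, bytes) inside the window
    alerts = {}
    for raw in log_text.splitlines():
        ip, ts, method, path, nbytes = parse_line(raw)
        if method != "POST" or not path.startswith(UPLOAD_PREFIX):
            continue
        q = recent[ip]
        q.append((ts, nbytes))
        while (ts - q[0][0]).total_seconds() > window_s:   # evict entries older than the window
            q.popleft()
        total = sum(b for _, b in q)
        if len(q) > max_requests or total > max_bytes:
            alerts[ip] = {"requests": len(q), "bytes": total}
    return alerts

def disk_used_fraction(path="/"):
    """Fraction of the filesystem at `path` in use; a rapid climb alongside
    upload alerts points at storage exhaustion rather than normal growth."""
    usage = shutil.disk_usage(path)
    return usage.used / usage.total
```

Thresholds are illustrative; tune them to the instance's real upload volume before alerting on them.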

Exploitation status

Public Exploit Available: No

Analyst recommendation

This vulnerability is particularly dangerous because it does not require authentication, making it trivial for remote attackers to disrupt services or gather reconnaissance. Organizations should verify that their Langflow instances are not exposed to untrusted networks and apply the 1.9.1 update as the highest priority.