CVE-2026-42048
Langflow · Langflow
Langflow is vulnerable to Path Traversal in the Knowledge Bases API, allowing authenticated attackers to delete arbitrary directories on the server.
Executive summary
A critical path traversal vulnerability in Langflow allows authenticated attackers to delete arbitrary files and directories reachable by the Langflow process, with direct impact on system availability and data integrity.
Vulnerability
The vulnerability exists in the Knowledge Bases API (DELETE /api/v1/knowledge_bases), where the user-supplied input that identifies the knowledge base to delete is used to build a filesystem path without sanitization or a containment check. An authenticated attacker can therefore supply traversal sequences (such as "../") and have the server delete directories outside the intended knowledge base storage location.
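The following is an added example, not Langflow's source code, showing the general shape of this bug class and its hardened form: a delete routine that joins a caller-controlled name onto a base directory with no check, beside one that resolves the path (symlinks and ".." included) and refuses anything that does not land inside the base. The directory layout, the parameter name kb_name and all function names are assumptions for illustration; the real Langflow code and fix are not reproduced here.

```python
"""
Added example (not Langflow's code): vulnerable vs. hardened directory
deletion under a caller-controlled name. Layout and names are assumptions.
"""
import os
import shutil
import tempfile
from pathlib import Path


def vulnerable_delete(base_dir: str, kb_name: str) -> str:
    """Assumed vulnerable shape: the caller's name is joined onto the base
    directory and deleted without checking where the result points."""
    target = os.path.join(base_dir, kb_name)
    if os.path.isdir(target):
        shutil.rmtree(target)
    return target


class PathTraversalError(ValueError):
    """Raised when a requested path would escape the knowledge base root."""


def resolve_kb_dir(base_dir: str, kb_name: str) -> Path:
    """Hardened resolution: the name must be a single path component, and the
    fully resolved target (symlinks and '..' collapsed) must sit strictly
    inside base_dir."""
    base = Path(base_dir).resolve()
    if not kb_name or kb_name in (".", "..") or "/" in kb_name or "\\" in kb_name:
        raise PathTraversalError(f"invalid knowledge base name: {kb_name!r}")
    target = (base / kb_name).resolve()
    # Check containment after resolution so a symlink planted inside the base
    # that points elsewhere is also rejected.
    if target == base or base not in target.parents:
        raise PathTraversalError(f"refusing path outside base: {target}")
    return target


def safe_delete(base_dir: str, kb_name: str) -> Path:
    """Delete only after the hardened resolution succeeds."""
    target = resolve_kb_dir(base_dir, kb_name)
    if target.is_dir():
        shutil.rmtree(target)
    return target


def demo() -> dict:
    """Build a temporary layout (constructed for this example), run both
    versions with a traversal payload and a symlink, and report the outcome."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "knowledge_bases")
    victim = os.path.join(root, "victim")  # directory outside the KB root
    os.makedirs(os.path.join(base, "good-kb"))
    os.makedirs(victim)
    results = {}

    # Vulnerable path: "../victim" walks out of the base and deletes it.
    vulnerable_delete(base, "../victim")
    results["vulnerable_deleted_outside"] = not os.path.isdir(victim)

    # Hardened path: the same payload is rejected and the directory survives.
    os.makedirs(victim)
    try:
        safe_delete(base, "../victim")
        results["hardened_rejected"] = False
    except PathTraversalError:
        results["hardened_rejected"] = True
    results["victim_survives"] = os.path.isdir(victim)

    # A symlink inside the base pointing outside is caught by the resolved check.
    os.symlink(victim, os.path.join(base, "link-kb"))
    try:
        safe_delete(base, "link-kb")
        results["symlink_rejected"] = False
    except PathTraversalError:
        results["symlink_rejected"] = True

    # Legitimate deletion of a real knowledge base still works.
    safe_delete(base, "good-kb")
    results["legit_delete_works"] = not os.path.isdir(os.path.join(base, "good-kb"))

    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    print(demo())
```

The containment check is done on the resolved path rather than on the raw string: rejecting "../" in the input is necessary but not sufficient, since a symlink created inside the storage directory can point anywhere, and only resolving the final target catches that.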
Business impact
This vulnerability carries a CVSS score of 9.6, reflecting the high impact on system availability and data integrity. An attacker with valid credentials can delete any directory the Langflow process has write access to, including the application's own data and supporting files, leading to a complete service disruption (Denial of Service) or the permanent loss of essential application data and significant operational downtime.
Remediation
Immediate Action: Update Langflow to version 1.9.0 or later, which fixes the path handling in the Knowledge Bases API.
Proactive Monitoring: Monitor API access logs for DELETE requests to /api/v1/knowledge_bases whose knowledge base identifier contains traversal sequences (plain "../" as well as URL-encoded and double-encoded forms such as "%2e%2e%2f") or that reference locations outside the intended knowledge base storage directory. If the identifier is carried in the request body rather than the URL, access logs alone will not show it, so log the requested name at the application layer as well.
Compensating Controls: Until the upgrade is applied, use a Web Application Firewall (WAF) to inspect and block requests to the /api/v1/knowledge_bases endpoint that contain path traversal sequences (e.g., "../"). The rule must normalise URL encoding before matching, and it is a stop-gap only: it does not remove the underlying flaw.
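As an added example of the monitoring and WAF-style matching described above (not code from the page or from Langflow), the block below scans combined-format access log lines for DELETE requests to /api/v1/knowledge_bases that carry a traversal sequence after URL decoding. The log lines are constructed for this example, and the assumption that the knowledge base name appears in the URL path or query string is an illustration; a name sent in a request body would not be visible here.

```python
"""
Added example, not from the page or Langflow: flag DELETE requests to the
knowledge-bases endpoint whose URL carries a traversal sequence, decoding
URL-encoded and double-encoded forms first. Sample log lines are constructed.
"""
import re
from urllib.parse import unquote, urlsplit

ENDPOINT = "/api/v1/knowledge_bases"

# Combined log format: ip ident user [timestamp] "METHOD URL PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)

# ".." as a whole path or value component after decoding. Preceded by start,
# "/", "=", "&" or "?", followed by end, "/", "&", "?" or "#", so that a
# legitimate name like "my..kb" is not flagged.
TRAVERSAL_RE = re.compile(r"(?:^|[/=&?])\.\.(?:$|[/&?#])")

# Constructed sample: one legitimate delete, two traversal attempts from the
# same client (plain and double-encoded), a GET on the same endpoint and a
# DELETE on a different endpoint.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2026:10:01:02 +0000] "DELETE /api/v1/knowledge_bases/old-kb HTTP/1.1" 204 0
10.0.0.9 - - [12/Mar/2026:10:01:05 +0000] "DELETE /api/v1/knowledge_bases/..%2F..%2Fvictim HTTP/1.1" 204 0
10.0.0.9 - - [12/Mar/2026:10:01:07 +0000] "DELETE /api/v1/knowledge_bases?name=%252e%252e%2Fvictim HTTP/1.1" 400 0
10.0.0.5 - - [12/Mar/2026:10:01:09 +0000] "GET /api/v1/knowledge_bases/..%2F..%2Fetc HTTP/1.1" 200 0
10.0.0.7 - - [12/Mar/2026:10:01:11 +0000] "DELETE /api/v1/flows/..%2F..%2Fx HTTP/1.1" 404 0
"""


def fully_decode(s: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double encoding does not slip past."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def has_traversal(url: str) -> bool:
    """True if the decoded URL carries a '..' path or value component.
    Backslashes are folded to '/' so Windows-style separators are caught too."""
    decoded = fully_decode(url).replace("\\", "/")
    return TRAVERSAL_RE.search(decoded) is not None


def flag_suspicious(lines) -> list:
    """Return the DELETE requests on the knowledge-bases endpoint that carry a
    traversal sequence, with the decoded URL for the analyst."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "DELETE":
            continue
        path = fully_decode(urlsplit(m["url"]).path)
        if not path.startswith(ENDPOINT):
            continue
        if has_traversal(m["url"]):
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "status": m["status"],
                "url": m["url"],
                "decoded": fully_decode(m["url"]),
            })
    return hits


if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLE_LOG.splitlines()):
        print(hit)
```

The same decode-then-match logic is what a WAF rule for this endpoint needs: a rule that only looks for the literal string "../" misses "%2e%2e%2f" and the double-encoded variant on the third sample line. The method filter is deliberate because the page describes a DELETE endpoint; widen it if you want to see probing with other methods as well.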
Exploitation status
Public Exploit Available: Yes (PoC)
Analyst recommendation
Due to the availability of a Proof-of-Concept and the potential for severe operational impact, organizations running Langflow must prioritize updating to version 1.9.0 or later. Because exploitation requires valid credentials, ensure that API access is strictly controlled and that accounts are limited to those who need them, and confirm that every Langflow instance is accounted for in the update cycle.