CVE-2026-42048

Langflow · Langflow

Langflow is vulnerable to Path Traversal in the Knowledge Bases API, allowing authenticated attackers to delete arbitrary directories on the server.

Executive summary

A critical path traversal vulnerability in Langflow allows authenticated attackers to perform arbitrary file/directory deletion, threatening system integrity.

Vulnerability

The vulnerability exists in the Knowledge Bases API (DELETE /api/v1/knowledge_bases) where user-supplied input is not sanitized, allowing an authenticated attacker to execute path traversal and delete arbitrary directories.

Business impact

This vulnerability carries a CVSS score of 9.6, reflecting the high impact on system availability and data integrity. An attacker can leverage this to delete critical system files, leading to a complete service disruption (Denial of Service) or the destruction of essential application data, resulting in significant operational downtime.

Remediation

Immediate Action: Update Langflow to version 1.9.0 or later to patch the Knowledge Bases API.

Proactive Monitoring: Monitor API access logs for suspicious DELETE requests targeting unauthorized paths or directory structures outside the intended knowledge base repository.

Compensating Controls: Use a Web Application Firewall (WAF) to inspect and block requests containing path traversal sequences (e.g., "../") directed at the /api/v1/knowledge_bases endpoint.
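As an added, defender-side illustration (not Langflow's own code, which this page does not show): a directory-resolution check of the kind that prevents a knowledge base name from escaping its storage root, plus a scanner for the access-log monitoring recommended above. The root path, the way the name appears in the URL, and the log lines are constructed assumptions.

```python
import re
from pathlib import Path
from typing import List, Optional
from urllib.parse import unquote

# Constructed example root; the real Langflow storage path is not on this page.
KB_ROOT = Path("/srv/langflow/knowledge_bases")


def resolve_kb_dir(root: Path, name: str) -> Optional[Path]:
    """Map a user-supplied knowledge base name to a directory strictly
    inside `root`; return None if the name would escape it."""
    # A bare name must not carry separators at all.
    if not name or "/" in name or "\\" in name:
        return None
    root_real = root.resolve()
    candidate = (root / name).resolve()  # collapses ".." and symlinks
    try:
        candidate.relative_to(root_real)
    except ValueError:  # resolved outside the root (e.g. name == "..")
        return None
    if candidate == root_real:  # name == "." would target the root itself
        return None
    return candidate


# Detection side: a DELETE to the endpoint whose decoded target contains
# ".." followed by a separator or the end of the string.
DELETE_KB = re.compile(r'"DELETE\s+(/api/v1/knowledge_bases[^\s"]*)')
TRAVERSAL = re.compile(r"\.\.(?:[\\/]|$)")


def flag_suspicious_deletes(log_lines: List[str]) -> List[str]:
    """Return access-log lines with traversal sequences in DELETE requests
    to the knowledge bases API. Decodes twice to catch double-encoding."""
    flagged = []
    for line in log_lines:
        m = DELETE_KB.search(line)
        if m and TRAVERSAL.search(unquote(unquote(m.group(1)))):
            flagged.append(line)
    return flagged


# Constructed access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "DELETE /api/v1/knowledge_bases/docs HTTP/1.1" 204 -',
    '10.0.0.7 - - [01/Jan/2026:10:00:01 +0000] "DELETE /api/v1/knowledge_bases/..%2F..%2Fetc HTTP/1.1" 204 -',
    '10.0.0.7 - - [01/Jan/2026:10:00:02 +0000] "DELETE /api/v1/knowledge_bases?name=%252e%252e%2Fdata HTTP/1.1" 400 -',
    '10.0.0.9 - - [01/Jan/2026:10:00:03 +0000] "GET /api/v1/knowledge_bases HTTP/1.1" 200 -',
]
```

Request bodies are not in access logs, so a name passed in JSON needs application-level logging to be caught by the scanner.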

Exploitation status

Public Exploit Available: Yes (PoC)

Analyst recommendation

Due to the availability of a Proof-of-Concept and the potential for severe operational impact, organizations running Langflow must prioritize updating to version 1.9.0. Ensure that API access is strictly controlled and that all instances are accounted for in the update cycle.