
CVE-2026-33309: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in langflow-ai langflow

Critical
Published: Tue Mar 24 2026 (03/24/2026, 12:49:16 UTC)
Source: CVE Database V5
Vendor/Project: langflow-ai
Product: langflow

Description

CVE-2026-33309 is a critical path traversal vulnerability in langflow versions 1.2.0 through 1.8.1. It arises from an architectural flaw in the LocalStorageService where boundary checks are missing, allowing an authenticated attacker to bypass filename validation on the POST /api/v2/files/ endpoint. This enables arbitrary file write anywhere on the host system, potentially leading to remote code execution without user interaction. The vulnerability stems from a failed patch for a previous related issue (CVE-2025-68478) and is fixed in version 1.9.0.

AI-Powered Analysis

Machine-generated threat intelligence

AI analysis last updated: 03/31/2026, 20:28:09 UTC

Technical Analysis

CVE-2026-33309 is a critical security vulnerability classified as CWE-22 (Path Traversal) affecting langflow, a tool used for building and deploying AI-powered agents and workflows. The flaw exists in versions 1.2.0 through 1.8.1 due to an architectural deficiency in the LocalStorageService component. Although a previous vulnerability (CVE-2025-68478) was patched, the root cause remained unaddressed: the storage layer lacks internal boundary containment checks and relies solely on an HTTP-layer filename validation mechanism (ValidatedFileName). This defense-in-depth failure allows an authenticated attacker to exploit the POST /api/v2/files/ endpoint by submitting a multipart upload with a crafted filename that bypasses path parameter guards. Consequently, the attacker can write arbitrary files anywhere on the host filesystem. This arbitrary file write can be leveraged to achieve remote code execution (RCE) without requiring user interaction. The vulnerability is severe because it compromises confidentiality, integrity, and availability of the affected system. Version 1.9.0 of langflow contains an updated fix that addresses the underlying architectural issue by implementing proper boundary checks within the storage layer. The CVSS v3.1 base score is 10.0, indicating a critical severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and with scope changed due to impact beyond the vulnerable component.

Potential Impact

The impact of CVE-2026-33309 is severe for organizations using langflow versions 1.2.0 to 1.8.1. An attacker with valid authentication credentials can write arbitrary files anywhere on the host system, potentially overwriting critical system or application files. This can lead to remote code execution, allowing attackers to execute malicious code with the privileges of the langflow service. The compromise can result in full system takeover, data theft, destruction, or manipulation of AI workflows and agents. Given langflow's role in AI deployment, attackers could manipulate AI-driven processes, causing operational disruptions or introducing malicious behaviors in AI agents. The vulnerability threatens confidentiality, integrity, and availability, making it a critical risk for organizations relying on langflow for AI automation. Additionally, the ease of exploitation (low complexity, no user interaction) increases the likelihood of targeted attacks once credentials are obtained. The scope extends beyond the application to the underlying host system, amplifying potential damage.

Mitigation Recommendations

1. Immediate upgrade to langflow version 1.9.0 or later, which contains the updated fix addressing the architectural flaw.
2. Restrict access to the POST /api/v2/files/ endpoint to trusted users and networks only, employing network segmentation and firewall rules.
3. Implement strong authentication and authorization controls to limit who can access the vulnerable endpoint.
4. Monitor file system changes and application logs for unusual file write activities, especially in directories outside expected storage paths.
5. Employ runtime application self-protection (RASP) or host-based intrusion detection systems (HIDS) to detect and block suspicious file operations.
6. Conduct regular security audits and code reviews focusing on input validation and boundary checks in storage components.
7. If immediate upgrade is not possible, consider temporarily disabling the file upload functionality or applying custom patches to enforce boundary checks.
8. Educate developers and administrators about the importance of defense-in-depth and not relying solely on HTTP-layer validation for critical security controls.
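The analysis above faults a storage layer that trusted an HTTP-layer filename validator and performed no containment check of its own (recommendations 6 and 8). The following is an added illustration of what a storage-layer boundary check looks like; it is not langflow's code and does not reproduce its LocalStorageService. The ContainedLocalStorage class, the PathOutsideStorageError exception and the run_demo() helper are hypothetical names chosen for this example, and the file names exercised in run_demo() are constructed test inputs, not values from the advisory.

```python
"""Storage-layer path containment (added example, not langflow code)."""
from __future__ import annotations

import os
import tempfile
from pathlib import Path


class PathOutsideStorageError(ValueError):
    """Raised when a requested file location resolves outside the storage root."""


class ContainedLocalStorage:
    """Minimal local storage service whose own save_file() enforces containment.

    The root directory is the only place this service may ever write. Every
    write goes through resolve_within_root(), so a caller-side filename check
    (such as an HTTP-layer validator) is no longer the last line of defence.
    """

    def __init__(self, root: str | os.PathLike) -> None:
        # Resolve once so later comparisons are against the real directory.
        self.root = Path(root).resolve()

    def resolve_within_root(self, flow_id: str, file_name: str) -> Path:
        # Joining an absolute component discards self.root entirely
        # (Path("/srv/store") / "/tmp/x" == Path("/tmp/x")), so reject
        # empty or absolute inputs up front instead of trusting the join.
        for part in (flow_id, file_name):
            if not part or Path(part).is_absolute():
                raise PathOutsideStorageError(f"invalid path component: {part!r}")
        # resolve() collapses '..' and follows symlinks, yielding the real target.
        target = (self.root / flow_id / file_name).resolve()
        # Containment test on the resolved path: the root itself is never a
        # valid file target, and everything else must lie strictly below it.
        if target == self.root or self.root not in target.parents:
            raise PathOutsideStorageError(f"{target} is outside {self.root}")
        return target

    def save_file(self, flow_id: str, file_name: str, data: bytes) -> Path:
        target = self.resolve_within_root(flow_id, file_name)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
        return target


def run_demo() -> dict[str, bool]:
    """Exercise the check against constructed inputs in a temporary root.

    Returns {case_name: accepted}. True means the write landed inside the
    root; False means the storage layer refused it.
    """
    results: dict[str, bool] = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "storage"
        root.mkdir()
        store = ContainedLocalStorage(root)
        # Constructed cases: two legitimate names, three traversal shapes.
        cases = {
            "plain-name": ("flow-1", "notes.txt"),
            "nested-name": ("flow-1", "sub/dir/notes.txt"),
            "dotdot-escape": ("flow-1", "../../escaped.txt"),
            "absolute-name": ("flow-1", str(Path(tmp) / "escaped.txt")),
            "dotdot-flow-id": ("../flow-1", "notes.txt"),
        }
        # A symlink inside the root that points above it: a string check on
        # the joined path would miss this, resolve() does not.
        try:
            os.symlink(tmp, root / "link")
            cases["symlink-escape"] = ("link", "escaped.txt")
        except OSError:
            pass  # symlinks unavailable for this platform/user; skip the case
        for name, (flow_id, file_name) in cases.items():
            try:
                store.save_file(flow_id, file_name, b"constructed content")
                results[name] = True
            except PathOutsideStorageError:
                results[name] = False
    return results


if __name__ == "__main__":
    for case, accepted in run_demo().items():
        print(f"{case:16s} {'written' if accepted else 'rejected'}")
```

The design point is that the comparison happens on the resolved path, after `..` components and symlinks have been collapsed, and that absolute components are refused before the join rather than relying on `Path.__truediv__` to do something sensible with them. An HTTP-layer validator like the ValidatedFileName guard the analysis mentions can stay as a first filter, but the storage layer should be correct even if that filter is bypassed, because it is the component that actually touches the filesystem.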


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-18T21:23:36.675Z
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 69c28b09f4197a8e3b35a4b8

Added to database: 3/24/2026, 1:00:57 PM

Last enriched: 3/31/2026, 8:28:09 PM

Last updated: 5/8/2026, 4:34:00 PM



