Langflow, a platform for building and deploying AI-powered agents and workflows, suffers from a critical path traversal vulnerability identified as CVE-2026-33309. The flaw exists in versions 1.2.0 through 1.8.1 due to an incomplete patch for a previous vulnerability (CVE-2025-68478). The root cause lies in the LocalStorageService component, which lacks proper boundary containment checks on file paths. Instead, it relies entirely on the HTTP-layer ValidatedFileName mechanism to prevent malicious file path inputs. However, this validation can be bypassed during multipart file uploads to the POST /api/v2/files/ endpoint, allowing authenticated attackers to specify arbitrary file paths. This enables arbitrary file write operations anywhere on the host filesystem, potentially leading to remote code execution (RCE) by placing malicious payloads in executable locations. The vulnerability involves multiple CWE categories: CWE-22 (Path Traversal), CWE-73 (External Control of File Name or Path), CWE-94 (Code Injection), and CWE-284 (Improper Access Control). The vulnerability has a CVSS v3.1 base score of 10.0, indicating critical severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacts confidentiality, integrity, and availability with scope change. The issue was resolved in langflow version 1.9.0 with an updated fix that properly enforces boundary checks at the storage layer, preventing path traversal and arbitrary file writes.

This vulnerability poses a severe risk to organizations deploying langflow versions 1.2.0 through 1.8.1. Successful exploitation allows authenticated attackers to write arbitrary files anywhere on the host system, which can lead to remote code execution. This compromises system confidentiality, integrity, and availability, potentially allowing attackers to execute arbitrary commands, install persistent backdoors, or disrupt AI workflow operations. Given langflow’s role in AI agent and workflow deployment, attackers could manipulate AI-driven processes or exfiltrate sensitive data. The critical nature and ease of exploitation (low complexity, no user interaction) mean that threat actors with valid credentials can quickly escalate privileges and gain full system control. This can lead to widespread operational disruption, data breaches, and potential lateral movement within enterprise networks. Organizations relying on langflow for AI automation and orchestration face significant risks until patched.

1. Immediately upgrade langflow installations to version 1.9.0 or later, which contains the updated fix addressing the path traversal and arbitrary file write vulnerability. 2. Restrict access to the POST /api/v2/files/ endpoint to trusted and authenticated users only, employing strong authentication mechanisms such as multi-factor authentication (MFA). 3. Implement network-level segmentation and firewall rules to limit exposure of langflow management interfaces to internal or trusted networks. 4. Monitor logs for unusual file upload activities or attempts to write files outside expected directories. 5. Employ runtime application self-protection (RASP) or host-based intrusion detection systems (HIDS) to detect and block suspicious file system modifications. 6. Conduct regular security audits and code reviews focusing on input validation and boundary checks in custom AI workflow tools. 7. If immediate upgrade is not feasible, consider temporarily disabling or restricting the vulnerable file upload functionality as a stopgap measure. 8. Educate developers and administrators about the risks of relying solely on HTTP-layer validation without enforcing backend boundary checks.