CVE-2026-33497 is a path traversal vulnerability classified under CWE-22, affecting langflow, an AI workflow and agent building tool. The flaw exists in the download_profile_picture function accessed via the /profile_pictures/{folder_name}/{file_name} endpoint. In versions prior to 1.7.1, the parameters folder_name and file_name are not properly sanitized or restricted, allowing an attacker to craft requests that traverse directories outside the intended profile pictures folder. This enables unauthorized reading of arbitrary files on the server, including sensitive files such as secret_key, which could contain credentials or cryptographic keys. The vulnerability is remotely exploitable without authentication or user interaction, increasing its risk. The CVSS 4.0 base score is 8.7 (high), reflecting the ease of exploitation and the high confidentiality impact. The vendor addressed the issue in version 1.7.1 by implementing stricter input validation and path restrictions to prevent directory traversal. No public exploits or active exploitation have been reported to date, but the potential impact on confidentiality is significant, especially in environments where langflow is used to manage AI agents with sensitive configurations.

The primary impact of this vulnerability is unauthorized disclosure of sensitive files on servers running vulnerable langflow versions. Exposure of secret keys or configuration files can lead to further compromise, including unauthorized access to backend systems, data exfiltration, or manipulation of AI workflows. Organizations relying on langflow for AI agent deployment may face confidentiality breaches, loss of intellectual property, and potential disruption of AI services. Since the vulnerability requires no authentication and can be exploited remotely, it poses a significant risk to any exposed langflow instance. The scope of affected systems includes all deployments running langflow versions before 1.7.1, particularly those accessible over public or untrusted networks. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits given the public disclosure.

1. Immediately upgrade langflow installations to version 1.7.1 or later, where the vulnerability is patched. 2. If upgrading is not immediately possible, implement network-level controls such as firewall rules or access control lists to restrict access to the /profile_pictures endpoint only to trusted users or internal networks. 3. Conduct a thorough audit of server file permissions to ensure that sensitive files like secret_key are not accessible by the web server user or are stored outside the web root. 4. Implement web application firewall (WAF) rules to detect and block path traversal patterns in HTTP requests targeting the vulnerable endpoint. 5. Review and enhance input validation mechanisms in custom deployments or forks of langflow to enforce strict whitelist filtering of folder_name and file_name parameters. 6. Monitor logs for suspicious access attempts to the /profile_pictures endpoint, especially those containing directory traversal sequences like ../. 7. Educate developers and administrators about secure coding practices related to file path handling to prevent similar vulnerabilities in the future.