CVE-2026-33309

Langflow is a tool for building and deploying AI-powered agents and workflows. Versions 1.2.0 through 1.8.1 have a bypass of the patch for CVE-2025-68478 (External Control of File Name), leading to the root architectural issue within `LocalStorageService` remaining unresolved. Because the underlying storage layer lacks boundary containment checks, the system relies entirely on the HTTP-layer `ValidatedFileName` dependency. This defense-in-depth failure leaves the `POST /api/v2/files/` endpoint vulnerable to Arbitrary File Write. The multipart upload filename bypasses the path-parameter guard, allowing authenticated attackers to write files anywhere on the host system, leading to Remote Code Execution (RCE). Version 1.9.0 contains an updated fix.

CVSS v3 9.9 CRITICAL

9.9^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.1 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/langflow-ai/langflow/security/advisories/GHSA-g2j9-7rj2-gm6c	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-24 13:16

Updated : 2026-03-24 19:17

NVD link : CVE-2026-33309

Mitre link : CVE-2026-33309

CVE.ORG link : CVE-2026-33309

JSON object : View

Products Affected

langflow

langflow

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-73

External Control of File Name or Path

CWE-94

Improper Control of Generation of Code ('Code Injection')

CWE-284

Improper Access Control

{"id": "CVE-2026-33309", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.1}]}, "published": "2026-03-24T13:16:02.983", "references": [{"url": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-g2j9-7rj2-gm6c", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-73"}, {"lang": "en", "value": "CWE-94"}, {"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "Langflow is a tool for building and deploying AI-powered agents and workflows. Versions 1.2.0 through 1.8.1 have a bypass of the patch for CVE-2025-68478 (External Control of File Name), leading to the root architectural issue within `LocalStorageService` remaining unresolved. Because the underlying storage layer lacks boundary containment checks, the system relies entirely on the HTTP-layer `ValidatedFileName` dependency. This defense-in-depth failure leaves the `POST /api/v2/files/` endpoint vulnerable to Arbitrary File Write. The multipart upload filename bypasses the path-parameter guard, allowing authenticated attackers to write files anywhere on the host system, leading to Remote Code Execution (RCE). Version 1.9.0 contains an updated fix."}, {"lang": "es", "value": "Langflow es una herramienta para construir y desplegar agentes y flujos de trabajo impulsados por IA. Las versiones 1.2.0 a 1.8.1 tienen un bypass del parche para CVE-2025-68478 (Control Externo del Nombre de Archivo), lo que lleva a que el problema arquitect\u00f3nico ra\u00edz dentro de 'LocalStorageService' permanezca sin resolver. Debido a que la capa de almacenamiento subyacente carece de comprobaciones de contenci\u00f3n de l\u00edmites, el sistema depende completamente de la dependencia 'ValidatedFileName' de la capa HTTP. Este fallo de defensa en profundidad deja el endpoint 'POST /api/v2/files/' vulnerable a la escritura arbitraria de archivos. El nombre de archivo de la carga multipart omite la protecci\u00f3n del par\u00e1metro de ruta, permitiendo a atacantes autenticados escribir archivos en cualquier lugar del sistema anfitri\u00f3n, lo que lleva a la ejecuci\u00f3n remota de c\u00f3digo (RCE). La versi\u00f3n 1.9.0 contiene una correcci\u00f3n actualizada."}], "lastModified": "2026-03-24T19:17:15.510", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "54961FCE-8971-4CCF-8E68-7B571195DFCD", "versionEndExcluding": "1.9.0", "versionStartIncluding": "1.2.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}