{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5027", "assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be", "state": "PUBLISHED", "assignerShortName": "tenable", "dateReserved": "2026-03-27T14:51:30.515Z", "datePublished": "2026-03-27T14:54:53.609Z", "dateUpdated": "2026-03-27T15:11:42.918Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be", "shortName": "tenable", "dateUpdated": "2026-03-27T14:54:53.609Z"}, "title": "Langflow - Path Traversal Arbitrary File Write via upload_user_file", "datePublic": "2026-03-27T16:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory", "type": "CWE"}]}], "affected": [{"vendor": "langflow-ai", "product": "langflow", "repo": "https://github.com/langflow-ai/langflow", "versions": [{"status": "affected", "version": "0", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences ('../').", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences ('../').</p>"}]}], "references": [{"url": "https://www.tenable.com/security/research/tra-2026-26"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "HIGH", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T15:11:19.967941Z", "id": "CVE-2026-5027", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T15:11:42.918Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5027", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-27T15:11:19.967941Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T15:11:27.738Z"}}], "cna": {"title": "Langflow - Path Traversal Arbitrary File Write via upload_user_file", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/langflow-ai/langflow", "vendor": "langflow-ai", "product": "langflow", "versions": [{"status": "affected", "version": "0", "versionType": "custom"}], "defaultStatus": "unaffected"}], "datePublic": "2026-03-27T16:00:00.000Z", "references": [{"url": "https://www.tenable.com/security/research/tra-2026-26"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences ('../').", "supportingMedia": [{"type": "text/html", "value": "<p>The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences ('../').</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory"}]}], "providerMetadata": {"orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be", "shortName": "tenable", "dateUpdated": "2026-03-27T14:54:53.609Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5027", "state": "PUBLISHED", "dateUpdated": "2026-03-27T15:11:42.918Z", "dateReserved": "2026-03-27T14:51:30.515Z", "assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be", "datePublished": "2026-03-27T14:54:53.609Z", "assignerShortName": "tenable"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences ('../')."}], "id": "CVE-2026-5027", "lastModified": "2026-03-30T13:26:29.793", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "vulnreport@tenable.com", "type": "Secondary"}]}, "published": "2026-03-27T15:17:04.743", "references": [{"source": "vulnreport@tenable.com", "url": "https://www.tenable.com/security/research/tra-2026-26"}], "sourceIdentifier": "vulnreport@tenable.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "vulnreport@tenable.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "0"}}], "enrichment": {"confidence": 92.0, "confidence_source": "matching", "scores": [{"score": 92.0, "source": "matching"}]}, "original": {"product": "langflow", "source": "cna", "vendor": "langflow-ai"}, "product": "langflow", "vendor": "langflow"}], "analysis": {"en": {"generated_at": "2026-03-27T16:20:25.248957+00:00", "value": {"mitigation_remediation": ["Check for and apply any vendor\u2011provided patch or update for Langflow.", "If a patch is not immediately available, configure the application to reject filenames containing traversal sequences such as \"../\".", "Restrict the upload endpoint to write only within a dedicated, non\u2011critical directory and enforce strict permissions.", "Implement server\u2011side logging to detect unauthorized file write attempts and alert administrators.", "Consider disabling the file upload feature if it is not essential to the deployment."], "summary": {"action": "Immediate Patch", "impact": "Remote File Write"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Langflow product by langflow\u2011ai. Any deployment exposing the POST /api/v2/files endpoint without proper filename sanitization is susceptible. No specific version numbers were supplied, so the impact may apply to all currently supported releases.", "description_and_impact": "A path traversal flaw in the file upload endpoint allows an attacker to write files to any location on the host filesystem. The flaw enables creation or modification of system files, potentially allowing malicious code injection or alteration of configuration files. This violates the integrity principle and could be used to execute arbitrary code, leading to full system compromise.", "risk_and_exploitability": "The CVSS score of 8.8 classifies the issue as high severity. EPSS data is unavailable, but the absence from the KEV catalog does not preclude exploitation. The likely attack path involves sending a crafted multipart/form-data request to the upload endpoint; while authentication requirements are not explicitly stated, the lack of sanitization suggests that an attacker could leverage the flaw even with limited privileges. Exfiltration or planting of malicious files could lead to system compromise."}}}}, "created": "2026-03-27T20:28:19.661798+00:00", "updated": "2026-03-30T07:59:36.357253+00:00", "vendors": ["langflow", "langflow$PRODUCT$langflow"]}