Langflow's Default Auto-Login and an Unsanitized Filename: Inside CVE-2026-5027
Default-open authentication plus an input sanitization failure turned a path traversal into live exploitation across roughly 7,000 internet-exposed instances.
When an AI workflow builder ships with authentication disabled by default and an endpoint that accepts attacker-controlled filenames without sanitization, a single HTTP request becomes a remote shell. That combination, not a novel attack class, is what turned CVE-2026-5027 into a live exploit problem across roughly 7,000 internet-exposed Langflow instances, per SecurityWeek's reporting on VulnCheck's findings.
The bug itself is a textbook path traversal. Langflow's POST /api/v2/files endpoint does not sanitize the "filename" field in the multipart upload, so an attacker can walk up the directory tree with ../ sequences and write attacker-chosen content to arbitrary locations on disk. NIST scored the flaw CVSS 8.8 and classified it as CWE-22, a category that has been a fixture of security advisories for two decades.
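The missing check described above, as an added example (not Langflow's code and not its 1.9.0 fix). The function names and the sample filenames are hypothetical, constructed here to show how an unchecked join lets ../ sequences resolve outside a storage directory and how a server-side check refuses them.

```python
import os
import tempfile
from pathlib import Path

# Constructed sample values for the multipart "filename" field.
SAMPLES = ["report.csv", "../../outside.txt", "a/../../b.txt", ".."]


def naive_target(base: Path, filename: str) -> Path:
    """Failure mode: the client-supplied name is joined to the storage dir unchecked."""
    return Path(os.path.normpath(base / filename))


def safe_target(base: Path, filename: str) -> Path:
    """Hardened form: accept a bare file name only, then verify containment."""
    # Reject separators of either style, NUL bytes, and the dot entries outright.
    if filename in ("", ".", "..") or any(c in filename for c in "/\\\x00"):
        raise ValueError(f"rejected upload filename: {filename!r}")
    base = base.resolve()
    target = (base / filename).resolve()  # resolve() also follows symlinks
    # Defence in depth: the resolved path must still sit under the storage dir.
    if base not in target.parents:
        raise ValueError(f"upload escapes storage directory: {filename!r}")
    return target


def classify(base: Path, samples=SAMPLES) -> dict:
    """Map each name to (naive join escapes base?, name the safe check would store)."""
    base = base.resolve()
    results = {}
    for name in samples:
        escapes = base not in naive_target(base, name).parents
        try:
            stored = safe_target(base, name).name
        except ValueError:
            stored = None
        results[name] = (escapes, stored)
    return results


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for name, (escapes, stored) in classify(Path(d)).items():
            print(f"{name!r:28} naive escapes={escapes!s:5} safe stores={stored}")
```

The containment check after resolve() is what catches a symlink inside the storage directory that points elsewhere, a case the character filter alone would pass.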
What made this case different is the second ingredient: Langflow ships with unauthenticated auto-login enabled by default. A single request to the platform hands the caller a valid session token. VulnCheck's VP of security research, Caitlin Condon, told SecurityWeek that this default posture is what converts the file-write primitive into unauthenticated remote code execution on a vulnerable deployment. No credentials, no auth bypass, no social engineering: the platform is logged in before the attacker has to do anything.
VulnCheck said it has observed in-the-wild exploitation attempts that used the traversal to drop test files on victim systems. The public record so far stops at that file-drop stage; the RCE capability is asserted by VulnCheck's analysis of the underlying flaw, not by a published exploit chain. That distinction matters. Exploitation is real, observed, and active, but the evidence today is that attackers are staging payloads rather than demonstrating a full kill chain end to end.
The blast radius is not hypothetical. VulnCheck estimates that roughly 7,000 Langflow instances are reachable on the public internet, the majority in North America. That is an exposure estimate, not a compromise count, and it rests on VulnCheck's measurement methodology. It is large enough to be the kind of number that turns a vendor advisory into a defense-wide triage event.
The disclosure timeline is the second part of the story. Tenable originally reported the bug to Langflow on January 20, then again on January 27, February 4, and March 23, according to Tenable's research advisory TRA-2026-26. Each attempt to coordinate a fix privately went unanswered. Tenable disclosed the technical details publicly on March 27 without a vendor patch in place. The fix did not land until Langflow 1.9.0 on June 11, more than four months after the first private report. That is a long window for a default-open internet service to sit on a published unauthenticated file-write primitive.
Langflow is not obscure. The open-source visual builder for AI agents and workflows has reportedly accumulated more than 145,000 GitHub stars and 8,000 forks, a footprint that puts low-code AI development tooling squarely in the category of infrastructure defenders have to think about, rather than fringe experiments. Vendor-side commentary was not available at the time of SecurityWeek's reporting; the only public fix-version statement is the one Tenable's advisory records.
The pattern is familiar. An earlier Langflow RCE, CVE-2026-33017, was mass-exploited roughly 20 hours after public disclosure, with attackers stealing database credentials and API keys for what researchers at Sysdig described as likely supply-chain follow-on. That earlier bug, scored CVSS 9.3, is not the same flaw as CVE-2026-5027 and should not be conflated, but it documents the speed at which low-code AI platforms get turned into commodity exploit infrastructure once the details are public.
Three facts tell defenders what to do. First, any Langflow deployment on a version older than 1.9.0 needs the upgrade and a review of file-system integrity and outbound network behavior, because the gap between disclosure and patch is exactly the window the prior CVE showed attackers to be working in. Second, default-open authentication on developer-facing infrastructure is the structural problem, not the specific bug; the path traversal is a known failure mode, and the auto-login default is what made it immediately exploitable. Third, internet-exposed Langflow instances, however they were deployed, are now part of the active scanning surface, and the assumption that a development tool running on a non-standard port is hidden no longer survives contact with mass exploit traffic.
The honest limitation of the public record is also the watch item. VulnCheck's observation of file-drop activity is not yet a published, independent RCE chain in the wild. If a second researcher or a CISA KEV entry confirms a full post-auth-to-shell chain against CVE-2026-5027 on exposed Langflow instances, the operational posture shifts from "patch and watch" to "treat as compromised and rotate." Until then, the patch is the right move, and the structural question (why a default-open dev platform with hundreds of thousands of users ships that way) is the one the next advisory will likely ask again.