CVE-2026-48520
Summary
by MITRE • 06/23/2026
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.10.0, the "Shareable Playground" (or "Public Flows" in code) contains a potential arbitrary file-read vulnerability, depending on the exact flow configuration used. By making a flow public, public execution of the flow is allowed. The execution request can contain a list of files that gets read by Langflow and fed into the LLM. The files path can be any path supported by the storage - it can be either a local file or S3 path if supported by the local configuration This vulnerability is fixed in 1.10.0.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 06/23/2026
The Langflow platform presents a critical security vulnerability in its Shareable Playground functionality prior to version 1.10.0, creating a potential arbitrary file read condition that could be exploited by malicious actors. This vulnerability specifically affects the Public Flows feature where users can make their AI workflows accessible to others, enabling public execution of these flows. The flaw stems from insufficient input validation and path sanitization within the file reading mechanism that processes user-provided file paths during flow execution. When a flow is configured as public, any requester can submit execution requests containing file references that Langflow will attempt to read and process for LLM consumption.
The technical implementation of this vulnerability allows attackers to specify arbitrary file paths through the execution request parameters, leveraging the underlying storage abstraction layer that supports multiple backends including local filesystem access and S3-compatible storage systems. This means that an attacker could potentially traverse the filesystem or access sensitive data stored in cloud storage if the system configuration permits such access. The vulnerability essentially removes the security boundaries that should normally prevent unauthorized file access, as the system fails to validate whether the requested file paths are within acceptable bounds or if they constitute valid access requests.
The operational impact of this vulnerability is significant across multiple attack vectors and threat scenarios. An attacker could potentially read sensitive configuration files, database credentials, API keys, or other confidential data stored on the same system where Langflow operates. The vulnerability also enables information disclosure attacks that could reveal system architecture details, file structures, or internal service configurations. This represents a direct violation of the principle of least privilege and could allow for lateral movement within compromised environments or provide attackers with additional attack surface information.
This vulnerability maps directly to CWE-22 - Improper Limitation of a Pathname to a Restricted Directory, which specifically addresses path traversal issues in file access mechanisms. The flaw also aligns with ATT&CK technique T1566.001 - Phishing: Spearphishing Attachment, as attackers could potentially craft malicious flows that read system files and exfiltrate data through the LLM processing pipeline. Additionally, this represents a privilege escalation vector under ATT&CK technique T1078 - Valid Accounts, where an attacker with access to public flow functionality could leverage the arbitrary file reading capability to gain deeper system insights or credentials.
The mitigation strategy involves upgrading to Langflow version 1.10.0 or later, which implements proper input validation and path sanitization mechanisms. Organizations should also implement network-level restrictions on flow execution endpoints, particularly for public flows, and conduct thorough security reviews of all shared workflows. Additional protective measures include implementing strict access controls for the underlying storage systems, monitoring execution requests for suspicious file path patterns, and establishing proper logging and alerting mechanisms to detect potential exploitation attempts. The fix in version 1.10.0 should include comprehensive validation that prevents path traversal attacks while maintaining legitimate functionality for authorized users.