CVE-2026-33309
Received Received - Intake
Arbitrary File Write in Langflow LocalStorageService Enables RCE

Publication date: 2026-03-24

Last updated on: 2026-03-24

Assigner: GitHub, Inc.

Description
Langflow is a tool for building and deploying AI-powered agents and workflows. Versions 1.2.0 through 1.8.1 have a bypass of the patch for CVE-2025-68478 (External Control of File Name), leading to the root architectural issue within `LocalStorageService` remaining unresolved. Because the underlying storage layer lacks boundary containment checks, the system relies entirely on the HTTP-layer `ValidatedFileName` dependency. This defense-in-depth failure leaves the `POST /api/v2/files/` endpoint vulnerable to Arbitrary File Write. The multipart upload filename bypasses the path-parameter guard, allowing authenticated attackers to write files anywhere on the host system, leading to Remote Code Execution (RCE). Version 1.9.0 contains an updated fix.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-24
Last Modified
2026-03-24
Generated
2026-06-16
AI Q&A
2026-03-24
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33309
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
langflow langflow From 1.2.0 (inc) to 1.9.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-33309 is a critical Arbitrary File Write vulnerability in the langflow package versions 1.2.0 through 1.8.1. It arises because the LocalStorageService component does not properly check file path boundaries, allowing an attacker to bypass filename validation.'}, {'type': 'paragraph', 'content': 'Specifically, the vulnerability exists in the POST /api/v2/files/ API endpoint, where the filename from a multipart upload is taken directly from the Content-Disposition header without sanitization. This allows an authenticated attacker to submit filenames containing directory traversal sequences (e.g., "../../") to write files outside the intended storage directory.'}, {'type': 'paragraph', 'content': 'This flaw leads to the possibility of writing arbitrary files anywhere on the host system, including overwriting critical system files or injecting malicious code, ultimately enabling Remote Code Execution (RCE).'}] [1]

Impact Analysis

This vulnerability can have severe impacts as it allows authenticated attackers to write arbitrary files anywhere on the host system.

  • Attackers can overwrite critical system files, potentially destabilizing or compromising the system.
  • Malicious Python code can be injected, leading to Remote Code Execution (RCE), which means attackers can execute arbitrary commands on the host.
  • Attackers can overwrite sensitive files such as .ssh/authorized_keys, enabling persistent unauthorized access.

Overall, this vulnerability poses a critical security risk with a CVSS v3.1 base score of 9.9, indicating high impact on confidentiality, integrity, and availability.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring attempts to exploit the POST /api/v2/files/ endpoint with multipart uploads containing filenames that include directory traversal sequences such as "../".'}, {'type': 'paragraph', 'content': 'A practical detection method is to inspect server logs or network traffic for file upload requests where the filename parameter contains path traversal patterns.'}, {'type': 'paragraph', 'content': 'For example, you can use the following command to search server logs for suspicious filenames:'}, {'type': 'list_item', 'content': "grep -E '\\.\\./|\\.\\.\\\\' /path/to/langflow/logs/access.log"}, {'type': 'paragraph', 'content': 'Additionally, a proof of concept Python script exists that authenticates to the API and uploads a file with a traversal filename to confirm the vulnerability.'}] [1]

Mitigation Strategies

The immediate mitigation steps include upgrading Langflow to version 1.9.0 or later, which contains the updated fix for this vulnerability.

If upgrading is not immediately possible, apply the following mitigations:

  • Sanitize the multipart upload filenames by stripping directory traversal characters before processing. For example, use code to extract only the base filename and reject invalid names.
  • Add a canonical path containment check inside the LocalStorageService.save_file method to ensure the resolved file path is within the allowed base directory.

These steps prevent arbitrary file writes and mitigate the risk of remote code execution via this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33309. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart