CVE-2026-5027
Received Received - Intake
Path Traversal in POST /api/v2/files Allows Arbitrary File Write

Publication date: 2026-03-27

Last updated on: 2026-03-27

Assigner: Tenable Network Security, Inc.

Description
The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences ('../').
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-27
Last Modified
2026-03-27
Generated
2026-06-16
AI Q&A
2026-03-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5027
EUVD
EUVD-2026-16668
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
langflow langflow to 2026-03-27 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability allows an attacker to write files to arbitrary locations on the server filesystem.

Such an ability can lead to full compromise of confidentiality, integrity, and availability of the affected system.

It can be exploited for remote code execution or other malicious activities, posing a high risk to the system.

Compliance Impact

The vulnerability allows an attacker to write files to arbitrary locations on the filesystem, potentially leading to full compromise of confidentiality, integrity, and availability of the affected system.

Such a compromise can result in unauthorized access to sensitive data, disruption of services, and manipulation or destruction of data, which may violate requirements set by common standards and regulations like GDPR and HIPAA that mandate protection of personal and sensitive information.

Therefore, this vulnerability poses a significant risk to compliance with these regulations due to the potential exposure and loss of protected data.

Executive Summary

The CVE-2026-5027 vulnerability affects Langflow and involves a path traversal arbitrary file write issue via the 'upload_user_file' functionality.

Specifically, the 'POST /api/v2/files' endpoint fails to properly sanitize the 'filename' parameter in multipart form data, allowing an attacker to include path traversal sequences such as '../' in the filename.

This flaw enables an attacker to write files to arbitrary locations on the filesystem.

Detection Guidance

This vulnerability involves the 'POST /api/v2/files' endpoint accepting a 'filename' parameter that is not sanitized, allowing path traversal sequences like '../' to write files to arbitrary locations.

To detect exploitation attempts on your system or network, you can monitor HTTP POST requests to the '/api/v2/files' endpoint and look for multipart form data where the 'filename' parameter contains path traversal sequences such as '../'.

Example commands to detect such attempts include:

  • Using network traffic capture tools like tcpdump or Wireshark to filter HTTP POST requests to '/api/v2/files' and inspect the 'filename' parameter.
  • Using grep on web server logs to find suspicious filenames: grep -E "POST /api/v2/files" /var/log/nginx/access.log | grep "filename=.*\.\./"
  • Using intrusion detection systems (IDS) or web application firewalls (WAF) to alert on path traversal patterns in POST requests to this endpoint.
Mitigation Strategies

Since no known patch or solution was available at the time of the advisory, immediate mitigation steps focus on reducing exposure and preventing exploitation.

  • Restrict access to the vulnerable 'POST /api/v2/files' endpoint by limiting network access to trusted users or IP addresses.
  • Implement input validation or filtering at the web server or application firewall level to block requests containing path traversal sequences such as '../' in the 'filename' parameter.
  • Monitor logs and network traffic for suspicious activity targeting this endpoint and respond promptly to any detected attempts.
  • Consider disabling or restricting the file upload functionality if it is not essential.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5027. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart