CVE-2026-5027
Path Traversal in POST /api/v2/files Allows Arbitrary File Write
Publication date: 2026-03-27
Last updated on: 2026-03-27
Assigner: Tenable Network Security, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| langflow | langflow | to 2026-03-27 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
The CVE-2026-5027 vulnerability affects Langflow and involves a path traversal arbitrary file write issue via the 'upload_user_file' functionality.
Specifically, the 'POST /api/v2/files' endpoint fails to properly sanitize the 'filename' parameter in multipart form data, allowing an attacker to include path traversal sequences such as '../' in the filename.
This flaw enables an attacker to write files to arbitrary locations on the filesystem.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the 'POST /api/v2/files' endpoint accepting a 'filename' parameter that is not sanitized, allowing path traversal sequences like '../' to write files to arbitrary locations.
To detect exploitation attempts on your system or network, you can monitor HTTP POST requests to the '/api/v2/files' endpoint and look for multipart form data where the 'filename' parameter contains path traversal sequences such as '../'.
Example commands to detect such attempts include:
- Using network traffic capture tools like tcpdump or Wireshark to filter HTTP POST requests to '/api/v2/files' and inspect the 'filename' parameter.
- Using grep on web server logs to find suspicious filenames: grep -E "POST /api/v2/files" /var/log/nginx/access.log | grep "filename=.*\.\./"
- Using intrusion detection systems (IDS) or web application firewalls (WAF) to alert on path traversal patterns in POST requests to this endpoint.
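The detection logic from the answer above, carried through as an added Python example that is not part of the advisory. One caveat a practitioner should know: a default nginx "combined" access log does not record request bodies, so the multipart filename is only visible where the reverse proxy or WAF is configured to log it. The sample lines below are constructed and assume such a setup, with the multipart filename appended as a final quoted field; the `/api/v2/files` endpoint name is the one the advisory gives. The check decodes percent-encoding and looks for actual `..` path segments, so a benign name such as `notes..txt` (which a plain `\.\.` grep would flag) is not reported.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not taken from any real system). Assumed format:
# combined log fields followed by one extra quoted field holding the multipart
# "filename" the proxy saw, or "-" when the request carried none.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Mar/2026:10:01:02 +0000] "POST /api/v2/files HTTP/1.1" 201 88 "report.csv"
10.0.0.9 - - [27/Mar/2026:10:01:07 +0000] "POST /api/v2/files HTTP/1.1" 201 88 "../../../../tmp/dropped.txt"
10.0.0.9 - - [27/Mar/2026:10:01:09 +0000] "POST /api/v2/files HTTP/1.1" 201 88 "..%2F..%2F..%2Ftmp%2Fencoded.txt"
10.0.0.7 - - [27/Mar/2026:10:02:00 +0000] "GET /api/v2/files/123 HTTP/1.1" 200 512 "-"
10.0.0.3 - - [27/Mar/2026:10:02:30 +0000] "POST /api/v2/files HTTP/1.1" 201 88 "notes..txt"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<filename>[^"]*)"$'
)


def decode_filename(raw: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding so that %2e%2e%2f and
    double-encoded variants are inspected in their decoded form."""
    value = raw
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(filename: str) -> bool:
    """True if the decoded filename could escape an upload directory: an
    absolute path, a Windows drive prefix, or any '..' path segment.
    A '..' inside a segment (e.g. 'notes..txt') is not traversal."""
    decoded = decode_filename(filename).replace("\\", "/")
    if decoded.startswith("/") or re.match(r"^[A-Za-z]:", decoded):
        return True
    return any(segment == ".." for segment in decoded.split("/"))


def find_traversal_uploads(log_text: str, endpoint: str = "/api/v2/files") -> list:
    """Return one record per POST to `endpoint` whose filename is a traversal."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # unparseable line; a real deployment would count these
        if match["method"] != "POST" or match["path"].split("?", 1)[0] != endpoint:
            continue
        if is_traversal(match["filename"]):
            hits.append({
                "ip": match["ip"],
                "ts": match["ts"],
                "filename": match["filename"],
                "decoded": decode_filename(match["filename"]),
            })
    return hits


if __name__ == "__main__":
    for hit in find_traversal_uploads(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} -> {hit['decoded']!r}")
```

Run against the constructed sample, the script reports the two requests from 10.0.0.9 and ignores the GET, the clean upload and `notes..txt`. The same `is_traversal` predicate can be dropped into a WAF or proxy rule engine that exposes the decoded filename.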
What immediate steps should I take to mitigate this vulnerability?
Since no known patch or solution was available at the time of the advisory, immediate mitigation steps focus on reducing exposure and preventing exploitation.
- Restrict access to the vulnerable 'POST /api/v2/files' endpoint by limiting network access to trusted users or IP addresses.
- Implement input validation or filtering at the web server or application firewall level to block requests containing path traversal sequences such as '../' in the 'filename' parameter.
- Monitor logs and network traffic for suspicious activity targeting this endpoint and respond promptly to any detected attempts.
- Consider disabling or restricting the file upload functionality if it is not essential.
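To make the CWE-22 weakness in the table above and the "input validation" mitigation concrete, here is an added Python example showing a generic upload sink in its weak form beside a hardened form. It is not Langflow's `upload_user_file` code and assumes nothing about how `/api/v2/files` is implemented; the function and directory names are illustrative. The hardened version rejects any filename carrying a directory separator or failing a character allow-list, then re-checks that the resolved path is a direct child of the upload root, which also catches a pre-planted symlink inside that directory.

```python
import re
import tempfile
from pathlib import Path

# Added illustration of CWE-22 in a generic upload sink. This is NOT Langflow's
# code and makes no claim about how the real endpoint handles filenames.

# Allow-list: leading alphanumeric (blocks '.', '..' and dotfiles), then a
# conservative set of characters; no '%', no whitespace, no separators.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def naive_upload_path(upload_dir: Path, filename: str) -> Path:
    """The weak pattern the CWE entry describes: the client-supplied name is
    joined as-is, so '..' segments are honoured and the result may resolve
    anywhere the process can write."""
    return (upload_dir / filename).resolve()


def safe_upload_path(upload_dir: Path, filename: str) -> Path:
    """Hardened replacement: reject (rather than silently clean) anything that
    is not a plain file name, then re-check the resolved path."""
    if "/" in filename or "\\" in filename:
        raise ValueError(f"directory separators not allowed: {filename!r}")
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError(f"filename fails allow-list: {filename!r}")
    base = upload_dir.resolve()
    target = (base / filename).resolve()
    # Defence in depth: the final path must be a direct child of the upload
    # root; resolve() follows symlinks, so a planted link is caught here.
    if target.parent != base:
        raise ValueError(f"path escapes upload root: {filename!r}")
    return target


def write_upload(upload_dir: Path, filename: str, data: bytes) -> Path:
    """Validate first, then create the file without clobbering an existing one."""
    target = safe_upload_path(upload_dir, filename)
    upload_dir.mkdir(parents=True, exist_ok=True)
    with open(target, "xb") as fh:  # 'x': fail if the file already exists
        fh.write(data)
    return target


def is_rejected(filename: str, upload_dir: str = "uploads") -> bool:
    """Convenience predicate: does the hardened check refuse this name?"""
    try:
        safe_upload_path(Path(upload_dir), filename)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Run both variants against a throw-away directory and report the outcome."""
    root = Path(tempfile.mkdtemp(prefix="cwe22-demo-"))
    upload_dir = root / "uploads"
    naive = naive_upload_path(upload_dir, "../escaped.txt")
    written = write_upload(upload_dir, "report.csv", b"id,name\n1,demo\n")
    # Constructed probe names: all but the last should be refused.
    attempts = ["../escaped.txt", "..\\escaped.txt", "/tmp/escaped.txt",
                "..", ".env", "a%2e%2e%2fb", "", "notes..txt"]
    return {
        "naive_target": str(naive),
        "naive_escapes": upload_dir.resolve() not in naive.parents,
        "safe_target": str(written),
        "safe_inside": written.parent == upload_dir.resolve(),
        "rejected": [name for name in attempts if is_rejected(name)],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The naive join lands one level above the upload directory, while the hardened path refuses every probe name except `notes..txt`, which is a legitimate file name. Rejecting instead of normalising also gives the application a clear event to log, which feeds the monitoring step above.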
How can this vulnerability impact me?
This vulnerability allows an attacker to write files to arbitrary locations on the server filesystem.
Such an ability can lead to full compromise of confidentiality, integrity, and availability of the affected system.
It can be exploited for remote code execution or other malicious activities, posing a high risk to the system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an attacker to write files to arbitrary locations on the filesystem, potentially leading to full compromise of confidentiality, integrity, and availability of the affected system.
Such a compromise can result in unauthorized access to sensitive data, disruption of services, and manipulation or destruction of data, which may violate requirements set by common standards and regulations like GDPR and HIPAA that mandate protection of personal and sensitive information.
Therefore, this vulnerability poses a significant risk to compliance with these regulations due to the potential exposure and loss of protected data.