CVE-2026-55446
Status: Awaiting Analysis (queue)
Denial of Service in Langflow via Malicious File Upload

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.0.19, an attacker can send a /api/v1/files/upload/ request without any authentication token/cookies and abuse a very long multipart form boundary to make the langflow app unusable for all users for an indefinite amount of time. This vulnerability is fixed in 1.0.19.
Meta Information
Generated: 2026-06-23
AI Q&A: 2026-06-23
EPSS Evaluated: N/A
External records: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: langflow-ai | Product: langflow | Version / Range: all versions before 1.0.19 (1.0.19 itself excluded)
Helpful Resources
CWE-400 (Uncontrolled Resource Consumption): The product does not properly control the allocation and maintenance of a limited resource.
AI Quick Actions (the sections below are AI-generated summaries of the record)
Executive Summary

CVE-2026-55446 is an unauthenticated denial-of-service vulnerability (CWE-400, uncontrolled resource consumption) in Langflow before 1.0.19. An attacker sends a single crafted POST request to the /api/v1/files/upload/ endpoint and the application stops serving every user.

The request needs no authentication token, cookie or valid flow ID. What makes it harmful is the multipart form boundary in the Content-Type header, which the reported proof of concept inflates to roughly 1,000,000 hyphens, far beyond the 70-character maximum that RFC 2046 allows for a boundary.

Because the vulnerable versions process the upload before checking authentication and do not validate the boundary, handling the malformed request consumes enough resources to leave the application unresponsive indefinitely, not just for the duration of the request.

According to the advisory summary, version 1.0.19 fixes this by checking authentication before an upload is processed and by validating the multipart boundary in middleware.

Impact Analysis

The effect is loss of availability: the Langflow application becomes unusable for all users, and the advisory describes the outage as lasting indefinitely rather than ending when the malicious request does, so operators should expect to restart the service to recover.

Because the endpoint is reachable without credentials, anyone who can reach the Langflow HTTP port can trigger it; no account, token or knowledge of a flow ID is required, and the advisory describes one request as sufficient. Confidentiality and integrity are not affected directly, but every agent or workflow served by the instance is down for the duration.

Detection Guidance

Exploitation looks like a POST to /api/v1/files/upload/ whose Content-Type header carries a multipart form boundary far longer than the 70 characters RFC 2046 permits (the reported proof of concept uses roughly 1,000,000 hyphens), sent without an authentication token or cookie and typically without a valid flow ID.

Two practical caveats before looking for it: the Content-Type header is not part of a standard access log (nginx and Apache combined format, uvicorn's default request logging), so the header must be logged explicitly at the proxy or observed on the wire; and wire inspection only sees plaintext, so capture before TLS termination or on the proxy-to-backend hop.

Command-line tools such as tcpdump and curl, combined with grep, are enough for a first look:

  • Capture HTTP traffic to the endpoint with tcpdump. The filter below keeps only packets that carry a TCP payload; it is written for port 80, and Langflow listens on 7860 by default, so set the port to match your deployment. The -l flag line-buffers the output so grep shows matches promptly, and -A 10 prints the header lines that follow the request line, which is where the boundary appears:
    tcpdump -l -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -A 10 '/api/v1/files/upload/'
  • Use curl to confirm that a fix is in place by sending a POST with a very long boundary string. Run this only against an instance you own and can restart, because a vulnerable target will stop serving all users:
    curl -X POST http://<target>/api/v1/files/upload/ -H 'Content-Type: multipart/form-data; boundary=--------------------<very_long_string>' --data-binary @payload

On the log side, alert on any unauthenticated POST to this endpoint with an abnormal boundary length rather than on a repetition threshold: the advisory describes a single request as sufficient to take the application down.
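A rule that implements this guidance over log data, as an added example (not code from this page or from the Langflow project): it extracts the boundary from the Content-Type value, compares it with the 70-character maximum RFC 2046 sets for boundaries, and runs over a few constructed JSON-lines proxy log entries. The log format, the IP addresses, the flow ID and the authorization field are assumptions; standard access logs do not include Content-Type, so the proxy has to be configured to log it.

```python
"""Spot oversize multipart boundaries on the Langflow upload path (added example)."""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# RFC 2046 section 5.1.1 caps a multipart boundary at 70 characters; a boundary
# longer than that on the upload path is the signature this advisory describes.
MAX_BOUNDARY_LEN = 70
UPLOAD_PREFIX = "/api/v1/files/upload/"

# Matches the boundary parameter in a Content-Type value, quoted or bare.
BOUNDARY_RE = re.compile(r'boundary=(?:"([^"]*)"|([^;\s]*))', re.IGNORECASE)


def parse_boundary(content_type: str) -> str | None:
    """Return the boundary parameter of a Content-Type header, or None if absent."""
    m = BOUNDARY_RE.search(content_type or "")
    if m is None:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


@dataclass
class Finding:
    src: str
    path: str
    boundary_len: int
    authenticated: bool
    reason: str


def classify(rec: dict) -> Finding | None:
    """Apply the rule to one parsed request record; None means nothing suspicious."""
    if rec.get("method") != "POST" or not rec.get("path", "").startswith(UPLOAD_PREFIX):
        return None
    ctype = rec.get("content_type", "")
    if not ctype.lower().startswith("multipart/form-data"):
        return None
    boundary = parse_boundary(ctype)
    # Assumption: the proxy logs whether an Authorization header was present;
    # adapt this to the token or cookie scheme your deployment actually uses.
    authenticated = bool(rec.get("authorization"))
    if not boundary:
        reason = "multipart request without a boundary parameter"
    elif len(boundary) > MAX_BOUNDARY_LEN:
        reason = f"boundary of {len(boundary)} chars exceeds the RFC 2046 limit of {MAX_BOUNDARY_LEN}"
    else:
        return None
    if not authenticated:
        reason += "; sent without credentials"
    return Finding(rec.get("src", "?"), rec["path"], len(boundary or ""), authenticated, reason)


def scan(lines: list[str]) -> list[Finding]:
    """Run classify() over JSON-lines proxy log entries, skipping unparseable lines."""
    findings = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        f = classify(rec)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample log: JSON lines from a reverse proxy configured to record
# the request Content-Type and whether Authorization was present. None of these
# lines come from a real system.
def _line(**fields: object) -> str:
    return json.dumps(fields)


SAMPLE_LOG = [
    _line(src="198.51.100.20", method="POST", path="/api/v1/files/upload/3f1c9a",
          content_type="multipart/form-data; boundary=----WebKitFormBoundaryx7Rq2aB9",
          authorization="Bearer <redacted>"),
    _line(src="203.0.113.7", method="POST", path="/api/v1/files/upload/",
          content_type="multipart/form-data; boundary=" + "-" * 1_000_000,
          authorization=""),
    _line(src="203.0.113.7", method="POST", path="/api/v1/files/upload/",
          content_type="multipart/form-data; boundary=" + "-" * 200,
          authorization=""),
    _line(src="198.51.100.21", method="GET", path="/api/v1/flows/",
          content_type="", authorization="Bearer <redacted>"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.src} {f.path} boundary_len={f.boundary_len} "
              f"authenticated={f.authenticated}: {f.reason}")
```

The rule flags the million-hyphen proof of concept and the much shorter 200-character variant alike, because the decision is made against the protocol limit rather than against the size seen in one report; a boundary that is merely unusual but within 70 characters is left alone, which keeps ordinary browser uploads (WebKitFormBoundary and friends) out of the alert stream.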

Mitigation Strategies

The immediate mitigation is to upgrade Langflow to 1.0.19 or later. According to the advisory summary, that release checks authentication before a file upload is processed and validates the multipart form boundary, so the malformed request is rejected before it can exhaust resources.

If upgrading is not immediately possible, reduce exposure at the network edge: do not expose Langflow's HTTP port directly, and front it with a reverse proxy that rate-limits or blocks unauthenticated requests to /api/v1/files/upload/. Most reverse proxies already cap header line length (nginx, for example, answers 400 to a header field larger than one of its large_client_header_buffers, 8k by default), so a proxy at default settings stops the million-hyphen variant outright; a boundary that fits under that cap but still exceeds the 70 characters RFC 2046 permits needs an explicit rule, and the 1.0.19 upgrade remains the real fix.

Keep monitoring and alerting on POST requests to the endpoint with abnormally long multipart boundaries, so that exploitation attempts are noticed even where they are blocked.
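The interim protection described above, as an added example rather than Langflow's own fix: a dependency-free ASGI middleware that answers bad requests to the upload path from the headers alone and never calls receive(), so no oversized multipart body is ever parsed. The check on the presence of an Authorization header is a placeholder assumption for the deployment's real token or cookie validation, the simulate() helper and the requests it builds are constructed for the example, and the downstream handler is a stand-in for the real upload route.

```python
"""Header-only guard for the upload path as a plain ASGI middleware (added example)."""
from __future__ import annotations

import asyncio
import re

MAX_BOUNDARY_LEN = 70            # RFC 2046 section 5.1.1
UPLOAD_PREFIX = "/api/v1/files/upload/"
BOUNDARY_RE = re.compile(rb'boundary=(?:"([^"]*)"|([^;\s]*))', re.IGNORECASE)
REASONS = {400: b"invalid multipart boundary", 401: b"authentication required"}


def _header(scope: dict, name: bytes) -> bytes:
    """Fetch one header value from an ASGI scope (header names are lowercase bytes)."""
    for key, value in scope.get("headers", []):
        if key.lower() == name:
            return value
    return b""


def check_upload(scope: dict) -> int:
    """Return 0 to let a request through, or the HTTP status to reject it with.

    Only headers are inspected; the body is never requested. Authentication is
    checked first and the boundary second, the order the advisory summary
    attributes to the 1.0.19 fix.
    """
    if scope.get("method") != "POST":
        return 0
    # Assumption: presence of an Authorization header stands in for the real
    # token/cookie validation Langflow performs; wire the real check in here.
    if not _header(scope, b"authorization"):
        return 401
    m = BOUNDARY_RE.search(_header(scope, b"content-type"))
    if m is None:
        return 400
    boundary = m.group(1) if m.group(1) is not None else m.group(2)
    if not boundary or len(boundary) > MAX_BOUNDARY_LEN:
        return 400
    return 0


async def _reply(send, status: int, body: bytes) -> None:
    await send({"type": "http.response.start", "status": status,
                "headers": [(b"content-type", b"text/plain")]})
    await send({"type": "http.response.body", "body": body})


def upload_guard(app):
    """Wrap any ASGI app so bad upload requests are answered before the body is read."""
    async def guarded(scope, receive, send):
        if scope["type"] == "http" and scope.get("path", "").startswith(UPLOAD_PREFIX):
            status = check_upload(scope)
            if status:
                await _reply(send, status, REASONS[status])
                return
        await app(scope, receive, send)
    return guarded


async def downstream(scope, receive, send):
    """Stand-in for the real handler: it consumes the body, which is exactly
    the work the guard must prevent for rejected requests."""
    await receive()
    await _reply(send, 200, b"stored")


def simulate(method: str, path: str, headers: dict[str, str]) -> tuple[int, bool]:
    """Drive the guarded app with a constructed request; return (status, body_was_read)."""
    scope = {"type": "http", "method": method, "path": path,
             "headers": [(k.lower().encode(), v.encode()) for k, v in headers.items()]}
    body_read = False
    sent: list[dict] = []

    async def receive():
        nonlocal body_read
        body_read = True
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    asyncio.run(upload_guard(downstream)(scope, receive, send))
    status = next(m["status"] for m in sent if m["type"] == "http.response.start")
    return status, body_read


if __name__ == "__main__":
    huge = "multipart/form-data; boundary=" + "-" * 1_000_000   # constructed, PoC-style header
    ok = "multipart/form-data; boundary=----WebKitFormBoundaryx7Rq2aB9"
    print(simulate("POST", "/api/v1/files/upload/3f1c9a", {"Authorization": "Bearer t", "Content-Type": ok}))
    print(simulate("POST", "/api/v1/files/upload/", {"Content-Type": huge}))
    print(simulate("POST", "/api/v1/files/upload/", {"Authorization": "Bearer t", "Content-Type": huge}))
```

The guard can be wrapped around any ASGI application, including the one Langflow serves, until the upgrade lands; it does not replace the upgrade, because the server still has to receive and buffer the oversized header line before the middleware runs, which is why the reverse-proxy header cap mentioned above is the better first line of defence.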

Compliance Impact

This vulnerability affects availability only: an unauthenticated attacker can render the Langflow application unusable for all users indefinitely with malformed file upload requests. It does not by itself expose or alter data.

Availability is nonetheless a compliance concern where the instance processes regulated data. GDPR Article 32 lists the ability to ensure the ongoing availability and resilience of processing systems among the required security measures, and the HIPAA Security Rule requires covered entities to ensure the availability of electronic protected health information, so an outage caused by this vulnerability in a system that handles personal or health data can count against those obligations.
