CVE-2026-55447
Path Traversal in Langflow Prior to 1.9.2

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.2, by controlling the files that are ingested into the RAG, an attacker can direct the node to read any file on the file system by absolute path. All components based on BaseFileComponent are affected. This includes Docling (DoclingInlineComponent), Docling Serve (DoclingRemoteComponent), Read File (FileComponent), NVIDIA Retriever Extraction (NvidiaIngestComponent), Video File (VideoFileComponent), and Unstructured API (UnstructuredComponent). This vulnerability is fixed in 1.9.2.
Meta Information
Published
2026-06-23
Last Modified
2026-06-23
Generated
2026-06-23
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
langflow-ai langflow to 1.9.2 (exc)
langflow-ai docling to 1.9.2 (exc)
langflow-ai read_file to 1.9.2 (exc)
nvidia nvidia_ingest to 1.9.2 (exc)
langflow-ai video_file to 1.9.2 (exc)
langflow-ai unstructured to 1.9.2 (exc)
CWE ID Description
CWE-61 The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Executive Summary

CVE-2026-55447 is a critical vulnerability in Langflow versions prior to 1.9.2 that allows an attacker to read arbitrary files on the file system by exploiting symbolic links in malicious TAR archives. The vulnerability exists in multiple components based on BaseFileComponent, such as Read File, Docling, Video File, and others.

The issue arises because the TAR extraction routine does not reject symlink or hardlink members, so an attacker can craft a TAR file whose symlink points at a sensitive file such as Langflow's JWT secret key. When the extracted "file" is then read by the component, the target of the link is returned instead.

This vulnerability enables a two-stage attack: first, stealing the JWT secret key to bypass authentication, and second, using a Python interpreter node to execute arbitrary code on the server. The exploit requires minimal user interaction and no special privileges.

The vulnerability was fixed in version 1.9.2 by blocking symlinks and hardlinks during TAR extraction and adding additional defensive checks.

Impact Analysis

This vulnerability can have severe impacts including unauthorized access to sensitive files on the server, such as secret keys used for authentication.

An attacker can steal the JWT secret key, allowing them to forge authentication tokens and gain administrative access.

With administrative access, the attacker can execute arbitrary code remotely on the server via a Python interpreter node, potentially leading to full system compromise.

The exploit requires minimal user interaction and no special privileges, making it highly dangerous and easy to exploit.

Overall, this vulnerability threatens confidentiality, integrity, and availability of the affected system.

Detection Guidance

This vulnerability can be detected by checking if your Langflow installation is running a version prior to 1.9.2, as all versions before this are vulnerable.

Additionally, detection involves inspecting TAR files uploaded to or processed by Langflow components for symbolic links or hard links whose targets lie outside the intended extraction directory.

You can manually inspect TAR files for symlinks using commands like:

  • tar -tvf suspicious_archive.tar | grep '^l' # Lists symbolic links in the archive
  • tar -tvf suspicious_archive.tar | grep -E '^(l|h)' # Lists symbolic and hard links

Monitoring for unexpected file reads or accesses to sensitive files such as Langflow's JWT secret key (~/.langflow/secret_key) may also indicate exploitation attempts.

Reviewing logs for unusual TAR file uploads or suspicious activity involving the affected components (FileComponent, DoclingInline/Remote, NvidiaIngest, VideoFile, Unstructured) can help detect exploitation.

Mitigation Strategies

The immediate and most effective mitigation is to upgrade Langflow to version 1.9.2 or later, where the vulnerability is fixed.

The fix in version 1.9.2 blocks symlinks and hardlinks during TAR file extraction and adds defensive checks to prevent arbitrary file reads and remote code execution.

Until you can upgrade, avoid processing or uploading TAR files from untrusted sources, especially those that may contain symbolic or hard links.

Implement monitoring and alerting for suspicious file extraction activities and access to sensitive files like the JWT secret key.

Consider restricting user permissions and network access to limit the impact of potential exploitation.
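The check that the Detection Guidance and Mitigation sections describe, as an added example that is not Langflow's own code: every member of a TAR archive is classified before anything is extracted, and any symlink, hardlink, special file, absolute path or ".." segment causes the whole archive to be refused. The sample archive and its "/placeholder/path/to/secret_key" link target are constructed here for illustration.

```python
import io
import tarfile


def find_unsafe_members(archive_bytes: bytes) -> list[str]:
    """Return one finding per member that must not be extracted
    (symlinks, hardlinks, special files, absolute or '..' paths).
    An empty list means the archive only holds plain files/dirs."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            if m.issym():
                findings.append(f"symlink {m.name} -> {m.linkname}")
            elif m.islnk():
                findings.append(f"hardlink {m.name} -> {m.linkname}")
            elif not (m.isfile() or m.isdir()):
                findings.append(f"special file {m.name}")
            # Classic traversal: absolute member names or any '..' segment.
            if m.name.startswith("/") or ".." in m.name.split("/"):
                findings.append(f"traversal path {m.name}")
    return findings


def safe_extract(archive_bytes: bytes, dest: str) -> list[str]:
    """Extract into dest only if every member passed the check above;
    raises ValueError otherwise. Returns the extracted member names."""
    problems = find_unsafe_members(archive_bytes)
    if problems:
        raise ValueError("refusing to extract: " + "; ".join(problems))
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        tar.extractall(dest)
        return [m.name for m in tar.getmembers()]


def build_sample_archive(malicious: bool) -> bytes:
    """Constructed test input: one benign text file, plus (if malicious)
    a symlink member whose target is a placeholder secret path."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"hello RAG\n"
        info = tarfile.TarInfo("docs/notes.txt")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
        if malicious:
            link = tarfile.TarInfo("docs/secret_key")
            link.type = tarfile.SYMTYPE
            link.linkname = "/placeholder/path/to/secret_key"
            tar.addfile(link)
    return buf.getvalue()
```

On Python 3.12 and later, tarfile's extractall(filter="data") refuses links that point outside the destination and device files, but the explicit pre-check above rejects every link type and also works on older interpreters.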

Compliance Impact

This vulnerability allows unauthorized access to sensitive files on the file system, including secret keys used for authentication, which can lead to data breaches and unauthorized remote code execution.

Such unauthorized access and potential data exposure can violate data protection requirements in common standards and regulations like GDPR and HIPAA, which mandate strict controls over access to sensitive and personal data.

Because the vulnerability enables attackers to steal authentication secrets and execute arbitrary code, it poses a significant risk to confidentiality, integrity, and availability of data, all of which are critical compliance factors.

Organizations using vulnerable versions of Langflow prior to 1.9.2 may fail to meet these regulatory requirements unless they apply the patch and mitigate the risk promptly.
