Langflow RCE Flaw Exposes 7,000 AI Instances
Key insights
- CVE-2026-5027 exploits a filename sanitization failure in Langflow's file upload endpoint, enabling arbitrary filesystem writes without authentication.
- Langflow's default unauthenticated auto-login means roughly 7,000 publicly exposed instances are reachable by attackers with no credentials required.
- Tenable disclosed publicly on March 27, 2026 after three failed contact attempts in January-February 2026, and no patch has been released.
Why this matters
Langflow is a widely used open-source platform for building AI agent applications, so a working unauthenticated RCE against roughly 7,000 publicly exposed instances means attackers can execute arbitrary code on AI development infrastructure with no patch in sight. The three-month gap between Tenable's public disclosure on March 27, 2026 and no available fix as of June 2026 reveals a maintainer-response failure that extends confirmed active exploitation indefinitely. MuddyWater, an Iranian state-sponsored group, already weaponized a related Langflow vulnerability (CVE-2025-34291), confirming the platform is actively targeted by state-sponsored actors beyond opportunistic scanning.
Summary
An unpatched path traversal flaw in Langflow is actively exploited against roughly 7,000 publicly exposed instances, most in North America.
CVE-2026-5027 (CVSS 8.8) targets the POST /api/v2/files endpoint, which fails to sanitize filenames in multipart form data, letting attackers write files anywhere on the filesystem via path traversal. Langflow's default auto-login removes all authentication barriers, giving unauthenticated attackers direct access and enabling remote code execution.
Essentially: (Langflow, Tenable) -- high-severity RCE, no patch available.
- Tenable made three contact attempts in January-February 2026; public disclosure came March 27, 2026.
- Current attacks write test files to victim systems, consistent with active reconnaissance before deeper exploitation.
- MuddyWater, an Iranian state-sponsored group, already weaponized a related flaw, CVE-2025-34291.
No fix is available; the 7,000 exposed instances depend entirely on manual hardening.
Potential risks and opportunities
Risks
- Organizations running Langflow for AI agent development have no patch available as of June 2026, leaving roughly 7,000 reachable instances exposed to unauthenticated RCE indefinitely.
- MuddyWater, which already weaponized CVE-2025-34291, now has a clear path to exploit CVE-2026-5027 for deeper persistence within previously targeted networks.
- Active attacker reconnaissance via test-file writes could escalate to full RCE payloads across the 7,000 North America-heavy exposed instances before any patch ships.
Opportunities
- Tenable, having discovered and publicly disclosed CVE-2026-5027, is positioned to expand its AI dev toolchain security practice as enterprise demand for AI-specific vulnerability research grows.
- Security teams can use this incident as direct justification for network segmentation policies that isolate AI development platforms from production infrastructure.
- Managed AI workflow platforms that enforce authentication by default gain concrete competitive differentiation against self-hosted Langflow in enterprise security evaluations.
What we don't know yet
- Whether Langflow maintainers have committed to a patch timeline as of June 2026, more than two months after public disclosure on March 27, 2026
- What capabilities attackers are establishing beyond the test-file writes Tenable observed, and whether any confirmed intrusions have been attributed to CVE-2026-5027 specifically
- Whether the approximately 7,000 exposed instance count includes cloud-hosted Langflow deployments or only self-hosted instances accessible via public IP
Originally reported by thehackernews.com
Read the original article →Original headline: Unpatched Langflow CVE-2026-5027 (CVSS 8.8) Enables Unauthenticated RCE on AI Dev Platform — 7,000 Exposed Instances Being Actively Exploited