CVE-2026-42048

CRITICAL SEVERITY

CVSS Score & Metrics

Base Score

9.6 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H                                    

Vulnerability Description

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.0, Langflow is vulnerable to Path Traversal in the Knowledge Bases API (DELETE /api/v1/knowledge_bases). This occurs because user-supplied knowledge base names are concatenated directly into file paths without proper sanitization or boundary validation. An authenticated attacker can exploit this flaw to delete arbitrary directories anywhere on the server's filesystem, leading to data loss and potential service disruption. This vulnerability is fixed in 1.9.0.

Vulnerability Details

Published Date

May 05, 2026

Last Modified

May 14, 2026

CWE ID

CWE-22

Source

GitHub

Vendor

pip

Product

langflow

External References

https://github.com/langflow-ai/langflow/security/advisories/GHSA-9whx-c884-c68q
https://github.com/advisories/GHSA-9whx-c884-c68q

CVE-2026-42048

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment