Attackers are actively exploiting CVE-2026-5027, a high-severity path traversal vulnerability in the AI development platform Langflow, to write arbitrary files on exposed servers.

Langflow is an open-source visual platform for building AI applications, AI agents, Retrieval-Augmented Generation (RAG) systems, and MCP-based workflows using a drag-and-drop interface instead of traditional coding.

AI development teams widely use the project, and it has accumulated more than 149,000 stars and 9,200 forks on GitHub.

CVE-2026-5027 is a high-severity path traversal flaw in Langflow's file upload functionality that fails to properly sanitize user-supplied filenames.

"The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences ('../')," explains Tenable, which discovered the flaw at the start of the year.
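The weakness Tenable describes is the classic one: a client-controlled multipart `filename` is joined onto an upload directory without being reduced to a single safe path component, so `../` sequences walk out of that directory. The following illustration, added here and not taken from Langflow's code or its patch, shows the weak join beside a fail-closed validator and a containment check a defender can run over candidate paths. The upload directory `/srv/uploads` and the sample filenames are constructed for the demonstration.

```python
"""Fail-closed handling of a client-supplied multipart 'filename' before it is
joined onto an upload directory. Added illustration: this is NOT Langflow's code
and does not reproduce the project's patch; the upload directory and the
sample names are assumptions made for the example."""
import re
from pathlib import Path

# Allow-list for an upload name: one path component, no leading dot, bounded length.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def naive_upload_path(upload_dir: str, filename: str) -> Path:
    """The weak pattern the advisory describes: the raw filename is joined
    onto the upload directory, so '../' sequences walk out of it."""
    return Path(upload_dir) / filename


def escapes_upload_dir(upload_dir: str, candidate: Path) -> bool:
    """Containment check: True when the normalized path is not a descendant
    of upload_dir. resolve() collapses '..' without needing the path to exist."""
    base = Path(upload_dir).resolve()
    target = candidate.resolve()
    return base not in target.parents


def validate_filename(filename: str) -> str:
    """Accept only a single safe path component; raise ValueError otherwise.
    Rejecting (rather than stripping) traversal input keeps the handler from
    silently writing an attacker-chosen basename somewhere unexpected."""
    if not filename or "\x00" in filename:
        raise ValueError("empty filename or embedded NUL byte")
    # Both separators: a backslash is a path separator on Windows hosts.
    if "/" in filename or "\\" in filename:
        raise ValueError("directory separators are not allowed in an upload filename")
    if not _SAFE_NAME.fullmatch(filename):
        raise ValueError(f"filename rejected by allow-list: {filename!r}")
    return filename


def is_safe_filename(filename: str) -> bool:
    """Boolean wrapper around validate_filename for callers that prefer no exceptions."""
    try:
        validate_filename(filename)
        return True
    except ValueError:
        return False


def safe_upload_path(upload_dir: str, filename: str) -> Path:
    """Hardened version: validate the name, then re-check containment of the
    final path as defence in depth (covers symlinked or oddly configured dirs)."""
    base = Path(upload_dir).resolve()
    target = (base / validate_filename(filename)).resolve()
    if target.parent != base:
        raise ValueError("resolved upload path left the upload directory")
    return target


if __name__ == "__main__":
    # Constructed sample filenames of the kind a multipart request could carry.
    # (The backslash sample only escapes on Windows; the validator rejects it everywhere.)
    samples = ["report.pdf", "../../etc/passwd", "..\\..\\win.ini", "..", ".env"]
    for name in samples:
        naive = naive_upload_path("/srv/uploads", name)
        print(f"{name!r:22} naive escapes={escapes_upload_dir('/srv/uploads', naive)!s:5} "
              f"hardened accepts={is_safe_filename(name)}")
```

The containment check is also useful on its own when reviewing an existing handler: feed it the paths the handler would write and flag any that resolve outside the upload root. Validating the name and then re-checking the resolved path are deliberately both kept, since either alone has failed in real code bases.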