CVE-2026-55450

CRITICAL EPSS 22.7%
Published Jun 23, 20266d ago · Modified Jun 24, 20265d ago
9.3 CVSS 3.1
Critical
Find Similar
Published Jun 23, 2026 6d ago
Last Modified Jun 24, 2026 5d ago

Description

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.1, unauthenticated users can upload any amount of data to the server without any limitations. No need for any prior knowledge, only network access to Langflow. This can lead to space exhaustion on the server. In addition, in the response, the absolute path of the uploaded file is reported to the attacker, which is an information leak that can assist in chaining other primitives. This vulnerability is fixed in 1.9.1.

CVSS Details

Base Score
9.3
Exploitability
3.9
Impact
4.7
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Changed
Confidentiality Low
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
22.7% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 3

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor Information Exposure
CWE-306 Missing Authentication for Critical Function Authentication
CWE-400 Uncontrolled Resource Consumption Resource Mgmt

Affected Products 1

VendorProductVersionRange
langflowlangflow* <1.9.1

References 2

  • github.com https://github.com/langflow-ai/langflow/pull/12831
    Issue TrackingPatch
  • github.com https://github.com/langflow-ai/langflow/security/advisories/GHSA-x223-p2gf-v735
    ExploitPatchVendor Advisory

Remediation

  • github.com https://github.com/langflow-ai/langflow/pull/12831
    Issue TrackingPatch
  • github.com https://github.com/langflow-ai/langflow/security/advisories/GHSA-x223-p2gf-v735
    ExploitPatchVendor Advisory