Langflow path traversal flaw (CVE-2026-5027)
Vulnerability
Summary
Langflow's CVE-2026-5027 is an unpatched path traversal vulnerability that is being actively exploited in the wild. The flaw lets an attacker write files to arbitrary locations and can lead to unauthenticated remote code execution. Exposure is especially concerning because unauthenticated auto-login is enabled by default and roughly 7,000 instances are publicly exposed.
Related Happenings
Langflow and Trend Micro Apex One exploited flaws (multiple vulnerabilities)
Vulnerability
H score: 44
First: 22.05.2026 08:47
Last: 22.05.2026 08:47
Sources: 1
About this happening:
**CISA** added **CVE-2025-34291** in **Langflow** and **CVE-2026-34926** in **Trend Micro Apex One** to the **KEV catalog** after evidence of **active exploitation**. The Langflow...
Langflow missing-authentication code-injection flaw (CVE-2026-33017)
Vulnerability
H score: 61
First: 20.03.2026 17:15
Last: 20.03.2026 17:15
Sources: 1
About this happening:
**Langflow**'s **CVE-2026-33017** was **actively exploited within 20 hours** of disclosure, creating **unauthenticated remote code execution** risk for exposed servers. The flaw c...
XWiki cryptocurrency miner deployment via two-pass exploitation
Malware Activity
H score: 47
First: 29.10.2025 12:53
Last: 29.10.2025 12:53
Sources: 1
About this happening:
The **XWiki** exploit activity is now installing a **cryptocurrency miner**, turning **CVE-2025-24893** abuse into direct resource theft on exposed servers. Attackers are using a...
Timeline
- 10.06.2026 18:00 · 2 articles · 2h ago
Active exploitation targets Langflow CVE-2026-5027
Exploitation Observed: VulnCheck reported on June 10, 2026 that CVE-2026-5027 in Langflow was being actively exploited in the wild, with exploitation efforts appearing to write test files on victim systems. The same reporting said Langflow enables unauthenticated auto-login by default, allowing a single unauthenticated request to reach the vulnerable endpoint, and noted about 7,000 publicly exposed Langflow instances, mostly in North America.
Sources:
- Unpatched Langflow Flaw CVE-2026-5027 Exploited for Unauthenticated RCE — thehackernews.com — 10.06.2026 18:00
- 27.03.2026 02:00 · 1 article · 2mo ago
Tenable discloses Langflow CVE-2026-5027 path traversal flaw
Initial Disclosure: Tenable disclosed CVE-2026-5027 in Langflow on March 27, 2026, describing a path traversal issue in the POST /api/v2/files endpoint that fails to sanitize the filename parameter and can let an attacker write files to arbitrary filesystem locations using ../ sequences.
Sources:
- Unpatched Langflow Flaw CVE-2026-5027 Exploited for Unauthenticated RCE — thehackernews.com — 10.06.2026 18:00
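The class of bug in the Tenable disclosure, a client-supplied filename joined into a storage path unchecked, is shown below next to a hardened form. This is an added example, not Langflow's code or code from the cited reporting. `naive_destination`, `safe_destination`, `UnsafeFilename` and the upload root are hypothetical names.

```python
import os
from pathlib import Path


class UnsafeFilename(ValueError):
    """Raised when a client-supplied filename would escape the upload root."""


def naive_destination(upload_root: Path, filename: str) -> Path:
    # Unsafe pattern: the client string is joined verbatim, so "../" segments
    # or an absolute path decide where the write lands.
    return Path(os.path.normpath(upload_root / filename))


def safe_destination(upload_root: Path, filename: str) -> Path:
    # Step 1: accept only a bare file name, never a path.
    if not filename or "\x00" in filename:
        raise UnsafeFilename("empty name or NUL byte")
    # Treat both separator styles as separators, whatever the host OS is.
    leaf = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if leaf != filename or leaf in {".", ".."}:
        raise UnsafeFilename(f"path components not allowed: {filename!r}")
    # Step 2: resolve symlinks, then confirm the result is still inside the
    # root. This catches a pre-existing symlink that points elsewhere.
    root = upload_root.resolve()
    candidate = (root / leaf).resolve()
    if not candidate.is_relative_to(root):  # Python 3.9+
        raise UnsafeFilename(f"resolves outside upload root: {filename!r}")
    return candidate


if __name__ == "__main__":
    root = Path("/srv/uploads")  # constructed sample root
    for name in ["report.csv", "../../outside.txt", "/tmp/abs.txt"]:
        try:
            verdict = str(safe_destination(root, name))
        except UnsafeFilename as exc:
            verdict = f"rejected ({exc})"
        print(f"{name!r}: naive={naive_destination(root, name)} safe={verdict}")
```

Rejecting the name outright, rather than silently stripping `../`, also leaves a clear event to log and alert on.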