Path Traversal Vulnerability in Langflow AI Tool by Langflow
CVE-2026-42048

9.6CRITICAL

Key Information:

Vendor: Langflow-ai
Status: Langflow
Vendor: CVE Published:; 12 May 2026

🔔 Create Langflow-ai Vulnerability Alert

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-42048?

Langflow, a tool designed for creating AI-driven agents and workflows, is affected by a path traversal vulnerability in its Knowledge Bases API (DELETE /api/v1/knowledge_bases). This flaw arises from the failure to properly sanitize and validate user-supplied knowledge base names, which are directly concatenated into file paths. As a result, an authenticated attacker could exploit this vulnerability to delete arbitrary directories on the server's filesystem, causing potential data loss and disruption of services. The issue has been addressed in version 1.9.0.

Affected Version(s)

langflow < 1.9.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-42048
Created by EQSTLab

References

https://github.com/langflow-ai/langflow/security/advisori...

x_refsource_CONFIRM

CVSS V3.1

Score:

9.6

Severity:

CRITICAL

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
May 21, 2026
👾
Exploit known to exist
May 21, 2026
Vulnerability published
May 12, 2026
Vulnerability Reserved
Apr 23, 2026

CVE-2026-42048 Data

JSON