Path Traversal Vulnerability in IBM Langflow Product
CVE-2026-8859

9.9CRITICAL

Key Information:

Vendor

IBM

Vendor
CVE Published:
17 July 2026

What is CVE-2026-8859?

A path traversal vulnerability exists in IBM Langflow OSS versions 1.0.0 through 1.10.0, allowing attackers to write arbitrary files to unintended locations. This is due to inadequate input validation in the APIRequest component, particularly when the 'Save to File' feature is active. Filenames extracted from HTTP response Content-Disposition headers can be manipulated to include path traversal sequences such as '../'. If an attacker controls an external HTTP server, they can exploit this flaw to perform unauthorized file writes to locations that the Langflow process can access.

Affected Version(s)

Langflow OSS 1.0.0 <= 1.10.0

References

CVSS V3.1

Score:
9.9
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Shawn Dong (DongShuaike)
.