Cyber Resilience

CVE-2026-33309

CriticalPublic PoCRCE

Published: 24 March 2026

Published
24 March 2026
Modified
24 March 2026
KEV Added
Patch
CVSS Score v3.1 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0142 69.3th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-33309 is a critical-severity Path Traversal (CWE-22) vulnerability in Langflow Langflow. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 30.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-33309 is a critical vulnerability in Langflow, an open-source tool for building and deploying AI-powered agents and workflows. It represents a bypass of the patch for the prior CVE-2025-68478 (External Control of File Name) in versions 1.2.0 through 1.8.1. The root issue stems from the `LocalStorageService` component, which lacks boundary containment checks in its underlying storage layer and over-relies on the HTTP-layer `ValidatedFileName` dependency for defense-in-depth. This exposes the `POST /api/v2/files/` endpoint to arbitrary file write attacks, as multipart upload filenames can bypass path-parameter guards. Successful exploitation enables attackers to write files to arbitrary locations on the host system, culminating in remote code execution (RCE). The vulnerability is associated with CWEs-22 (Path Traversal), CWE-73 (External Control of File Name or Path), CWE-94 (Code Injection), and CWE-284 (Improper Access Control), with a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

Authenticated attackers with low privileges (PR:L) can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By crafting malicious multipart uploads to the vulnerable endpoint, they bypass filename validation and achieve arbitrary file writes anywhere on the host filesystem. This primitive directly leads to RCE, as attackers can overwrite critical files or deploy malicious executables, potentially granting full system compromise given the changed scope (S:C) and high impacts across confidentiality, integrity, and availability.

The official advisory at https://github.com/langflow-ai/langflow/security/advisories/GHSA-g2j9-7rj2-gm6c details the patch in version 1.9.0, which addresses the bypass by implementing an updated fix for the `LocalStorageService` architectural flaws. Security practitioners should upgrade to Langflow 1.9.0 or later, restrict access to the `/api/v2/files/` endpoint, and audit file upload handling in custom deployments.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Langflow is a tool for building and deploying AI-powered agents and workflows. Versions 1.2.0 through 1.8.1 have a bypass of the patch for CVE-2025-68478 (External Control of File Name), leading to the root architectural issue within `LocalStorageService` remaining unresolved. Because…

more

the underlying storage layer lacks boundary containment checks, the system relies entirely on the HTTP-layer `ValidatedFileName` dependency. This defense-in-depth failure leaves the `POST /api/v2/files/` endpoint vulnerable to Arbitrary File Write. The multipart upload filename bypasses the path-parameter guard, allowing authenticated attackers to write files anywhere on the host system, leading to Remote Code Execution (RCE). Version 1.9.0 contains an updated fix.

CWE(s)

AI Security AnalysisAI

AI Category
LLM Application Platforms
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai, langflow

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Arbitrary file write via unauthenticated-accessible API endpoint in exposed Langflow service directly enables public-facing app exploitation (T1190) and web shell deployment for RCE (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-7524Same product: Langflow Langflow
CVE-2026-33873Same product: Langflow Langflow
CVE-2026-42048Same product: Langflow Langflow
CVE-2026-27966Same product: Langflow Langflow
CVE-2026-33484Same product: Langflow Langflow
CVE-2026-33017Same product: Langflow Langflow
CVE-2026-33497Same product: Langflow Langflow
CVE-2026-21445Same product: Langflow Langflow
CVE-2026-0770Same product: Langflow Langflow
CVE-2025-34291Same product: Langflow Langflow

Affected Assets

langflow
langflow
1.2.0 — 1.9.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Implements input validation and error handling for multipart file upload filenames to prevent path traversal and arbitrary file writes in the POST /api/v2/files/ endpoint.

prevent

Enforces least privilege on the Langflow process to restrict filesystem write locations, limiting the impact of successful arbitrary file writes.

detect

Monitors and verifies integrity of critical system files to detect unauthorized modifications from exploited file writes leading to RCE.

References