CVE-2026-6596
Published: 20 April 2026
Summary
CVE-2026-6596 is a medium-severity Improper Access Control (CWE-284) vulnerability. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 20.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised under LLM Application Platforms, in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-6596 is a vulnerability enabling unrestricted file upload in langflow-ai/langflow versions up to 1.1.0. The issue resides in the create_upload_file function located in src/backend/base/Langflow/api/v1/endpoints.py within the API Endpoint component.
Attackers can exploit this remotely without authentication or user interaction, requiring only low complexity, as reflected in the CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Exploitation allows uploading arbitrary files, resulting in low impacts to confidentiality, integrity, and availability, associated with CWEs 284 (Improper Access Control) and 434 (Unrestricted Upload of File with Dangerous Type).
VulDB advisories indicate the vendor was contacted early for disclosure but provided no response, with no patches or official mitigations available. A public exploit is hosted on GitHub Gist and may be used in attacks.
Because Langflow is an AI workflow tool, this flaw is relevant to AI/ML deployments, and the public exploit raises the risk of real-world abuse against exposed instances.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-23745
Vulnerability details
A security flaw has been discovered in langflow-ai langflow up to 1.1.0. This issue affects the function create_upload_file of the file src/backend/base/Langflow/api/v1/endpoints.py of the component API Endpoint. The manipulation results in unrestricted upload. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
AI Security Analysis
- AI Category: LLM Application Platforms
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai, langflow
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unrestricted file upload in a public-facing API enables remote exploitation of the application (T1190) and direct upload of arbitrary files, including web shells (T1100) or other tools (T1105).
Mitigating Controls (NIST 800-53 r5)
- Enforces approved authorizations on the API endpoint to prevent unauthorized unrestricted file uploads exploiting improper access control (CWE-284).
- Validates inputs to the create_upload_file function to block unrestricted uploads of dangerous file types (CWE-434).
- Requires timely identification, reporting, and remediation of the specific flaw in langflow's API endpoint, including monitoring for patches despite vendor non-response.