Langflow: Unauthenticated file upload leads to DoS (space exhaustion) and...

9.3 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:H

Description

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.1, unauthenticated users can upload any amount of data to the server without any limitations. No need for any prior knowledge, only network access to Langflow. This can lead to space exhaustion on the server. In addition, in the response, the absolute path of the uploaded file is reported to the attacker, which is an information leak that can assist in chaining other primitives. This vulnerability is fixed in 1.9.1.

AI Analysis

Unauthenticated file upload vulnerability leading to space exhaustion and information leak

Basic Information

ID CVE-2026-55450

Source GitHub_M

Published Jun 23, 2026 at 16:17

Modified Jun 23, 2026 at 17:02

Affected Product

Vendor langflow-ai

Product langflow

Version < 1.9.1

Affected Versions langflow-ai langflow < 1.9.1

CWE Classification

CWE-200 CWE-306 CWE-400

AI Assessment

AI Score 9.3 / 10

AI Severity Critical

Vendor Langflow-ai

Product Langflow

Version < 1.9.1

References

{
    "lastseen": "",
    "description": "Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.1, unauthenticated users can upload any amount of data to the server without any limitations. No need for any prior knowledge, only network access to Langflow. This can lead to space exhaustion on the server. In addition, in the response, the absolute path of the uploaded file is reported to the attacker, which is an information leak that can assist in chaining other primitives. This vulnerability is fixed in 1.9.1.",
    "published": "2026-06-23T16:17:52.168Z",
    "modified": "2026-06-23T17:02:55.053Z",
    "type": "cve",
    "title": "Langflow: Unauthenticated file upload leads to DoS (space exhaustion) and information leak",
    "source": "GitHub_M",
    "references": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-x223-p2gf-v735\nhttps://github.com/langflow-ai/langflow/pull/12831",
    "id": "CVE-2026-55450",
    "bulletinFamily": "",
    "cwe": [
        "CWE-200",
        "CWE-306",
        "CWE-400"
    ],
    "cvelist": null,
    "sourceData": "langflow-ai langflow < 1.9.1",
    "sourceHref": "",
    "cvss": {
        "score": 9.3,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "langflow",
    "version": "< 1.9.1",
    "vendor": "langflow-ai",
    "ai_description": "Unauthenticated file upload vulnerability leading to space exhaustion and information leak",
    "ai_severity": "Critical",
    "ai_vendor": "Langflow-ai",
    "ai_product": "Langflow",
    "ai_version": "< 1.9.1",
    "ai_score": 9.3
}

Langflow: Unauthenticated file upload leads to DoS (space exhaustion) and information leak_CVE-2026-55450