External risk intelligence

Attacker can delete files with Langflow Knowledge Bases API

CVE advisory

Severity: CRITICAL (CVSS 9.6)

CVE-2026-42048

An internal attacker with valid login credentials can exploit a flaw in Langflow to delete files from the server. This could lead to permanent data loss and critical service disruptions for the business.

Halo Surface Signal: 3

Weakness: Path Traversal

Product: Langflow

Affected versions: before 1.9.0

External exposure likelihood

Halo Surface Signal score for CVE-2026-42048

The vulnerability affects a web-based API in Langflow, a tool for AI workflows. These applications are often deployed as web services that may be internet-facing to enable remote team access, but they are also frequently restricted to internal networks. Because specific deployment patterns vary widely between internal and external use cases, public reachability is possible rather than standard.

Horizon Alert

Summary of the vulnerability and why it matters

This critical vulnerability in Langflow allows an authenticated user to delete files and directories on the server. Because the tool handles user-provided names directly in file operations, an attacker can bypass intended restrictions. This could lead to significant data loss and disrupt AI-powered services.

  • Can affect any Langflow deployment.
  • Leads to data loss or service disruption.
  • Requires existing access to exploit.

Attack Path

How an attacker could exploit the issue

An authenticated attacker can exploit this path traversal flaw in Langflow to delete arbitrary directories on the server's filesystem. This is achieved by manipulating knowledge base names passed to the Knowledge Bases API, allowing them to control file paths and remove critical data or configuration files. Such an action could lead to significant data loss or disrupt the application's operation.

  • Requires authenticated access.
  • Targets the Knowledge Bases API.
  • Deletes arbitrary directories.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows an authenticated attacker to delete arbitrary directories. While requiring authentication, the ability to impact filesystem integrity makes it a serious threat, especially if Langflow instances are exposed externally. The core issue stems from improper handling of user-supplied names in an API endpoint.

  • Vulnerability is in API.
  • Affects file system deletion.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Teams should immediately patch Langflow to version 1.9.0 or later because of this critical path traversal vulnerability. If patching is not feasible, implement strict access controls and network segmentation to limit exposure of the affected API.

  • Upgrade Langflow to 1.9.0 or later.
  • Restrict API access and monitor for deletion activity.
  • Validate all filesystem paths.
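The "validate all filesystem paths" step above is the fix class for a CWE-22 bug of this shape: a user-supplied knowledge base name must never be joined onto a storage directory and handed to a delete call without being checked. The following is an added example written for this page, not Langflow's own code, and it does not reproduce Langflow's real API or directory layout; the storage root, the allow-list regex and the names used in the demo are all constructed for illustration. It shows the naive join beside a hardened version that allow-lists the name and then confirms the resolved path is still a direct child of the root before anything is removed.

```python
"""Added example (not Langflow's code): validating user-supplied knowledge
base names before they reach a filesystem delete. Every path and name in
this file is constructed for the demonstration."""
import re
import shutil
import tempfile
from pathlib import Path

# Hypothetical allow-list: letters, digits, dash and underscore, 1-64 chars.
# Dots, slashes and empty names never match, so '..' and absolute paths fail here.
KB_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")


class InvalidKnowledgeBaseName(ValueError):
    """Raised when a user-supplied knowledge base name is rejected."""


def unsafe_kb_path(name: str, root: Path) -> Path:
    """Vulnerable pattern: the request parameter is joined straight onto the
    storage root, so '../' segments or an absolute name escape the root."""
    return root / name


def escapes_root(candidate: Path, root: Path) -> bool:
    """True if the resolved candidate is not a direct child of the root."""
    return candidate.resolve().parent != root.resolve()


def safe_kb_path(name: str, root: Path) -> Path:
    """Hardened pattern: allow-list the name, then confirm the resolved path
    is still inside the storage root before any filesystem call uses it."""
    if not KB_NAME_RE.fullmatch(name):
        raise InvalidKnowledgeBaseName(f"rejected name: {name!r}")
    candidate = root.resolve() / name
    # Defence in depth: a name that passed the regex must still resolve to a
    # child of root; this also catches a symlinked entry pointing elsewhere.
    if escapes_root(candidate, root):
        raise InvalidKnowledgeBaseName(f"path escapes root: {name!r}")
    return candidate


def accepts(name: str, root: Path = Path("kb_root_example")) -> bool:
    """Convenience check: does the hardened validation accept this name?"""
    try:
        safe_kb_path(name, root)
        return True
    except InvalidKnowledgeBaseName:
        return False


def delete_knowledge_base(name: str, root: Path) -> bool:
    """Delete a knowledge base directory by name; True if something was removed."""
    target = safe_kb_path(name, root)
    if not target.is_dir():
        return False
    shutil.rmtree(target)
    return True


def demo() -> dict:
    """Contrast both patterns in a throwaway directory and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "knowledge_bases"
        (root / "docs").mkdir(parents=True)
        sibling = Path(tmp) / "config"   # constructed directory outside the root
        sibling.mkdir()
        traversal = "../config"          # constructed traversal name
        results = {
            "unsafe_join_escapes": escapes_root(unsafe_kb_path(traversal, root), root),
            "safe_rejects_traversal": not accepts(traversal, root),
            "safe_deletes_valid": delete_knowledge_base("docs", root),
        }
        results["sibling_survives"] = sibling.is_dir()
        return results


if __name__ == "__main__":
    print(demo())
```

The regex alone would already stop the names described in this advisory, but the resolved-path check is kept as a second gate so that a future relaxation of the allow-list (or a symlink dropped into the storage directory) cannot silently turn the delete endpoint back into an arbitrary directory removal.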

Frequently asked questions

What is Langflow and how is it used?

Langflow is an open-source platform for building and deploying AI-powered agents and workflows using a visual, low-code interface. It allows users to connect components like language models, databases, and APIs to create applications such as chatbots, data analysis tools, and automated systems without extensive coding.

What kind of vulnerability does CVE-2026-42048 represent?

CVE-2026-42048 is a path traversal vulnerability, also known as CWE-22. This means that the software does not properly validate user-supplied input when constructing file paths, allowing an attacker to access or manipulate files and directories outside of their intended scope.

What are the preconditions for exploiting CVE-2026-42048?

To exploit this vulnerability, an attacker must first have authenticated access to the Langflow application. They can then manipulate names provided to the Knowledge Bases API to craft file paths that point to arbitrary directories on the server, leading to their deletion.

Who should be concerned about this CVE based on its exposure?

Organizations using Langflow should be concerned about this vulnerability. While Langflow applications can be deployed in various ways, those that are internet-facing or accessible from untrusted networks (external exposure) present a higher risk. However, internal deployments are also at risk if an attacker gains authenticated access.

What is the first step to take if running affected Langflow versions?

The immediate first step is to upgrade Langflow to version 1.9.0 or later, as this version contains the fix for the vulnerability. If immediate patching is not possible, consider implementing strict access controls and network segmentation to limit the exposure of the affected API.
