External risk intelligence

IBM Langflow APIRequest Path Traversal Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.9)

CVE-2026-8859

IBM Langflow is a low-code tool for building AI applications, which is commonly deployed as a web-based service or API endpoint. Because it involves processing external HTTP requests and is frequently exposed to developers or users via a web interface to manage AI workflows, it is commonly reachable in networked environments.

Path Traversal

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in IBM Langflow OSS allows an attacker to write files to unintended locations on the system by exploiting a flaw in how filenames are handled when saving to a file. This could lead to the compromise of the affected system or application.

  • Unvalidated filenames permit writing files anywhere.
  • Potential for unauthorized file creation and system impact.
  • Confirm if this tool is used to validate input.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this by sending a specially crafted request to a Langflow instance with the "Save to File" feature enabled. This request would originate from an external HTTP server controlled by the attacker and would trick the vulnerable APIRequest component into writing arbitrary files to the Langflow server's file system, potentially overwriting critical system files or gaining unauthorized access.

  • Requires authenticated access.
  • Triggers via crafted filename in HTTP header.
  • Allows arbitrary file writes.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to write arbitrary files to unintended locations on the system where the Langflow process is running, when the "Save to File" feature is enabled and an external HTTP server is controlled by the attacker. This is possible because the system does not properly sanitize filenames provided by an external HTTP server before using them to save files.

  • System files could be overwritten.
  • Crafted filenames could cause path traversal.
  • Compromise of system integrity is possible.

Operational Fix

Recommended remediation, mitigation, and detection steps

Teams responsible for managing AI development platforms and their underlying infrastructure should prioritize addressing this vulnerability. The first practical step is to identify all instances of the affected technology, determine their network reachability and business criticality, and confirm the accountable system owner. Subsequently, a remediation plan can be developed based on the identified risk.

  • Ownership: Platform and application teams.
  • Verify first: Affected asset inventory and exposure.
  • Action: Plan and execute targeted remediation.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is IBM Langflow and what is it used for?

IBM Langflow is an open-source, low-code development platform designed for building and managing AI applications and workflows. It provides a visual interface that allows developers to construct complex language models and data pipelines without writing extensive code. Because it is web-based, it is often deployed as a service where users interact with AI components through a browser or an API.

What does CVE-2026-8859 mean by path traversal?

This vulnerability is classified as CWE-22, which involves improper limitation of a pathname to a restricted directory. In this case, the Langflow APIRequest component fails to sanitize filenames received from external sources. Because the system trusts these filenames, an attacker can insert special characters like '../' to escape the intended directory and save files to unauthorized locations on the server's hard drive.

How can an attacker trigger this vulnerability?

The flaw is triggered when the "Save to File" feature is active within Langflow. An attacker must point the application to an external HTTP server they control. When the application fetches data and receives a response, it reads the filename from the Content-Disposition header. If the feature is disabled, or if the server does not interact with an untrusted external HTTP source, the specific path traversal sequence cannot be processed.

Is my Langflow instance at risk of this attack?

According to Halo Surface Signal, Langflow is commonly deployed as a web-based service or API, making it reachable in many networked environments. If your instance is internet-facing or accessible to users who could influence the external HTTP servers the application interacts with, the risk is higher. You should evaluate if your deployment's network position exposes it to untrusted traffic.

What should I do first to address this issue?

Begin by identifying all running instances of IBM Langflow within your environment to understand your total footprint. Once you have an inventory, determine which instances are business-critical and verify their network reachability. Coordinate with the system owners of these platforms to monitor for suspicious file activity while you develop and execute a plan to apply the necessary security updates.

References