CVE-2026-55450
CriticalCVSS 9.3Exploitation Probability (EPSS)
Low risk22th percentile — higher than 22% of all known CVEs
Summary
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.9.1, unauthenticated users can upload unlimited amounts of data to the server, leading to space exhaustion. Additionally, the server response reveals the absolute path of the uploaded file, which constitutes an information leak.
Risk Assessment
The organization may face availability issues due to server space exhaustion. The information leak regarding file paths could facilitate attacks on other system components.
Recommendation
It is recommended to upgrade to version 1.9.1 or later to mitigate this vulnerability. Additionally, implementing restrictions on data uploads by unauthenticated users is advisable.
Original NVD description (English source)
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.1, unauthenticated users can upload any amount of data to the server without any limitations. No need for any prior knowledge, only network access to Langflow. This can lead to space exhaustion on the server. In addition, in the response, the absolute path of the uploaded file is reported to the attacker, which is an information leak that can assist in chaining other primitives. This vulnerability is fixed in 1.9.1.

