CVE Catalog

CVE-2026-55450

CriticalCVSS 9.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.31%

22th percentile — higher than 22% of all known CVEs

Summary

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.9.1, unauthenticated users can upload unlimited amounts of data to the server, leading to space exhaustion. Additionally, the server response reveals the absolute path of the uploaded file, which constitutes an information leak.

Risk Assessment

The organization may face availability issues due to server space exhaustion. The information leak regarding file paths could facilitate attacks on other system components.

Recommendation

It is recommended to upgrade to version 1.9.1 or later to mitigate this vulnerability. Additionally, implementing restrictions on data uploads by unauthenticated users is advisable.

Original NVD description (English source)

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.1, unauthenticated users can upload any amount of data to the server without any limitations. No need for any prior knowledge, only network access to Langflow. This can lead to space exhaustion on the server. In addition, in the response, the absolute path of the uploaded file is reported to the attacker, which is an information leak that can assist in chaining other primitives. This vulnerability is fixed in 1.9.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS