Zero Day MonitorZDM

← Back to list

7.5

CVE-2026-55446EXPLOITEDPATCHED

langflow · langflow

Langflow: Unauthenticated DoS through multipart form boundary file upload

Description

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.0.19, an attacker can send a /api/v1/files/upload/ request without any authentication token/cookies and abuse a very long multipart form boundary to make the langflow app unusable for all users for an indefinite amount of time. This vulnerability is fixed in 1.0.19.

Affected Products

Vendor	Product	Versions
langflow	langflow	< 1.0.19, 1.0.18

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor	Product	Source	Confidence
open source	langflow	cert_advisory	90%

References

https://github.com/langflow-ai/langflow/security/advisories/GHSA-qwqc-p3q8-wcg9(x_refsource_CONFIRM)
https://github.com/langflow-ai/langflow/pull/3923(x_refsource_MISC)

Related News (2 articles)

Tier C

VulDB4d ago

CVE-2026-55446 | langflow-ai langflow up to 1.0.18 /api/v1/files/upload resource consumption (GHSA-qwqc-p3q8-wcg9)

→ No new info (linked only)

Tier B

BSI Advisories5d ago

[NEU] [hoch] Langflow: Mehrere Schwachstellen

→ No new info (linked only)

CVSS 3.17.5 MEDIUM

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

langflow@1.0.19

CWECWE-400

PublishedJun 19, 2026

Last enriched4d agov2

Tags

GHSA-qwqc-p3q8-wcg9pip

Trending Score38

Source articles2

Independent2

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

CRITICALCVE-2026-55255EXPKEV

Langflow: IDOR Vulnerability in `/api/v1/responses` Endpoint Allows Authenticated Attackers to Access Another User's Flow

CRITICALCVE-2026-48519EXP

Langflow: Unauthenticated RCE in Shareable Playgrounds

CRITICALCVE-2026-42867EXP

Langflow: Path Traversal in Knowledge Bases API via Creation Endpoint

HIGHCVE-2026-55450EXP

Langflow: Unauthenticated file upload leads to DoS (space exhaustion) and information leak

HIGHCVE-2026-55423

Langflow: Logout button does not clear session

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Jun 19, 2026

Discovered by ZDM

Jun 19, 2026

Actively Exploited

Jun 23, 2026

Patch Available

Jun 23, 2026

Updated: affectedVersions, severity, activelyExploited

Jun 23, 2026

Version History

v2

Last enriched 4d ago

v2Tier C4d ago

Updated affected versions to include 1.0.18, changed severity to MEDIUM, and noted that no exploit is available.

affectedVersionsseverityactivelyExploited

via VulDB

v18d ago

Initial creation