Zero Day MonitorZDM

← Back to list

9.3

CVE-2026-55450EXPLOITEDPATCHED

langflow · langflow

Langflow: Unauthenticated file upload leads to DoS (space exhaustion) and information leak

Description

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.1, unauthenticated users can upload any amount of data to the server without any limitations. No need for any prior knowledge, only network access to Langflow. This can lead to space exhaustion on the server. In addition, in the response, the absolute path of the uploaded file is reported to the attacker, which is an information leak that can assist in chaining other primitives. This vulnerability is fixed in 1.9.1.

Affected Products

Vendor	Product	Versions
langflow	langflow	< 1.9.1, 1.9.0

References

https://github.com/langflow-ai/langflow/security/advisories/GHSA-x223-p2gf-v735(x_refsource_CONFIRM)
https://github.com/langflow-ai/langflow/pull/12831(x_refsource_MISC)

Related News (1 articles)

Tier C

VulDB4d ago

CVE-2026-55450 | langflow-ai langflow up to 1.9.0 Uploaded File information disclosure (GHSA-x223-p2gf-v735)

→ No new info (linked only)

CVSS 3.19.3 HIGH

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:H

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

null

CWECWE-200, CWE-306, CWE-400

PublishedJun 17, 2026

Last enriched4d agov2

Tags

GHSA-x223-p2gf-v735pip

Trending Score34

Source articles1

Independent1

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

CRITICALCVE-2026-55255EXPKEV

Langflow: IDOR Vulnerability in `/api/v1/responses` Endpoint Allows Authenticated Attackers to Access Another User's Flow

CRITICALCVE-2026-48519EXP

Langflow: Unauthenticated RCE in Shareable Playgrounds

MEDIUMCVE-2026-55446EXP

Langflow: Unauthenticated DoS through multipart form boundary file upload

CRITICALCVE-2026-42867EXP

Langflow: Path Traversal in Knowledge Bases API via Creation Endpoint

HIGHCVE-2026-55423

Langflow: Logout button does not clear session

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Jun 17, 2026

Discovered by ZDM

Jun 17, 2026

Actively Exploited

Jun 23, 2026

Patch Available

Jun 23, 2026

Updated: affectedVersions, severity, activelyExploited, patchAvailable

Jun 23, 2026

Version History

v2

Last enriched 4d ago

v2Tier C4d ago

Updated affected versions to include 1.9.0, changed severity to HIGH, and noted that no exploit is available.

affectedVersionsseverityactivelyExploitedpatchAvailable

via VulDB

v110d ago

Initial creation