CVE-2026-6596: Langflow: DoS Through Lack of File Size Restriction via Deprecated Unauthenticated File Upload API

April 20, 2026 (updated April 24, 2026)

A security flaw has been discovered in langflow-ai langflow up to 1.1.0. This issue affects the function create_upload_file of the file src/backend/base/Langflow/api/v1/endpoints.py of the component API Endpoint. The manipulation results in unrestricted upload. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

References

gist.github.com/chenhouser2025/c2aabfdee41009cfe45d28a9924742a0
github.com/advisories/GHSA-vvfc-fp59-m92g
github.com/langflow-ai/langflow/commit/b5662446bc8c54d928e278d3d26ad95b62425815
nvd.nist.gov/vuln/detail/CVE-2026-6596
vuldb.com/submit/791919
vuldb.com/vuln/358231
vuldb.com/vuln/358231/cti

Code Behaviors & Features

Detect and mitigate CVE-2026-6596 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →