CVE-2026-42867: Langflow: Path Traversal in Knowledge Bases API via Creation Endpoint

June 16, 2026

Langflow is vulnerable to Path Traversal in the Knowledge Bases API (POST /api/v1/knowledge_bases). This occurs because user-supplied knowledge base names are used directly to create file paths without proper sanitization or containment checks. An authenticated attacker can exploit this flaw to create directories and write files anywhere on the server’s filesystem.

References

github.com/advisories/GHSA-79ph-745m-6wxq
github.com/langflow-ai/langflow/pull/12337
github.com/langflow-ai/langflow/security/advisories/GHSA-79ph-745m-6wxq
nvd.nist.gov/vuln/detail/CVE-2026-42867

Code Behaviors & Features

Detect and mitigate CVE-2026-42867 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →