CVE-2026-55447: Langflow: BaseFileComponent-based nodes arbitrary file read with RCE exploit

All components based on BaseFileComponent are vulnerable to the following vulnerability:

  1. Docling (DoclingInlineComponent)
  2. Docling Serve (DoclingRemoteComponent)
  3. Read File (FileComponent)
  4. NVIDIA Retriever Extraction (NvidiaIngestComponent)
  5. Video File (VideoFileComponent)
  6. Unstructured API (UnstructuredComponent)

For clarity, from now on I’ll only refer to Read File component.

The Read File node processes user-controlled files. Example scenario is a RAG chatbot - a system that allows users of an organization to ask questions about documents saved in the organizations.

By controlling a files that are digested into the RAG, an attacker can direct the node to read any file on the file-system by absolute path.

Using this vulnerability an attacker can acheive RCE:

  1. Upload a file that directs the node to read Langflow’s secret_key file containing the JWT token secret.
  2. This would allow the attacker then to simply task the Chatbot for the JWT secret.
  3. Using this secret, the attacker then crafts a JWT token for any user-id, bypassing authentication.
  4. Code execution is then trivial - simply create a new flow with “Python Interpreter” node, fill it with arbitrary Python code and execute it.

Tested on commit 2d67402b1dbaefcbce85a244d4a6cd5e4bda1cfe

References

Code Behaviors & Features

Detect and mitigate CVE-2026-55447 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →