GHSA-9WHX-C884-C68Q

Vulnerability from github – Published: 2026-05-05 18:28 – Updated: 2026-05-13 16:26
VLAI?
Summary
Langflow Knowledge Bases API is Vulnerable to Path Traversal
Details

Summary

Langflow is vulnerable to Path Traversal in the Knowledge Bases API (DELETE /api/v1/knowledge_bases). This occurs because user-supplied knowledge base names are concatenated directly into file paths without proper sanitization or boundary validation. An authenticated attacker can exploit this flaw to delete arbitrary directories anywhere on the server's filesystem, leading to data loss and potential service disruption.

Details

The vulnerability exists in the delete_knowledge_bases_bulk function within src/backend/base/langflow/api/v1/knowledge_bases.py.

This function constructs file paths directly from the user-supplied kb_names parameter. While other knowledge base endpoints safely route through standard path resolution (e.g., _resolve_kb_path()), the bulk delete handler bypasses this entirely. It builds the path manually and passes it directly to shutil.rmtree() without validating if the resulting path resolves outside the intended user directory.

PoC (Proof of Concept)

For the Bulk Delete endpoint, an authenticated attacker can supply a traversal sequence in the kb_names parameter: ../victim_user/kb_name

Because the path is passed directly to shutil.rmtree() without containment checks, this payload deletes directories outside the intended scope.

Impact

Any Langflow instance exposing this endpoint to authenticated users is vulnerable. This exposes the server to: * Cross-user data compromise: Deletion of directories within another tenant's knowledge base space. * Arbitrary filesystem manipulation: Directory deletion at any path on the server where the application has write permissions. * Service disruption & Data Loss: Deletion of critical application files or unrecoverable data loss if backups are co-located on the same filesystem.

Fixes

The issue was addressed in PR #12243, which applies Path.resolve() to normalize the supplied path and validates that it starts with the authenticated user's directory before deletion. Subsequent updates (backported from PR #12337) introduced robust containment checks using Path.is_relative_to() to prevent prefix-ambiguity bugs.

Acknowledgements

Thanks to the security researchers who responsibly disclosed this vulnerability: * @ddlxstudio * @nekros1xx

Severity ?
9.6 (Critical)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.8.4"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "langflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42048"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-05T18:28:59Z",
    "nvd_published_at": "2026-05-12T18:17:23Z",
    "severity": "CRITICAL"
  },
  "details": "## Summary\nLangflow is vulnerable to Path Traversal in the Knowledge Bases API (`DELETE /api/v1/knowledge_bases`). This occurs because user-supplied knowledge base names are concatenated directly into file paths without proper sanitization or boundary validation. An authenticated attacker can exploit this flaw to delete arbitrary directories anywhere on the server\u0027s filesystem, leading to data loss and potential service disruption.\n\n## Details\nThe vulnerability exists in the `delete_knowledge_bases_bulk` function within `src/backend/base/langflow/api/v1/knowledge_bases.py`. \n\nThis function constructs file paths directly from the user-supplied `kb_names` parameter. While other knowledge base endpoints safely route through standard path resolution (e.g., `_resolve_kb_path()`), the bulk delete handler bypasses this entirely. It builds the path manually and passes it directly to `shutil.rmtree()` without validating if the resulting path resolves outside the intended user directory.\n\n## PoC (Proof of Concept)\nFor the **Bulk Delete** endpoint, an authenticated attacker can supply a traversal sequence in the `kb_names` parameter:\n`../victim_user/kb_name`\n\nBecause the path is passed directly to `shutil.rmtree()` without containment checks, this payload deletes directories outside the intended scope.\n\n## Impact\nAny Langflow instance exposing this endpoint to authenticated users is vulnerable. This exposes the server to:\n* **Cross-user data compromise:** Deletion of directories within another tenant\u0027s knowledge base space.\n* **Arbitrary filesystem manipulation:** Directory deletion at any path on the server where the application has write permissions.\n* **Service disruption \u0026 Data Loss:** Deletion of critical application files or unrecoverable data loss if backups are co-located on the same filesystem.\n\n## Fixes\nThe issue was addressed in **PR #12243**, which applies `Path.resolve()` to normalize the supplied path and validates that it starts with the authenticated user\u0027s directory before deletion. Subsequent updates (backported from PR #12337) introduced robust containment checks using `Path.is_relative_to()` to prevent prefix-ambiguity bugs.\n\n## Acknowledgements\nThanks to the security researchers who responsibly disclosed this vulnerability:\n* @ddlxstudio\n* @nekros1xx",
  "id": "GHSA-9whx-c884-c68q",
  "modified": "2026-05-13T16:26:20Z",
  "published": "2026-05-05T18:28:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-9whx-c884-c68q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42048"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/langflow-ai/langflow"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Langflow Knowledge Bases API is Vulnerable to Path Traversal"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.