GHSA-PH9W-R52H-28P7

Vulnerability from github – Published: 2026-03-20 20:56 – Updated: 2026-03-27 20:51
VLAI?
Summary
langflow: /profile_pictures/{folder_name}/{file_name} endpoint file reading
Details

Vulnerability

Path Traversal in GET /api/v1/files/profile_pictures/{folder_name}/{file_name}

The download_profile_picture function in src/backend/base/langflow/api/v1/files.py constructed file paths by directly concatenating the user-supplied folder_name and file_name path parameters without sanitization or boundary validation. The resulting path was passed to the filesystem without verifying it remained within the intended directory.

An unauthenticated attacker could supply traversal sequences (e.g. ../secret_key) to navigate outside the profile pictures directory and read arbitrary files on the server filesystem.

This exposed the server to:

  • Sensitive file disclosure — any file readable by the application process could be retrieved
  • Secret key exfiltration — the application's secret_key file, used as JWT signing material, could be read directly via ../secret_key
  • Authentication bypass — with the secret_key in hand, an attacker can forge valid JWT tokens and authenticate as any user, including administrators

Proof of Concept

curl --path-as-is 'http://<host>:7860/api/v1/files/profile_pictures/../secret_key'

A successful response returns the raw secret key value used to sign all JWT authentication tokens in the instance.

Fix

The fix was applied in src/backend/base/langflow/api/v1/files.py (PR #12263).

Two layers of defense were introduced:

1. Typed path validation — the folder_name and file_name parameters were changed from plain str to ValidatedFolderName and ValidatedFileName annotated types that reject traversal characters at the FastAPI input layer.

2. Path containment checkPath.name is used to strip any directory component from the inputs before path construction, and Path.is_relative_to() verifies the resolved path remains within the allowed base directory. This replaces the previous startswith() check, which was susceptible to prefix-ambiguity bugs.

 @router.get("/profile_pictures/{folder_name}/{file_name}")
 async def download_profile_picture(
-    folder_name: str,
-    file_name: str,
+    folder_name: ValidatedFolderName,
+    file_name: ValidatedFileName,
     settings_service: Annotated[SettingsService, Depends(get_settings_service)],
 ):

-        file_path = (config_path / "profile_pictures" / folder_name / file_name).resolve()
+        safe_folder = Path(folder_name).name
+        safe_file = Path(file_name).name
+        file_path = (config_path / "profile_pictures" / safe_folder / safe_file).resolve()

         allowed_base = (config_path / "profile_pictures").resolve()
-        if not str(file_path).startswith(str(allowed_base)):
-            raise HTTPException(status_code=404, detail="Profile picture not found")
+        if not file_path.is_relative_to(allowed_base):
+            raise HTTPException(status_code=404, detail="Profile picture not found")

Workarounds

If you cannot upgrade immediately, restrict network access to the /api/v1/files/profile_pictures/ endpoint at the reverse-proxy or firewall level. Rotating the secret_key is strongly recommended if exposure cannot be ruled out.

Acknowledgements

We thank the security researcher who responsibly disclosed this vulnerability.

Severity ?
8.7 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "langflow"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.7.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33497"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-20T20:56:14Z",
    "nvd_published_at": "2026-03-24T14:16:30Z",
    "severity": "HIGH"
  },
  "details": "## Vulnerability\n\n### Path Traversal in `GET /api/v1/files/profile_pictures/{folder_name}/{file_name}`\n\nThe `download_profile_picture` function in `src/backend/base/langflow/api/v1/files.py` constructed file paths by directly concatenating the user-supplied `folder_name` and `file_name` path parameters without sanitization or boundary validation. The resulting path was passed to the filesystem without verifying it remained within the intended directory.\n\nAn unauthenticated attacker could supply traversal sequences (e.g. `../secret_key`) to navigate outside the profile pictures directory and read arbitrary files on the server filesystem.\n\nThis exposed the server to:\n\n- **Sensitive file disclosure** \u2014 any file readable by the application process could be retrieved\n- **Secret key exfiltration** \u2014 the application\u0027s `secret_key` file, used as JWT signing material, could be read directly via `../secret_key`\n- **Authentication bypass** \u2014 with the `secret_key` in hand, an attacker can forge valid JWT tokens and authenticate as any user, including administrators\n\n---\n\n## Proof of Concept\n\n```bash\ncurl --path-as-is \u0027http://\u003chost\u003e:7860/api/v1/files/profile_pictures/../secret_key\u0027\n```\n\nA successful response returns the raw secret key value used to sign all JWT authentication tokens in the instance.\n\n---\n\n## Fix\n\nThe fix was applied in `src/backend/base/langflow/api/v1/files.py` (PR #12263).\n\nTwo layers of defense were introduced:\n\n**1. Typed path validation** \u2014 the `folder_name` and `file_name` parameters were changed from plain `str` to `ValidatedFolderName` and `ValidatedFileName` annotated types that reject traversal characters at the FastAPI input layer.\n\n**2. Path containment check** \u2014 `Path.name` is used to strip any directory component from the inputs before path construction, and `Path.is_relative_to()` verifies the resolved path remains within the allowed base directory. This replaces the previous `startswith()` check, which was susceptible to prefix-ambiguity bugs.\n\n```diff\n @router.get(\"/profile_pictures/{folder_name}/{file_name}\")\n async def download_profile_picture(\n-    folder_name: str,\n-    file_name: str,\n+    folder_name: ValidatedFolderName,\n+    file_name: ValidatedFileName,\n     settings_service: Annotated[SettingsService, Depends(get_settings_service)],\n ):\n```\n\n```diff\n-        file_path = (config_path / \"profile_pictures\" / folder_name / file_name).resolve()\n+        safe_folder = Path(folder_name).name\n+        safe_file = Path(file_name).name\n+        file_path = (config_path / \"profile_pictures\" / safe_folder / safe_file).resolve()\n\n         allowed_base = (config_path / \"profile_pictures\").resolve()\n-        if not str(file_path).startswith(str(allowed_base)):\n-            raise HTTPException(status_code=404, detail=\"Profile picture not found\")\n+        if not file_path.is_relative_to(allowed_base):\n+            raise HTTPException(status_code=404, detail=\"Profile picture not found\")\n```\n\n---\n\n## Workarounds\n\nIf you cannot upgrade immediately, restrict network access to the `/api/v1/files/profile_pictures/` endpoint at the reverse-proxy or firewall level. Rotating the `secret_key` is strongly recommended if exposure cannot be ruled out.\n\n---\n\n## Acknowledgements\n\nWe thank the security researcher who responsibly disclosed this vulnerability.\n\n- [r00tuser111](https://github.com/r00tuser111)",
  "id": "GHSA-ph9w-r52h-28p7",
  "modified": "2026-03-27T20:51:07Z",
  "published": "2026-03-20T20:56:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/langflow-ai/langflow/security/advisories/GHSA-ph9w-r52h-28p7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33497"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/langflow-ai/langflow"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "langflow: /profile_pictures/{folder_name}/{file_name} endpoint file reading"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.