Active RCE Exploits Target 7,000 Exposed Langflow Instances

Attackers are actively exploiting a high-severity path traversal vulnerability in the AI development platform Langflow to achieve unauthenticated remote code execution. Security researchers from VulnCheck and Tenable reported the active exploitation of CVE-2026-5027 on June 10, following days of honeypot detections. The vulnerability allows attackers to write arbitrary files to the host filesystem, resulting in full server compromise for unpatched systems.

Exploitation Path and Auto-Login Bypass

The core vulnerability exists in Langflow’s file upload handling. The platform fails to sanitize the filename parameter within multipart form data sent to the POST /api/v2/files endpoint. Attackers leverage standard “dot-dot-slash” (../) directory traversal sequences to break out of the intended upload directory and write malicious files, such as web shells or cron jobs, anywhere on the host filesystem.

This path traversal is trivial to execute because it reliably bypasses authentication in standard deployments. Langflow ships with an AUTO_LOGIN feature that is frequently enabled by default. VulnCheck security researcher Caitlin Condon noted that this configuration provides a virtually nonexistent barrier to entry. A single unauthenticated request grants the attacker a valid session token, which they immediately use to access the vulnerable file upload endpoint.

Between June 8 and June 9, security honeypots began logging attackers dropping “test files” to verify the directory traversal worked before escalating to destructive remote code execution payloads. This fits a broader pattern of AI exploit chains targeting orchestration layers rather than the models themselves.

Remediation and Ecosystem Context

Censys scans indicate that approximately 7,000 Langflow instances are currently exposed to the public internet, predominantly in North America. Exploitation of CVE-2026-5027 carries a CVSS score of 8.8.

If you deploy AI agent frameworks in production, this incident highlights the risk of exposing orchestration endpoints to the public internet. The AI ecosystem has struggled with incomplete vulnerability remediation throughout early 2026. For example, JFrog researchers previously demonstrated that a fix for an earlier Langflow vulnerability (CVE-2026-33017) in version 1.8.2 could be bypassed, requiring a second patch.

Component	Vulnerable Versions	Patched Version
langflow-base	< 0.8.3	0.8.3
Langflow	< 1.9.0	1.9.0

Update your Langflow deployments to version 1.9.0 immediately. If your instance was publicly exposed prior to applying the patch, assume compromise and audit your host filesystem for unauthorized cron jobs, web shells, or unfamiliar files matching the timestamps of the initial exploitation wave.