Urgent Security Notice for Langflow Users: Protect Your AI Development Environments

By Patricia Miller

Jun 19, 2026

2 min read

Vulnerabilities in Langflow put roughly 7,000 internet-exposed servers at risk. Patch, disable auto-login and restrict network access without delay.

#What are the recent vulnerabilities in Langflow?

If you build AI agents with Langflow, its recent vulnerabilities need immediate attention. Approximately 7,000 publicly accessible Langflow servers are exposed to attacks exploiting serious vulnerabilities, some of which also affect the underlying LangChain and LangGraph frameworks.

These are not theoretical: the Cybersecurity and Infrastructure Security Agency (CISA) has added several Langflow CVEs to its Known Exploited Vulnerabilities (KEV) catalog, which lists only flaws with evidence of active exploitation.

#How serious are these vulnerabilities?

One particularly concerning vulnerability is CVE-2026-5027, a path traversal flaw in Langflow's file upload feature, rated high severity with a CVSS score of 8.8. An attacker can write arbitrary files on the server simply by sending a crafted POST request to the /api/v2/files endpoint with a filename containing directory-traversal sequences that the server does not sanitize. Because the attacker chooses where the file lands, writing to a location the server later loads or executes can escalate this to full remote code execution and compromise of the whole system.
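The traversal pattern described above, as an added example that is not Langflow's code (its real upload route is not reproduced here): a hypothetical upload handler that trusts the client-supplied filename, beside the containment check that stops a name such as "../../etc/cron.d/job" from escaping the upload directory. The upload directory path, the function names and the sample filenames are all constructed for the demo.

```python
"""Vulnerable vs. hardened upload-path handling (added example, not Langflow's code)."""
import os
from pathlib import Path, PurePosixPath

UPLOAD_ROOT = Path("/var/lib/app/uploads")  # hypothetical upload directory


def naive_upload_path(root: Path, filename: str) -> Path:
    """Vulnerable: joins the client filename straight onto the root.
    Path() keeps '..' segments as-is and an absolute filename replaces
    the root entirely; the OS normalises the result when the file is opened."""
    return root / filename


def escapes_root(root: Path, candidate: Path) -> bool:
    """True when the OS-normalised candidate lies outside root, i.e. what the
    kernel will actually open is not under the upload directory."""
    normalised = Path(os.path.normpath(candidate))
    return not normalised.is_relative_to(Path(os.path.normpath(root)))


def safe_upload_path(root: Path, filename: str) -> Path:
    """Hardened: accept only a bare file name, then prove the resolved target
    is still inside the resolved root before handing it back.

    Raises ValueError for anything that is not a plain name inside root."""
    name = PurePosixPath(filename).name  # strips any directory components
    if name != filename or name in ("", ".", ".."):
        raise ValueError(f"rejected filename: {filename!r}")
    if "\\" in name or "\x00" in name:  # Windows separator / NUL truncation tricks
        raise ValueError(f"rejected filename: {filename!r}")
    root_resolved = root.resolve()
    # resolve() follows symlinks, so a pre-planted symlink named `name` that
    # points outside the directory is also caught by the containment check.
    target = (root_resolved / name).resolve()
    if not target.is_relative_to(root_resolved):  # Python >= 3.9
        raise ValueError(f"escapes upload root: {filename!r}")
    return target


if __name__ == "__main__":
    # Constructed sample names: one benign, two traversal attempts.
    for candidate in ("report.pdf", "../../etc/cron.d/job", "/etc/passwd"):
        naive = naive_upload_path(UPLOAD_ROOT, candidate)
        print(f"{candidate!r}: naive -> {naive} escapes={escapes_root(UPLOAD_ROOT, naive)}")
        try:
            print(f"{candidate!r}: safe  -> {safe_upload_path(UPLOAD_ROOT, candidate)}")
        except ValueError as exc:
            print(f"{candidate!r}: safe  -> {exc}")
```

Note that rejecting separators up front is the important step; a check that only normalises the joined path and compares prefixes can still be fooled by a sibling directory whose name starts with the root's name, which is why the hardened version compares resolved paths with `is_relative_to` rather than string prefixes.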

Another noteworthy vulnerability, CVE-2026-33017, disclosed in March, allows unauthenticated remote code execution through a public flow build endpoint; working exploits surfaced within 20 hours of its announcement. Earlier, CVE-2025-3248, an unauthenticated code-injection flaw in older Langflow versions, was exploited at scale and used to recruit servers into the Flodrix botnet. CISA added it to the KEV catalog in May 2025, which obliges federal civilian agencies to remediate it by a fixed deadline.

#What is the relationship between Langflow and other frameworks?

Langflow is built on the LangChain ecosystem, which includes LangGraph for constructing stateful AI agent workflows. In March 2026, separate high-severity vulnerabilities in LangChain and LangGraph were disclosed, each with a CVSS score of 9.3. With these frameworks drawing over 60 million weekly downloads, a company running Langflow on affected versions of LangChain or LangGraph is exposed to both sets of flaws, so pinning and updating those dependencies matters as much as updating Langflow itself.

#Why are numerous servers left exposed?

The high number of vulnerable Langflow instances, most of them in North America, stems mainly from Langflow's auto-login setting, which is enabled by default and signs every visitor in without credentials. Many of these instances appear to have been set up for testing and then left running with internet-reachable endpoints and no effective authentication.

Security researchers also point to a worrying trend: time-to-exploit is now measured in hours. That pace far outstrips traditional patch cycles, leaving organizations that update weekly or monthly exposed for the whole interval.

#What should you do if you use Langflow?

If you run Langflow in production, apply the patches immediately, disable auto-login, and restrict network access to the server (bind it to localhost or place it behind an authenticating reverse proxy or firewall). The speed with which Langflow is being exploited shows that attackers treat AI development platforms as prime targets: they hold API keys, sensitive data, and live connections to production databases.
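The configuration points above (auto-login on by default, servers bound to all interfaces, default credentials) as an added example of an offline audit of a Langflow environment, not code from Langflow or from this article. The variable names LANGFLOW_AUTO_LOGIN, LANGFLOW_HOST, LANGFLOW_SUPERUSER, LANGFLOW_SUPERUSER_PASSWORD and LANGFLOW_SECRET_KEY, and the defaults assumed for them (auto-login on, loopback host, superuser password "langflow"), are taken from Langflow's documented settings as I understand them and should be checked against the version you run; the sample environment dictionaries are constructed for the demo.

```python
"""Audit Langflow environment settings for the exposure pattern described in the article
(added example, not part of Langflow)."""
import os
import secrets

# Assumed Langflow defaults; verify against the docs for your version.
DEFAULT_AUTO_LOGIN = True
DEFAULT_HOST = "127.0.0.1"
DEFAULT_SUPERUSER_PASSWORD = "langflow"
LOOPBACK = ("127.0.0.1", "localhost", "::1")


def _truthy(value, default):
    """Parse an env-style boolean; a missing variable means the default applies."""
    if value is None:
        return default
    return value.strip().lower() in ("1", "true", "yes", "on")


def audit_langflow_env(env: dict) -> list:
    """Return a list of findings (empty when nothing is wrong)."""
    findings = []
    auto_login = _truthy(env.get("LANGFLOW_AUTO_LOGIN"), DEFAULT_AUTO_LOGIN)
    host = env.get("LANGFLOW_HOST", DEFAULT_HOST)

    if auto_login:
        findings.append("LANGFLOW_AUTO_LOGIN is enabled (the default): every visitor "
                        "gets a session without credentials")
    if host not in LOOPBACK:
        detail = ("with auto-login on this is an unauthenticated, network-facing API"
                  if auto_login else
                  "make sure a firewall or authenticating reverse proxy fronts it")
        findings.append(f"LANGFLOW_HOST={host} binds beyond loopback; {detail}")
    password = env.get("LANGFLOW_SUPERUSER_PASSWORD")
    if password is None or password == DEFAULT_SUPERUSER_PASSWORD:
        findings.append("LANGFLOW_SUPERUSER_PASSWORD is unset or the default 'langflow'")
    if not env.get("LANGFLOW_SECRET_KEY"):
        findings.append("LANGFLOW_SECRET_KEY is not set explicitly; set one you control")
    return findings


def hardened_env(bind_host: str = DEFAULT_HOST) -> dict:
    """The corrected settings: auto-login off, loopback bind, random secrets."""
    return {
        "LANGFLOW_AUTO_LOGIN": "false",
        "LANGFLOW_HOST": bind_host,
        "LANGFLOW_SUPERUSER": "admin",
        "LANGFLOW_SUPERUSER_PASSWORD": secrets.token_urlsafe(24),
        "LANGFLOW_SECRET_KEY": secrets.token_urlsafe(32),
    }


if __name__ == "__main__":
    # Constructed sample: the 'left running after a test' setup the article describes.
    test_box = {"LANGFLOW_HOST": "0.0.0.0"}
    print("weak setup:")
    for finding in audit_langflow_env(test_box):
        print("  -", finding)
    print("hardened setup:", audit_langflow_env(hardened_env()) or "no findings")
    # Audit the real process environment last.
    live = audit_langflow_env(dict(os.environ))
    print("this environment:", live or "no findings")
```

Run it on the host (or pass the container's environment) before exposing an instance; an empty result from `audit_langflow_env` means auto-login is off, the bind address is loopback, and the superuser password and secret key are set to non-default values, which is the minimum the recommendations above call for.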

These 7,000 exposed instances are a stark reminder of what happens when ease of use is prioritized over basic security hygiene in the fast-moving world of AI development tools.

Keeping your AI infrastructure secure is not an optional precaution; it is a basic part of running these tools responsibly now that they are so widely deployed.
